16.2. Types
The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
By default, mounted NFS volumes on the client side are labeled with a default context defined by policy for NFS. In common policies, this default context uses the
nfs_t
type. The root user is able to override the default type using the mount -context
option. The following types are used with NFS. Different types allow you to configure flexible access:
var_lib_nfs_t
- This type is used for existing and new files copied to or created in the
/var/lib/nfs/
directory. This type should not need to be changed in normal operation. To restore changes to the default settings, run therestorecon -R -v /var/lib/nfs
command as the root user. nfsd_exec_t
- The
/usr/sbin/rpc.nfsd
file is labeled with thenfsd_exec_t
, as are other system executables and libraries related to NFS. Users should not label any files with this type.nfsd_exec_t
will transition tonfsd_t
.