By default, when a file system that supports extended attributes is mounted, the security context for each file is obtained from the security.selinux extended attribute of the file. Files in file systems that do not support extended attributes are assigned a single, default security context from the policy configuration, based on file system type.
Use the mount -o context
command to override existing extended attributes, or to specify a different, default context for file systems that do not support extended attributes. This is useful if you do not trust a file system to supply the correct attributes, for example, removable media used in multiple systems. The mount -o context
command can also be used to support labeling for file systems that do not support extended attributes, such as File Allocation Table (FAT) or NFS file systems. The context specified with the context
is not written to disk: the original contexts are preserved, and are seen when mounting without a context
option (if the file system had extended attributes in the first place).
For further information about file system labeling, refer to James Morris's "Filesystem Labeling in SELinux" article: http://www.linuxjournal.com/article/7426.
To mount a file system with the specified context, overriding existing contexts if they exist, or to specify a different, default context for a file system that does not support extended attributes, as the Linux root user, use the mount -o context=
command when mounting the desired file system. Context changes are not written to disk. By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the SELinux_user:role:type:level
nfs_t
type. Without additional mount options, this may prevent sharing NFS file systems via other services, such as the Apache HTTP Server. The following example mounts an NFS file system so that it can be shared via the Apache HTTP Server:
# mount server:/export /local/mount/point -o\ context="system_u:object_r:httpd_sys_content_t:s0"
Newly-created files and directories on this file system appear to have the SELinux context specified with -o context
; however, since context changes are not written to disk for these situations, the context specified with the context
option is only retained if the context
option is used on the next mount, and if the same context is specified.
Type Enforcement is the main permission control used in SELinux targeted policy. For the most part, SELinux users and roles can be ignored, so, when overriding the SELinux context with -o context
, use the SELinux system_u
user and object_r
role, and concentrate on the type. If you are not using the MLS policy or multi-category security, use the s0
level.
When a file system is mounted with a context
option, context changes (by users and processes) are prohibited. For example, running chcon
on a file system mounted with a context
option results in a Operation not supported
error.