5.8. The file_t and default_t Types
On file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the
file_t
type. This should be the only use of this type, so that files without a context on disk can be distinguished in policy, and generally kept inaccessible to confined domains. The
file_t
type should not exist on correctly-labeled file systems, because all files on a system running SELinux should have an SELinux context, and the
file_t
type is never used in file-context configuration
[11].
The
default_t
type is used on files that do not match any other pattern in file-context configuration, so that such files can be distinguished from files that do not have a context on disk, and generally kept inaccessible to confined domains. If you create a new top-level directory, such as
/mydirectory/
, this directory may be labeled with the
default_t
type. If services need access to such a directory, update the file-contexts configuration for this location. Refer to
Section 5.7.2, “Persistent Changes: semanage fcontext” for details on adding a context to the file-context configuration.