Product SiteDocumentation Site

9.4.8. The file_t and default_t Types

For file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy. In common policies, this default context uses the file_t type. This should be the only use of this type, so that files without a context on disk can be distinguished in policy, and generally kept inaccessible to confined domains. The file_t type should not exist on correctly-labeled file systems, because all files on a system running SELinux should have an SELinux context, and the file_t type is never used in file-context configuration[23].
The default_t type is used on files that do not match any other pattern in file-context configuration, so that such files can be distinguished from files that do not have a context on disk, and generally kept inaccessible to confined domains. If you create a new top-level directory, such as /mydirectory/, this directory may be labeled with the default_t type. If services need access to such a directory, update the file-contexts configuration for this location. Refer to Section, “Persistent Changes: semanage fcontext” for details on adding a context to the file-context configuration.

[23] Files in /etc/selinux/targeted/contexts/files/ define contexts for files and directories. Files in this directory are read by restorecon and setfiles to restore files and directories to their default contexts.