.RS
.TP
.B async
-All I/O to the file system should be done asynchronously.
+All I/O to the file system should be done asynchronously. (See also the
+.B sync
+option.)
.TP
.B atime
Update inode access time for each access. This is the default.
.TP
+.B noatime
+Do not update inode access times on this file system (e.g, for faster
+access on the news spool to speed up news servers).
+.TP
.B auto
Can be mounted with the
.B \-a
option.
+.TP
+.B noauto
+Can only be mounted explicitly (i.e., the
+.B \-a
+option will not cause the file system to be mounted).
+.TP
+\fBcontext=\fP\fIcontext\fP, \fBfscontext=\fP\fIcontext\fP and \fBdefcontext=\fP\fIcontext\fP
+The
+.BR context=
+option is useful when mounting filesystems that do not support
+extended attributes, such as a floppy or hard disk formatted with VFAT, or
+systems that are not normally running under SELinux, such as an ext3 formatted
+disk from a non-SELinux workstation. You can also use
+.BR context=
+on filesystems you do not trust, such as a floppy. It also helps in compatibility with
+xattr-supporting filesystems on earlier 2.4.<x> kernel versions. Even where
+xattrs are supported, you can save time not having to label every file by
+assigning the entire disk one security context.
+
+A commonly used option for removable media is
+.BR context=system_u:object_r:removable_t .
+
+Two other options are
+.BR fscontext=
+and
+.BR defcontext= ,
+both of which are mutually exclusive of the context option. This means you
+can use fscontext and defcontext with each other, but neither can be used with
+context.
+
+The
+.BR fscontext=
+option works for all filesystems, regardless of their xattr
+support. The fscontext option sets the overarching filesystem label to a
+specific security context. This filesystem label is separate from the
+individual labels on the files. It represents the entire filesystem for
+certain kinds of permission checks, such as during mount or file creation.
+Individual file labels are still obtained from the xattrs on the files
+themselves. The context option actually sets the aggregate context that
+fscontext provides, in addition to supplying the same label for individual
+files.
+
+You can set the default security context for unlabeled files using
+.BR defcontext=
+option. This overrides the value set for unlabeled files in the policy and requires a
+file system that supports xattr labeling.
+
+For more details see
+.BR selinux (8)
+
.TP
.B defaults
Use default options:
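Review bot: The relocated context= block is not a byte-for-byte move. It now ends with an added empty line after ".BR selinux (8)" and before ".TP", which the removed copy at the end of the list did not have, and an empty line in man source renders as extra vertical space. Drop that line. Since the text is being touched anyway, fix the carried-over nits: "e.g," in the noatime entry should be "e.g.,", "using .BR defcontext= option" is missing "the", and the selinux(8) reference has no closing period.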
.B dev
Interpret character or block special devices on the file system.
.TP
+.B nodev
+Do not interpret character or block special devices on the file
+system.
+.TP
+.B diratime
+Update directory inode access times on this filesystem. This is the default.
+.TP
+.B nodiratime
+Do not update directory inode access times on this filesystem.
+.TP
+.B dirsync
+All directory updates within the file system should be done synchronously.
+This affects the following system calls: creat, link, unlink, symlink,
+mkdir, rmdir, mknod and rename.
+.TP
.B exec
Permit execution of binaries.
.TP
+.B noexec
+Do not allow direct execution of any binaries on the mounted file system.
+(Until recently it was possible to run binaries anyway using a command like
+/lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25 / 2.6.0.)
+.TP
.B group
Allow an ordinary (i.e., non-root) user to mount the file system if one
of his groups matches the group of the device.
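Review bot: "diratime" is the only entry in this hunk with no matching removal anywhere in the patch, so it is new documentation rather than a reorder. Say so in the commit message and confirm that mount accepts the option and that it really is the default as the new text claims. Separately, the noexec note still reads "Until recently it was possible ..."; that relative wording will age, so lead with the kernel versions already given (2.4.25 / 2.6.0) instead.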
.B noiversion
Do not increment the i_version inode field.
.TP
-.B nofail
-Do not report errors for this device if it does not exist.
-.TP
.B mand
Allow mandatory locks on this filesystem. See
.BR fcntl (2).
.TP
+.B nomand
+Do not allow mandatory locks on this filesystem.
+.TP
.B _netdev
The filesystem resides on a device that requires network access
(used to prevent the system from attempting to mount these filesystems
until the network has been enabled on the system).
.TP
-.B noatime
-Do not update inode access times on this file system (e.g, for faster
-access on the news spool to speed up news servers).
-.TP
-.B nodiratime
-Do not update directory inode access times on this filesystem.
+.B nofail
+Do not report errors for this device if it does not exist.
.TP
.B relatime
Update inode access times relative to modify or change time. Access
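Review bot: "relatime" is left in place as context after "nofail", but the noatime and nodiratime entries removed just above it were what tied it to the access-time group. With those moved up beside atime and diratime, relatime is now separated from the options it modifies and sits out of alphabetical order ahead of "owner". Move it up next to the atime entries in the same patch.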
feature (e.g, for systems where the feature is enabled by default, for
more details see mount options in /proc/mounts).
.TP
-.B noauto
-Can only be mounted explicitly (i.e., the
-.B \-a
-option will not cause the file system to be mounted).
-.TP
-.B nodev
-Do not interpret character or block special devices on the file
-system.
-.TP
-.B noexec
-Do not allow direct execution of any binaries on the mounted file system.
-(Until recently it was possible to run binaries anyway using a command like
-/lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25 / 2.6.0.)
-.TP
-.B nomand
-Do not allow mandatory locks on this filesystem.
+.B suid
+Allow set-user-identifier or set-group-identifier bits to take
+effect.
.TP
.B nosuid
Do not allow set-user-identifier or set-group-identifier bits to take
effect. (This seems safe, but is in fact rather unsafe if you have
suidperl(1) installed.)
.TP
-.B nouser
-Forbid an ordinary (i.e., non-root) user to mount the file system.
-This is the default.
-.TP
.B owner
Allow an ordinary (i.e., non-root) user to mount the file system if he
is the owner of the device.
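Review bot: The suid/nosuid pair is merged in the opposite direction from every other pair in this patch: "suid" is pulled up to the old position of "nosuid" instead of "nosuid" moving down to the slot after "rw" where "suid" was. The pair ends up listed before "owner" and "rw", which matches neither alphabetical order nor the placement used for atime/noatime, dev/nodev and exec/noexec. Keep "suid" where it was and move "nosuid" after it.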
.B rw
Mount the file system read-write.
.TP
-.B suid
-Allow set-user-identifier or set-group-identifier bits to take
-effect.
-.TP
.B sync
All I/O to the file system should be done synchronously. In case of media with limited number of write cycles
(e.g. some flash drives) "sync" may cause life-cycle shortening.
.TP
-.B dirsync
-All directory updates within the file system should be done synchronously.
-This affects the following system calls: creat, link, unlink, symlink,
-mkdir, rmdir, mknod and rename.
-.TP
.B user
Allow an ordinary user to mount the file system.
The name of the mounting user is written to mtab so that he can unmount
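Review bot: The "sync" entry loses its neighbour "dirsync" here and gets no pointer in return, while the first hunk adds "(See also the sync option.)" to "async". Add the reciprocal reference in "sync", for example "(See also async and dirsync.)", so the three related entries stay discoverable now that they are no longer adjacent.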
(unless overridden by subsequent options, as in the option line
.BR user,exec,dev,suid ).
.TP
+.B nouser
+Forbid an ordinary (i.e., non-root) user to mount the file system.
+This is the default.
+.TP
.B users
Allow every user to mount and unmount the file system.
This option implies the options
.BR noexec ", " nosuid ", and " nodev
(unless overridden by subsequent options, as in the option line
.BR users,exec,dev,suid ).
-.TP
-\fBcontext=\fP\fIcontext\fP, \fBfscontext=\fP\fIcontext\fP and \fBdefcontext=\fP\fIcontext\fP
-The
-.BR context=
-option is useful when mounting filesystems that do not support
-extended attributes, such as a floppy or hard disk formatted with VFAT, or
-systems that are not normally running under SELinux, such as an ext3 formatted
-disk from a non-SELinux workstation. You can also use
-.BR context=
-on filesystems you do not trust, such as a floppy. It also helps in compatibility with
-xattr-supporting filesystems on earlier 2.4.<x> kernel versions. Even where
-xattrs are supported, you can save time not having to label every file by
-assigning the entire disk one security context.
-
-A commonly used option for removable media is
-.BR context=system_u:object_r:removable_t .
-
-Two other options are
-.BR fscontext=
-and
-.BR defcontext= ,
-both of which are mutually exclusive of the context option. This means you
-can use fscontext and defcontext with each other, but neither can be used with
-context.
-
-The
-.BR fscontext=
-option works for all filesystems, regardless of their xattr
-support. The fscontext option sets the overarching filesystem label to a
-specific security context. This filesystem label is separate from the
-individual labels on the files. It represents the entire filesystem for
-certain kinds of permission checks, such as during mount or file creation.
-Individual file labels are still obtained from the xattrs on the files
-themselves. The context option actually sets the aggregate context that
-fscontext provides, in addition to supplying the same label for individual
-files.
-
-You can set the default security context for unlabeled files using
-.BR defcontext=
-option. This overrides the value set for unlabeled files in the policy and requires a
-file system that supports xattr labeling.
-
-For more details see
-.BR selinux (8)
.RE
.TP
.B \-\-bind