From: Karel Zak Date: Thu, 27 Nov 2008 12:03:25 +0000 (+0100) Subject: mount: reorder list of options in mount.8 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b825eb893b1ba0ca97862c836e1da98c2d6454fd;p=util-linux mount: reorder list of options in mount.8 Signed-off-by: Karel Zak --- diff --git a/mount/mount.8 b/mount/mount.8 index 1846e11a..1d5b5b6f 100644 --- a/mount/mount.8 +++ b/mount/mount.8 @@ -608,15 +608,71 @@ option today has effect only for ext2, ext3, fat, vfat and ufs): .RS .TP .B async -All I/O to the file system should be done asynchronously. +All I/O to the file system should be done asynchronously. (See also the +.B sync +option.) .TP .B atime Update inode access time for each access. This is the default. .TP +.B noatime +Do not update inode access times on this file system (e.g, for faster +access on the news spool to speed up news servers). +.TP .B auto Can be mounted with the .B \-a option. +.TP +.B noauto +Can only be mounted explicitly (i.e., the +.B \-a +option will not cause the file system to be mounted). +.TP +\fBcontext=\fP\fIcontext\fP, \fBfscontext=\fP\fIcontext\fP and \fBdefcontext=\fP\fIcontext\fP +The +.BR context= +option is useful when mounting filesystems that do not support +extended attributes, such as a floppy or hard disk formatted with VFAT, or +systems that are not normally running under SELinux, such as an ext3 formatted +disk from a non-SELinux workstation. You can also use +.BR context= +on filesystems you do not trust, such as a floppy. It also helps in compatibility with +xattr-supporting filesystems on earlier 2.4. kernel versions. Even where +xattrs are supported, you can save time not having to label every file by +assigning the entire disk one security context. + +A commonly used option for removable media is +.BR context=system_u:object_r:removable_t . + +Two other options are +.BR fscontext= +and +.BR defcontext= , +both of which are mutually exclusive of the context option. This means you +can use fscontext and defcontext with each other, but neither can be used with +context. + +The +.BR fscontext= +option works for all filesystems, regardless of their xattr +support. The fscontext option sets the overarching filesystem label to a +specific security context. This filesystem label is separate from the +individual labels on the files. It represents the entire filesystem for +certain kinds of permission checks, such as during mount or file creation. +Individual file labels are still obtained from the xattrs on the files +themselves. The context option actually sets the aggregate context that +fscontext provides, in addition to supplying the same label for individual +files. + +You can set the default security context for unlabeled files using +.BR defcontext= +option. This overrides the value set for unlabeled files in the policy and requires a +file system that supports xattr labeling. + +For more details see +.BR selinux (8) + .TP .B defaults Use default options: @@ -625,9 +681,29 @@ Use default options: .B dev Interpret character or block special devices on the file system. .TP +.B nodev +Do not interpret character or block special devices on the file +system. +.TP +.B diratime +Update directory inode access times on this filesystem. This is the default. +.TP +.B nodiratime +Do not update directory inode access times on this filesystem. +.TP +.B dirsync +All directory updates within the file system should be done synchronously. +This affects the following system calls: creat, link, unlink, symlink, +mkdir, rmdir, mknod and rename. +.TP .B exec Permit execution of binaries. .TP +.B noexec +Do not allow direct execution of any binaries on the mounted file system. +(Until recently it was possible to run binaries anyway using a command like +/lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25 / 2.6.0.) +.TP .B group Allow an ordinary (i.e., non-root) user to mount the file system if one of his groups matches the group of the device. @@ -642,24 +718,20 @@ Every time the inode is modified, the i_version field will be incremented. .B noiversion Do not increment the i_version inode field. .TP -.B nofail -Do not report errors for this device if it does not exist. -.TP .B mand Allow mandatory locks on this filesystem. See .BR fcntl (2). .TP +.B nomand +Do not allow mandatory locks on this filesystem. +.TP .B _netdev The filesystem resides on a device that requires network access (used to prevent the system from attempting to mount these filesystems until the network has been enabled on the system). .TP -.B noatime -Do not update inode access times on this file system (e.g, for faster -access on the news spool to speed up news servers). -.TP -.B nodiratime -Do not update directory inode access times on this filesystem. +.B nofail +Do not report errors for this device if it does not exist. .TP .B relatime Update inode access times relative to modify or change time. Access @@ -674,32 +746,15 @@ Do not use feature (e.g, for systems where the feature is enabled by default, for more details see mount options in /proc/mounts). .TP -.B noauto -Can only be mounted explicitly (i.e., the -.B \-a -option will not cause the file system to be mounted). -.TP -.B nodev -Do not interpret character or block special devices on the file -system. -.TP -.B noexec -Do not allow direct execution of any binaries on the mounted file system. -(Until recently it was possible to run binaries anyway using a command like -/lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25 / 2.6.0.) -.TP -.B nomand -Do not allow mandatory locks on this filesystem. +.B suid +Allow set-user-identifier or set-group-identifier bits to take +effect. .TP .B nosuid Do not allow set-user-identifier or set-group-identifier bits to take effect. (This seems safe, but is in fact rather unsafe if you have suidperl(1) installed.) .TP -.B nouser -Forbid an ordinary (i.e., non-root) user to mount the file system. -This is the default. -.TP .B owner Allow an ordinary (i.e., non-root) user to mount the file system if he is the owner of the device. @@ -740,19 +795,10 @@ Mount the file system read-only. .B rw Mount the file system read-write. .TP -.B suid -Allow set-user-identifier or set-group-identifier bits to take -effect. -.TP .B sync All I/O to the file system should be done synchronously. In case of media with limited number of write cycles (e.g. some flash drives) "sync" may cause life-cycle shortening. .TP -.B dirsync -All directory updates within the file system should be done synchronously. -This affects the following system calls: creat, link, unlink, symlink, -mkdir, rmdir, mknod and rename. -.TP .B user Allow an ordinary user to mount the file system. The name of the mounting user is written to mtab so that he can unmount @@ -762,56 +808,16 @@ This option implies the options (unless overridden by subsequent options, as in the option line .BR user,exec,dev,suid ). .TP +.B nouser +Forbid an ordinary (i.e., non-root) user to mount the file system. +This is the default. +.TP .B users Allow every user to mount and unmount the file system. This option implies the options .BR noexec ", " nosuid ", and " nodev (unless overridden by subsequent options, as in the option line .BR users,exec,dev,suid ). -.TP -\fBcontext=\fP\fIcontext\fP, \fBfscontext=\fP\fIcontext\fP and \fBdefcontext=\fP\fIcontext\fP -The -.BR context= -option is useful when mounting filesystems that do not support -extended attributes, such as a floppy or hard disk formatted with VFAT, or -systems that are not normally running under SELinux, such as an ext3 formatted -disk from a non-SELinux workstation. You can also use -.BR context= -on filesystems you do not trust, such as a floppy. It also helps in compatibility with -xattr-supporting filesystems on earlier 2.4. kernel versions. Even where -xattrs are supported, you can save time not having to label every file by -assigning the entire disk one security context. - -A commonly used option for removable media is -.BR context=system_u:object_r:removable_t . - -Two other options are -.BR fscontext= -and -.BR defcontext= , -both of which are mutually exclusive of the context option. This means you -can use fscontext and defcontext with each other, but neither can be used with -context. - -The -.BR fscontext= -option works for all filesystems, regardless of their xattr -support. The fscontext option sets the overarching filesystem label to a -specific security context. This filesystem label is separate from the -individual labels on the files. It represents the entire filesystem for -certain kinds of permission checks, such as during mount or file creation. -Individual file labels are still obtained from the xattrs on the files -themselves. The context option actually sets the aggregate context that -fscontext provides, in addition to supplying the same label for individual -files. - -You can set the default security context for unlabeled files using -.BR defcontext= -option. This overrides the value set for unlabeled files in the policy and requires a -file system that supports xattr labeling. - -For more details see -.BR selinux (8) .RE .TP .B \-B, \-\-bind