SELinux/Labels

File labels are the most common aspect of a SELinux system that users and administrators will need to care for. As SELinux policy decisions are based on the label of a resource, making sure that the file labels are correctly set is the most important part of maintaining SELinux systems.

Introduction
The term label is used for the SELinux context of a file or other object on a system. When a document talks about a file context or a file label, both mean the same thing. The term comes from the SELinux permissions relabelfrom and relabelto, which tell the policy whether a relabel operation (change of context) is allowed from a particular label (context) or towards a particular label (context).

Label values are also often abbreviated in documents. A file with  label (or context) actually needs to have an entire context assigned, but in the document itself the type part of the context is the most important one. As such, instead of talking about a file with  label (and having to explain that the SELinux user part can be different) the type   alone is used.

Labels are extended attributes
On most file systems, SELinux labels are stored as extended attributes. This is not always the case, though: some file systems do not support extended attributes. In these cases, all files on the file system are assigned the same context, usually provided through the mount option of the file system.
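
To make the extended-attribute storage concrete, the following added example (not part of the original page) reads the `security.selinux` attribute of a file and splits the context into its fields, so the type part can be checked on its own. The helper names `parse_context` and `read_label` and the sample contexts are constructed for illustration.

```python
import errno
import os
from typing import NamedTuple, Optional

XATTR_NAME = "security.selinux"  # extended attribute that carries the SELinux label


class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # MLS/MCS range; None when the context has no level field


def parse_context(raw: bytes) -> Context:
    """Split a raw label value into user, role, type and optional level."""
    text = raw.rstrip(b"\x00").decode("ascii")  # the value is often NUL-terminated
    # The level may itself contain colons (s0:c0.c1023), so split at most 3 times.
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a SELinux context: {text!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)


def read_label(path: str) -> Optional[Context]:
    """Return the label getxattr reports for path, or None if there is none."""
    try:
        raw = os.getxattr(path, XATTR_NAME, follow_symlinks=False)
    except OSError as exc:
        # ENODATA: attribute not present; ENOTSUP: extended attributes unsupported
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return parse_context(raw)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    for sample in (b"system_u:object_r:etc_t\x00",
                   b"system_u:object_r:shadow_t:s0:c0.c1023\x00"):
        ctx = parse_context(sample)
        print(f"type={ctx.type:<10} full={ctx}")
    # On a Linux host this prints the label of a real file, or None.
    print(read_label("/etc/passwd"))
```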

Non-file resources
On a SELinux system, everything needs to have a context / label assigned. Even resources such as TCP and UDP ports get a label. These labels are assigned by SELinux itself through policy definitions, although users can still manipulate the assigned port types if no specific port type is used yet.