Red Hat Bugzilla – Bug 448787
eCryptfs mount on NFS fails
Last modified: 2008-08-01 11:50:21 EDT
Description of problem:
Attempting to mount an ecryptfs overlay on an nfs share fails with a somewhat
Error mounting eCryptfs; rc = [-95]; strerr = [Operation not supported]. Check
your system logs; visit <http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.
System logs say:
SELinux: (dev ecryptfs, type ecryptfs) has no security xattr handler
The secret decoder ring says that the root of this error is ecryptfs wanting to
use extended attributes, but they aren't supported on nfs.
Version-Release number of selected component (if applicable):
Mount nfs share, create directory on share, try to do an ecryptfs overlay mount
on top of it.
Passing these extra options: -o context=system_u:object_r:user_home_t:s0 on the
ecryptfs mount command line works around the problem.
More complete instructions for reproducer setup:
1) export /data on server
2) mount server:/data to /data on client
3) create directory /data/encrypted
4) # mount -t ecryptfs /data/encrypted /data/encrypted
Select key type to use for newly created files:
Verify Passphrase: foofoo
1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: aes
Select key bytes:
Selection : 2
Attempting to mount with the following options:
Error mounting eCryptfs; rc = [-95]; strerr = [Operation not supported].
Check your system logs; visit
FWIW, this behavior changed between selinux-policy-2.4.6-104.el5 and
selinux-policy-2.4.6-137.el5, if that's relevant ...
the older version let us mount ok.
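The failure above comes down to one question: does the lower filesystem expose a handler for the security.* extended-attribute namespace? NFS in this configuration does not, so a policy that assigns ecryptfs fs_use_xattr labelling makes the kernel report "has no security xattr handler" and the mount fails with -95 (EOPNOTSUPP, the "Operation not supported" in the report). The probe below is an added example, not code from the bug report or from ecryptfs-utils: it asks the lower directory for its security.selinux attribute, maps the resulting errno to a verdict, and only then builds the mount command line, appending the context= workaround from the report when the lower filesystem lacks the handler. The function names, the verdict strings and the default cipher options are this example's own assumptions; the context value is the one the reporter used.

```python
import errno
import os

# Verdict strings used by this example (not kernel or ecryptfs-utils terms).
NO_HANDLER = "no security xattr handler"
SUPPORTED = "security xattrs supported"
UNKNOWN = "undetermined"

# Workaround option taken from the bug report.
REPORTED_CONTEXT = "system_u:object_r:user_home_t:s0"


def classify_xattr_errno(err):
    """Map the errno from getxattr('security.selinux') to a verdict.

    ENOTSUP/EOPNOTSUPP (95 on Linux): the filesystem has no xattr handler
    for the security namespace. This is the NFS case in the report, and the
    same -95 that mount.ecryptfs prints.
    ENODATA: a handler exists but no label is stored (e.g. SELinux disabled),
    which is still fine for an xattr-labelled overlay.
    Anything else (EACCES, EPERM, ...) tells us nothing either way.
    """
    if err in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return NO_HANDLER
    if err == errno.ENODATA:
        return SUPPORTED
    return UNKNOWN


def probe_security_xattr(path):
    """Return (verdict, label) for PATH; label is the SELinux context if readable."""
    if not hasattr(os, "getxattr"):  # xattr syscalls are Linux-only in the os module
        return UNKNOWN, None
    try:
        raw = os.getxattr(path, "security.selinux")
    except OSError as exc:
        return classify_xattr_errno(exc.errno), None
    return SUPPORTED, raw.rstrip(b"\0").decode(errors="replace")


def ecryptfs_mount_argv(lower_dir,
                        base_opts="ecryptfs_cipher=aes,ecryptfs_key_bytes=16",
                        context=REPORTED_CONTEXT):
    """Build the argv for the overlay mount in step 4 of the reproducer.

    The context= option is added only when the lower filesystem is known to
    lack a security xattr handler, i.e. the situation that triggers the bug.
    base_opts is an assumed, non-interactive choice matching the aes/16-byte
    selection shown in the report; mount.ecryptfs still prompts for the
    passphrase unless a key= option supplies one.
    """
    verdict, _ = probe_security_xattr(lower_dir)
    opts = base_opts
    if verdict == NO_HANDLER:
        opts += ",context=" + context
    return ["mount", "-t", "ecryptfs", lower_dir, lower_dir, "-o", opts]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/data/encrypted"
    verdict, label = probe_security_xattr(target)
    print(f"{target}: {verdict}" + (f" (label {label})" if label else ""))
    print(" ".join(ecryptfs_mount_argv(target)))
```

Run it as `python3 probe.py /data/encrypted` on the NFS client after steps 1 to 3; the printed mount line is what step 4 should be, and it carries context= exactly when the probe reports a missing handler. Actually executing the mount still needs root and the exported share, so the example prints the command rather than running it.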
Are you getting any messages in /var/log/audit/audit.log?
Dan, I assume this was the addition of an fs_use rule for ecryptfs. I've got a
patch I hoped to get to the list today which should allow us to drop the ecryptfs
definition from policy, and things will 'just work'.
But it's as of yet untested.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
This is likely going to take a policy change (to not give a fs_use_xattr for
ecryptfs), but until we decide how to fix the kernel this is really waiting on me...
Created attachment 309746
Policy patch I used on rawhide to support ecryptfs (no idea if it is right)
(In reply to comment #7)
> Created an attachment (id=309746) 
> Policy patch I used on rawhide to support ecryptfs (no idea if it is right)
This, plus your kernel patch in bug 450867, gets ecryptfs atop NFS doing the
right thing for me w/o any need for flags.
This is a policy bug which depends on the kernel bug. Sorry Dan, it needs to
stay open until I can get the bug this one depends on fixed.
Development Management has reviewed and declined this request. You may appeal
this decision by reopening this request.