Bug 448787 - eCryptfs mount on NFS fails
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Daniel Walsh
Depends On: 450867
 
Reported: 2008-05-28 19:56 UTC by Jarod Wilson
Modified: 2008-08-01 15:50 UTC

Doc Type: Bug Fix
Last Closed: 2008-08-01 15:50:21 UTC


Attachments
Policy patch I used on rawhide to support ecryptfs (no idea if it is right) (1.04 KB, patch)
2008-06-18 15:50 UTC, Eric Paris

Description Jarod Wilson 2008-05-28 19:56:42 UTC
Description of problem:
Attempting to mount an ecryptfs overlay on an nfs share fails with a somewhat
cryptic message:

Error mounting eCryptfs; rc = [-95]; strerr = [Operation not supported]. Check
your system logs; visit <http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.

System logs say:

SELinux: (dev ecryptfs, type ecryptfs) has no security xattr handler

The secret decoder ring says that the root of this error is ecryptfs wanting to
use extended attributes, but they aren't supported on nfs.


Version-Release number of selected component (if applicable):
kernel-2.6.18-92.el5
ecryptfs-utils-41-1.el5
selinux-policy-2.4.6-137.el5

How reproducible:
Mount nfs share, create directory on share, try to do an ecryptfs overlay mount
on top of it.

Additional info:
Passing these extra options: -o context=system_u:object_r:user_home_t:s0 on the
ecryptfs mount command line works around the problem.
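
The workaround above, as an added example that is not part of the original report: a shell helper that looks up the filesystem type under the directory to be overlaid and adds the `context=` option only when that directory sits on NFS. The function names, the `nfs|nfs4` match list and the sample mount table are assumptions made for illustration; the context value is the one quoted in the report.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not taken from the bug report).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,data=ordered 0 0
server:/data /data nfs rw,vers=3,addr=192.0.2.10 0 0
/dev/sda2 /home ext3 rw,data=ordered 0 0'

# Label applied to every file in the overlay when the workaround is used.
CONTEXT=${CONTEXT:-system_u:object_r:user_home_t:s0}

# fstype_for PATH [MOUNTS_TEXT]
# Print the filesystem type of the mount containing PATH. The longest
# matching mount point wins; on a tie the later entry wins (overmounts).
# Reads /proc/mounts when MOUNTS_TEXT is empty or omitted.
fstype_for() {
    path=$1
    mounts=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$mounts" | awk -v p="$path" '
        {
            mp = $2
            # Match only on whole path components, so /data does not
            # claim /database.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); fs = $3 }
            }
        }
        END { print fs }'
}

# ecryptfs_mount_cmd DIR [MOUNTS_TEXT]
# Print (do not run) the mount command for an eCryptfs overlay on DIR,
# adding the context= option only when the lower filesystem is NFS.
ecryptfs_mount_cmd() {
    dir=$1
    case $(fstype_for "$dir" "${2:-}") in
        nfs|nfs4)   # assumption: lower filesystems without security xattrs
            printf 'mount -t ecryptfs -o context=%s %s %s\n' "$CONTEXT" "$dir" "$dir" ;;
        *)
            printf 'mount -t ecryptfs %s %s\n' "$dir" "$dir" ;;
    esac
}

ecryptfs_mount_cmd /data/encrypted "$SAMPLE_MOUNTS"
```

A `context=` mount gives every file in the overlay the same label, so set `CONTEXT` to a type that matches what the directory will hold.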

Comment 1 Jarod Wilson 2008-06-03 19:23:25 UTC
More complete instructions for reproducer setup:

1) export /data on server
2) mount server:/data to /data on client
3) create directory /data/encrypted
4) # mount -t ecryptfs /data/encrypted /data/encrypted
   Select key type to use for newly created files: 
    1) openssl
    2) passphrase
   Selection: 2
   Passphrase: foofoo
   Verify Passphrase: foofoo 
   Select cipher: 
    1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
    2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
    4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
   Selection [aes]: aes
   Select key bytes: 
    1) 16
    2) 32
    3) 24
   Selection [16]: 2
   Attempting to mount with the following options:
     ecryptfs_key_bytes=32
     ecryptfs_cipher=aes
     ecryptfs_sig=92868a6a72b0202e
   Error mounting eCryptfs; rc = [-95]; strerr = [Operation not supported].
   Check your system logs; visit
<http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.


Comment 2 Eric Sandeen 2008-06-03 20:57:22 UTC
FWIW, this behavior changed between selinux-policy-2.4.6-104.el5 and
selinux-policy-2.4.6-137.el5, if that's relevant ...

The older version let us mount OK.

Comment 3 Daniel Walsh 2008-06-04 17:52:30 UTC
Are you getting any messages in /var/log/audit/audit.log?

Comment 4 Eric Paris 2008-06-04 18:01:29 UTC
Dan, I assume this was the addition of an fs_use rule for ecryptfs. I've got a
patch I hoped to get to the list today which should allow us to drop the ecryptfs
definition from policy, and things will 'just work'.

But it's as yet untested.

Comment 5 RHEL Program Management 2008-06-11 14:25:16 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 6 Eric Paris 2008-06-11 17:05:16 UTC
This is likely going to take a policy change (to not give a fs_use_xattr for
ecryptfs) but until we decide how to fix the kernel this is really waiting on me...

Comment 7 Eric Paris 2008-06-18 15:50:46 UTC
Created attachment 309746
Policy patch I used on rawhide to support ecryptfs (no idea if it is right)

Comment 8 Jarod Wilson 2008-06-18 18:22:29 UTC
(In reply to comment #7)
> Created an attachment (id=309746)
> Policy patch I used on rawhide to support ecryptfs (no idea if it is right)

This, plus your kernel patch in bug 450867, gets ecryptfs atop NFS doing the
right thing for me w/o any need for flags.


Comment 9 Eric Paris 2008-07-16 18:17:56 UTC
This is a policy bug which depends on the kernel bug.  Sorry Dan, it needs to
stay open until I can get the bug this one depends on fixed.

Comment 10 RHEL Program Management 2008-07-16 18:18:44 UTC
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request. 

