Bug 448787 - eCryptfs mount on NFS fails
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Walsh
Keywords: Reopened
Depends On: 450867
Reported: 2008-05-28 15:56 EDT by Jarod Wilson
Modified: 2008-08-01 11:50 EDT

Doc Type: Bug Fix
Last Closed: 2008-08-01 11:50:21 EDT


Attachments:
Policy patch I used on rawhide to support ecryptfs (no idea if it is right) (1.04 KB, patch)
2008-06-18 11:50 EDT, Eric Paris

Description Jarod Wilson 2008-05-28 15:56:42 EDT
Description of problem:
Attempting to mount an ecryptfs overlay on an nfs share fails with a somewhat
cryptic message:

Error mounting eCryptfs; rc = [-95]; strerr = [Operation not supported]. Check
your system logs; visit <http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.

System logs say:

SELinux: (dev ecryptfs, type ecryptfs) has no security xattr handler

The secret decoder ring says that the root of this error is ecryptfs wanting to
use extended attributes, but they aren't supported on nfs.


Version-Release number of selected component (if applicable):
kernel-2.6.18-92.el5
ecryptfs-utils-41-1.el5
selinux-policy-2.4.6-137.el5

How reproducible:
Mount nfs share, create directory on share, try to do an ecryptfs overlay mount
on top of it.

Additional info:
Passing these extra options: -o context=system_u:object_r:user_home_t:s0 on the
ecryptfs mount command line works around the problem.
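
Added example, not part of the original report or of any project's code: a triage helper that checks whether the directory under an eCryptfs mount sits on NFS and whether the kernel log carries the SELinux message quoted above. The mount table and log lines are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed samples in /proc/mounts and kernel-log format (not from the reporter's hosts).
SAMPLE_MOUNTS = """\
/dev/mapper/vg0-root / ext3 rw 0 0
proc /proc proc rw 0 0
server:/data /data nfs rw,vers=3 0 0
"""
SAMPLE_KLOG = """\
kernel: SELinux: initialized (dev dm-0, type ext3), uses xattr
kernel: SELinux: (dev ecryptfs, type ecryptfs) has no security xattr handler
"""
# Workaround quoted in the report's "Additional info".
WORKAROUND = "-o context=system_u:object_r:user_home_t:s0"

NO_XATTR = re.compile(
    r"SELinux: \(dev (\S+), type (\S+)\) has no security xattr handler")


def backing_fstype(path, mounts_text):
    """Return (mountpoint, fstype) for the longest mount point containing path."""
    best = ("", None)
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mnt, fstype = fields[1], fields[2]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) >= len(best[0]):  # later entry wins on ties
            best = (mnt, fstype)
    return best


def xattr_handler_failures(klog_text):
    """Unique (dev, fstype) pairs SELinux logged as lacking an xattr handler."""
    return sorted(set(NO_XATTR.findall(klog_text)))


def triage(lower_dir, mounts_text, klog_text):
    """Correlate the lower filesystem with the SELinux message from the report."""
    mnt, fstype = backing_fstype(lower_dir, mounts_text)
    on_nfs = fstype is not None and fstype.startswith("nfs")
    hit = ("ecryptfs", "ecryptfs") in xattr_handler_failures(klog_text)
    return {"lower_mount": mnt, "lower_fstype": fstype,
            "matches_report": on_nfs and hit,
            "workaround": WORKAROUND if on_nfs and hit else None}


if __name__ == "__main__":
    print(triage("/data/encrypted", SAMPLE_MOUNTS, SAMPLE_KLOG))
```
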
Comment 1 Jarod Wilson 2008-06-03 15:23:25 EDT
More complete instructions for reproducer setup:

1) export /data on server
2) mount server:/data to /data on client
3) create directory /data/encrypted
4) # mount -t ecryptfs /data/encrypted /data/encrypted
   Select key type to use for newly created files: 
    1) openssl
    2) passphrase
   Selection: 2
   Passphrase: foofoo
   Verify Passphrase: foofoo 
   Select cipher: 
    1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
    2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
    4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
   Selection [aes]: aes
   Select key bytes: 
    1) 16
    2) 32
    3) 24
   Selection [16]: 2
   Attempting to mount with the following options:
     ecryptfs_key_bytes=32
     ecryptfs_cipher=aes
     ecryptfs_sig=92868a6a72b0202e
   Error mounting eCryptfs; rc = [-95]; strerr = [Operation not supported].
   Check your system logs; visit
<http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.
Comment 2 Eric Sandeen 2008-06-03 16:57:22 EDT
FWIW, this behavior changed between selinux-policy-2.4.6-104.el5 and
selinux-policy-2.4.6-137.el5, if that's relevant ...

The older version let us mount ok.
Comment 3 Daniel Walsh 2008-06-04 13:52:30 EDT
Are you getting any messages in /var/log/audit/audit.log?
Comment 4 Eric Paris 2008-06-04 14:01:29 EDT
Dan, I assume this was the addition of an fs_use rule for ecryptfs. I've got a
patch I hoped to get to list today which should allow us to drop ecryptfs
definition from policy and things will 'just work'.

But it's as of yet untested.
Comment 5 RHEL Product and Program Management 2008-06-11 10:25:16 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 6 Eric Paris 2008-06-11 13:05:16 EDT
This is likely going to take a policy change (to not give a fs_use_xattr for
ecryptfs) but until we decide how to fix the kernel this is really waiting on me...
Comment 7 Eric Paris 2008-06-18 11:50:46 EDT
Created attachment 309746
Policy patch I used on rawhide to support ecryptfs (no idea if it is right)
Comment 8 Jarod Wilson 2008-06-18 14:22:29 EDT
(In reply to comment #7)
> Created an attachment (id=309746)
> Policy patch I used on rawhide to support ecryptfs (no idea if it is right)

This, plus your kernel patch in bug 450867, gets ecryptfs atop NFS doing the
right thing for me w/o any need for flags.
Comment 9 Eric Paris 2008-07-16 14:17:56 EDT
This is a policy bug which depends on the kernel bug.  Sorry Dan, it needs to
stay open until I can get the bug this one depends on fixed.
Comment 10 RHEL Product and Program Management 2008-07-16 14:18:44 EDT
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request. 