Description of problem:
Attempting to mount an ecryptfs overlay on an nfs share fails with a somewhat cryptic message:

  Error mounting eCryptfs; rc = [-95]; strerr = [Operation not supported].
  Check your system logs; visit <http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.

System logs say:

  SELinux: (dev ecryptfs, type ecryptfs) has no security xattr handler

The secret decoder ring says that the root of this error is ecryptfs wanting to use extended attributes, but they aren't supported on nfs.

Version-Release number of selected component (if applicable):
kernel-2.6.18-92.el5
ecryptfs-utils-41-1.el5
selinux-policy-2.4.6-137.el5

How reproducible:
Mount nfs share, create directory on share, try to do an ecryptfs overlay mount on top of it.

Additional info:
Passing these extra options: -o context=system_u:object_r:user_home_t:s0 on the ecryptfs mount command line works around the problem.
More complete instructions for reproducer setup:

1) export /data on server
2) mount server:/data to /data on client
3) create directory /data/encrypted
4) # mount -t ecryptfs /data/encrypted /data/encrypted
   Select key type to use for newly created files:
    1) openssl
    2) passphrase
   Selection: 2
   Passphrase: foofoo
   Verify Passphrase: foofoo
   Select cipher:
    1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
    2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
    4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
   Selection [aes]: aes
   Select key bytes:
    1) 16
    2) 32
    3) 24
   Selection [16]: 2
   Attempting to mount with the following options:
     ecryptfs_key_bytes=32
     ecryptfs_cipher=aes
     ecryptfs_sig=92868a6a72b0202e
   Error mounting eCryptfs; rc = [-95]; strerr = [Operation not supported].
   Check your system logs; visit <http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.
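The failure described in the report and the reproducer above reduces to three checks a defender can script before attempting the mount: decode the rc in mount.ecryptfs's error line, find out which filesystem type holds the lower directory, and add the context= workaround from the report when that lower filesystem has no security xattr support. The following is an added example, not code from the bug report or from ecryptfs-utils. The /proc/mounts text and the error string are constructed samples mirroring the reproducer; treating nfs4 like nfs is an assumption, and the live probe uses a user.* xattr as a stand-in for the security.* namespace the SELinux message refers to.

```python
import errno
import os
import re
import tempfile

# Constructed sample of /proc/mounts content (not from the report); the nfs
# entry mirrors the reproducer's server:/data -> /data mount on the client.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,seclabel 0 0
server:/data /data nfs rw,vers=3,addr=192.0.2.10 0 0
tmpfs /dev/shm tmpfs rw,seclabel 0 0
"""

# The exact failure line quoted in the report.
SAMPLE_ERROR = ("Error mounting eCryptfs; rc = [-95]; strerr = [Operation not supported]. "
                "Check your system logs; visit <http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.")

# Lower filesystems without a security xattr handler. The report names nfs;
# nfs4 is included on the same basis as an assumption.
NO_SECURITY_XATTR_FS = {"nfs", "nfs4"}

# The workaround context given in the report's "Additional info".
WORKAROUND_CONTEXT = "system_u:object_r:user_home_t:s0"

_RC_RE = re.compile(r"rc = \[(-?\d+)\]; strerr = \[([^\]]*)\]")


def parse_mount_error(msg):
    """Return (errno_value, strerr) parsed from mount.ecryptfs's error line, or None."""
    m = _RC_RE.search(msg)
    if not m:
        return None
    return abs(int(m.group(1))), m.group(2)


def is_xattr_unsupported(rc):
    """True when the (possibly negative) rc is the 'Operation not supported' errno."""
    return abs(rc) in (errno.EOPNOTSUPP, errno.ENOTSUP)


def lower_fs_type(path, mounts_text=None):
    """Filesystem type of the mount holding `path` (longest matching mount point).

    Reads /proc/mounts when no text is supplied. Later entries win ties, since a
    later mount at the same point shadows an earlier one (rootfs vs. the real root).
    Mount points containing escaped spaces (\\040) are not unescaped here.
    """
    if mounts_text is None:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    path = os.path.normpath(path)
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mnt, fstype = os.path.normpath(fields[1]), fields[2]
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) >= len(best[0]):
                best = (mnt, fstype)
    return best[1] if best else None


def ecryptfs_mount_options(lower_path, mounts_text=None, key_bytes=32, cipher="aes"):
    """Build the -o option list for the overlay mount, appending the context=
    workaround when the lower filesystem cannot store security xattrs."""
    opts = ["ecryptfs_cipher=%s" % cipher, "ecryptfs_key_bytes=%d" % key_bytes]
    if lower_fs_type(lower_path, mounts_text) in NO_SECURITY_XATTR_FS:
        opts.append("context=%s" % WORKAROUND_CONTEXT)
    return opts


def dir_supports_user_xattr(dirpath):
    """Live probe: True if a scratch file in dirpath accepts a user.* xattr,
    False on EOPNOTSUPP/ENOTSUP, None where os.setxattr is unavailable."""
    if not hasattr(os, "setxattr"):
        return None
    fd, tmp = tempfile.mkstemp(dir=dirpath)
    try:
        os.setxattr(tmp, "user.ecryptfs_probe", b"1")
        return True
    except OSError as e:
        if e.errno in (errno.EOPNOTSUPP, errno.ENOTSUP):
            return False
        raise
    finally:
        os.close(fd)
        os.unlink(tmp)


if __name__ == "__main__":
    print(parse_mount_error(SAMPLE_ERROR))
    print(lower_fs_type("/data/encrypted", SAMPLE_MOUNTS))
    print("mount -t ecryptfs -o %s /data/encrypted /data/encrypted"
          % ",".join(ecryptfs_mount_options("/data/encrypted", SAMPLE_MOUNTS)))
```

Run without arguments it prints the parsed rc, resolves /data/encrypted to the nfs mount, and emits the mount command line with context= appended; for an ext3 lower directory the option is left out, which matches the report's observation that the flag is only needed over nfs.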
FWIW, this behavior changed between selinux-policy-2.4.6-104.el5 and selinux-policy-2.4.6-137.el5, if that's relevant ... the older version let us mount ok.
Are you getting any messages in /var/log/audit/audit.log?
Dan, I assume this was the addition of an fs_use rule for ecryptfs. I've got a patch I hoped to get to the list today which should allow us to drop the ecryptfs definition from policy and things will 'just work'. But it's as of yet untested.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
This is likely going to take a policy change (to not give a fs_use_xattr for ecryptfs) but until we decide how to fix the kernel this is really waiting on me...
Created attachment 309746
Policy patch I used on rawhide to support ecryptfs (no idea if it is right)
(In reply to comment #7)
> Created an attachment (id=309746)
> Policy patch I used on rawhide to support ecryptfs (no idea if it is right)

This, plus your kernel patch in bug 450867, gets ecryptfs atop NFS doing the right thing for me w/o any need for flags.
This is a policy bug which depends on the kernel bug. Sorry Dan, it needs to stay open until I can get the bug this one depends on fixed.
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.