Bug 450867 - eCryptfs mount on NFS fails
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.3
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Eric Paris
QA Contact: Red Hat Kernel QE team
Blocks: 448787
Reported: 2008-06-11 10:33 EDT by Eric Paris
Modified: 2013-03-19 11:51 EDT (History)
Doc Type: Bug Fix
Last Closed: 2013-03-19 11:51:19 EDT

Attachments:
possible patch sent upstream for comment (3.66 KB, patch), 2008-06-11 13:02 EDT, Eric Paris

Description Eric Paris 2008-06-11 10:33:05 EDT
+++ This bug was initially created as a clone of Bug #448787 +++

Description of problem:
Attempting to mount an ecryptfs overlay on an nfs share fails with a somewhat
cryptic message:

Error mounting eCryptfs; rc = [-95]; strerr = [Operation not supported]. Check
your system logs; visit <http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.

System logs say:

SELinux: (dev ecryptfs, type ecryptfs) has no security xattr handler

The secret decoder ring says that the root of this error is ecryptfs wanting to
use extended attributes, but they aren't supported on nfs.


Version-Release number of selected component (if applicable):
kernel-2.6.18-92.el5
ecryptfs-utils-41-1.el5
selinux-policy-2.4.6-137.el5

How reproducible:
Mount nfs share, create directory on share, try to do an ecryptfs overlay mount
on top of it.

Additional info:
Passing these extra options: -o context=system_u:object_r:user_home_t:s0 on the
ecryptfs mount command line works around the problem.

-- Additional comment from jwilson@redhat.com on 2008-06-03 15:23 EST --
More complete instructions for reproducer setup:

1) export /data on server
2) mount server:/data to /data on client
3) create directory /data/encrypted
4) # mount -t ecryptfs /data/encrypted /data/encrypted
   Select key type to use for newly created files: 
    1) openssl
    2) passphrase
   Selection: 2
   Passphrase: foofoo
   Verify Passphrase: foofoo 
   Select cipher: 
    1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
    2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
    4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
   Selection [aes]: aes
   Select key bytes: 
    1) 16
    2) 32
    3) 24
   Selection [16]: 2
   Attempting to mount with the following options:
     ecryptfs_key_bytes=32
     ecryptfs_cipher=aes
     ecryptfs_sig=92868a6a72b0202e
   Error mounting eCryptfs; rc = [-95]; strerr = [Operation not supported].
   Check your system logs; visit
<http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.


-- Additional comment from esandeen@redhat.com on 2008-06-03 16:57 EST --
FWIW, this behavior changed between selinux-policy-2.4.6-104.el5 and
selinux-policy-2.4.6-137.el5, if that's relevant ...

the older version let us mount ok.

-- Additional comment from dwalsh@redhat.com on 2008-06-04 13:52 EST --
Are you getting any messages in /var/log/audit/audit.log?

-- Additional comment from eparis@redhat.com on 2008-06-04 14:01 EST --
Dan, I assume this was the addition of an fs_use rule for ecryptfs. I've got a
patch I hoped to get to list today which should allow us to drop ecryptfs
definition from policy and things will 'just work'

But it's as of yet untested

-- Additional comment from pm-rhel@redhat.com on 2008-06-11 10:25 EST --
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
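
An added example, not code from the report or from Red Hat: a shell check that recognises the failure described above (NFS lower filesystem plus the SELinux "no security xattr handler" log message) and prints the mount command with the `context=` workaround from the description. The function names, the sample mount table and the sample syslog line are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Red Hat or eCryptfs code. Nothing is mounted here.

# Constructed sample in /proc/mounts format (addresses and layout invented).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
server:/data /data nfs rw,vers=3,addr=192.0.2.10 0 0
/dev/sda2 /home ext3 rw 0 0'
# Constructed syslog line wrapping the SELinux message quoted in the report.
SAMPLE_LOG='Jun  3 15:20:01 client kernel: SELinux: (dev ecryptfs, type ecryptfs) has no security xattr handler'
# Context value from the workaround in the bug description.
WORKAROUND_CONTEXT='system_u:object_r:user_home_t:s0'

# lower_fstype PATH [MOUNTS_TEXT]: print the filesystem type of the mount
# containing PATH (longest matching mount point; later entries win ties).
lower_fstype() {
    local path="$1" table="${2:-}" dev mnt type rest best='' best_type=''
    [ -n "$table" ] || table=$(cat /proc/mounts)
    while read -r dev mnt type rest; do
        [ -n "$mnt" ] || continue
        case "$path/" in
            "${mnt%/}/"*)
                if [ "${#mnt}" -ge "${#best}" ]; then
                    best=$mnt; best_type=$type
                fi ;;
        esac
    done <<EOF
$table
EOF
    printf '%s\n' "$best_type"
}

# needs_context_workaround FSTYPE LOG_TEXT: succeed only when the lower
# filesystem is NFS and the log contains the message from this report.
needs_context_workaround() {
    case "$1" in nfs|nfs4) ;; *) return 1 ;; esac
    printf '%s\n' "$2" | grep -qF 'type ecryptfs) has no security xattr handler'
}

# ecryptfs_mount_cmd DIR FSTYPE LOG_TEXT: print the command to review.
ecryptfs_mount_cmd() {
    if needs_context_workaround "$2" "$3"; then
        printf 'mount -t ecryptfs -o context=%s %s %s\n' "$WORKAROUND_CONTEXT" "$1" "$1"
    else
        printf 'mount -t ecryptfs %s %s\n' "$1" "$1"
    fi
}

ecryptfs_mount_cmd /data/encrypted \
    "$(lower_fstype /data/encrypted "$SAMPLE_MOUNTS")" "$SAMPLE_LOG"
```

Calling `lower_fstype` with only a path reads the live `/proc/mounts` instead of the sample table.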

Comment 1 RHEL Product and Program Management 2008-06-11 12:07:02 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 2 Eric Paris 2008-06-11 13:02:26 EDT
Created attachment 308962
possible patch sent upstream for comment

Comment 4 Dave Jones 2008-06-30 16:21:28 EDT
note, breaks ntfs-3g.  See bug 450867

Comment 6 RHEL Product and Program Management 2009-02-16 10:37:27 EST
Updating PM score.

Comment 8 Eric Paris 2013-03-19 11:51:19 EDT
We do not currently have plans to support eCryptfs on NFS.  Nor do we have plans to support SELinux on top of eCryptfs.  I am going to close this bug as wontfix.