+++ This bug was initially created as a clone of Bug #448787 +++

Description of problem:
Attempting to mount an ecryptfs overlay on an nfs share fails with a somewhat cryptic message:

    Error mounting eCryptfs; rc = [-95]; strerr = [Operation not supported]. Check your system logs; visit <http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.

System logs say:

    SELinux: (dev ecryptfs, type ecryptfs) has no security xattr handler

The secret decoder ring says that the root of this error is ecryptfs wanting to use extended attributes, but they aren't supported on nfs.

Version-Release number of selected component (if applicable):
kernel-2.6.18-92.el5
ecryptfs-utils-41-1.el5
selinux-policy-2.4.6-137.el5

How reproducible:
Mount nfs share, create directory on share, try to do an ecryptfs overlay mount on top of it.

Additional info:
Passing these extra options:

    -o context=system_u:object_r:user_home_t:s0

on the ecryptfs mount command line works around the problem.

-- Additional comment from jwilson on 2008-06-03 15:23 EST --

More complete instructions for reproducer setup:

1) export /data on server
2) mount server:/data to /data on client
3) create directory /data/encrypted
4) # mount -t ecryptfs /data/encrypted /data/encrypted

    Select key type to use for newly created files:
     1) openssl
     2) passphrase
    Selection: 2
    Passphrase: foofoo
    Verify Passphrase: foofoo
    Select cipher:
     1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
     2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
     3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
     4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
     5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
     6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
    Selection [aes]: aes
    Select key bytes:
     1) 16
     2) 32
     3) 24
    Selection [16]: 2
    Attempting to mount with the following options:
      ecryptfs_key_bytes=32
      ecryptfs_cipher=aes
      ecryptfs_sig=92868a6a72b0202e
    Error mounting eCryptfs; rc = [-95]; strerr = [Operation not supported]. Check your system logs; visit <http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.

-- Additional comment from esandeen on 2008-06-03 16:57 EST --

FWIW, this behavior changed between selinux-policy-2.4.6-104.el5 and selinux-policy-2.4.6-137.el5, if that's relevant ... the older version let us mount ok.

-- Additional comment from dwalsh on 2008-06-04 13:52 EST --

Are you getting any messages in /var/log/audit/audit.log?

-- Additional comment from eparis on 2008-06-04 14:01 EST --

dan, I assume this was the addition of an fs_use rule for ecryptfs

I've got a patch I hoped to get to list today which should allow us to drop ecryptfs definition from policy and things will 'just work'

But it's as of yet untested

-- Additional comment from pm-rhel on 2008-06-11 10:25 EST --

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Created attachment 308962
possible patch sent upstream for comment
note, breaks ntfs-3g. See bug 450867
Updating PM score.
We do not currently have plans to support eCryptfs on NFS. Nor do we have plans to support SELinux on top of eCryptfs. I am going to close this bug as wontfix
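
Added example, not part of the bug report or of any Red Hat tooling: a shell pre-flight helper that finds the filesystem type under the lower directory and emits the `context=` workaround quoted in the description only when that directory sits on NFS. The function names, the constructed sample mount table, and the choice of `nfs`/`nfs4` as the types to match are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names and sample data are hypothetical.

# Constructed sample in /proc/mounts format, mirroring the reproducer (server:/data on /data).
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
/proc /proc proc rw 0 0
server:/data /data nfs rw,vers=3 0 0
EOF
}

# lower_fstype DIR [MOUNTS_FILE]
# Print the fs type of the longest mount point that contains DIR.
# Later entries win ties, matching how stacked mounts shadow earlier ones.
# Mount points with escaped characters (e.g. \040 for space) are not decoded.
lower_fstype() {
    awk -v dir="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            # Match "/", an exact hit, or a true path prefix (so /data does not match /database).
            if (mp == "/" || dir == mp || index(dir, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); fstype = $3 }
            }
        }
        END { if (fstype != "") print fstype }
    ' "${2:-/proc/mounts}"
}

# ecryptfs_mount_opts DIR [MOUNTS_FILE]
# Print extra options for `mount -t ecryptfs`. On NFS, where the report says
# security xattrs are unavailable, label the whole mount with the context
# quoted in the bug description; elsewhere add nothing.
ecryptfs_mount_opts() {
    case "$(lower_fstype "$1" "$2")" in
        nfs|nfs4) echo "context=system_u:object_r:user_home_t:s0" ;;
        "")       return 1 ;;   # lower directory not found in the mount table
        *)        echo "" ;;
    esac
}

# Stand-alone use: ./script.sh /data/encrypted
if [ "$#" -gt 0 ]; then
    ecryptfs_mount_opts "$1"
fi
```

The `user_home_t` type is the one used in the report; a deployment would pick the type its policy expects for the data being stored.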