Hi, I'm currently looking at the feasibility of introducing one of the Linux security models to an existing system which makes use of aufs in a couple of places and I wanted to understand what sort of support there is in place for security labels. Currently I'm looking at SELinux but it most likely will be one of the other (less complex ones).
We were initially using a 3.2 kernel and my initial investigation suggested that aufs didn't support security labelling. However, we have another flavour of the system which has a 3.16 kernel, and I see that by this point there is an additional kernel option:

    Support for XATTR/EA (including Security Labels)

which implies some sort of support is now available. The help for this reads:

    If your branch fs supports XATTR/EA and you want to make them available in aufs too, then enable this opsion and specify the branch attributes for EA. See detail in aufs.5.

First question: can you explain any more what this statement means? I can't find anything in the man pages which appears to give any more detail on this.

Here is how we mount the aufs file systems:

    mount -t aufs -o rw,dirs=/tmp/etc.rw=rw:/etc=ro unionfs /etc
    mount -t aufs -o rw,dirs=/tmp/var.rw=rw:/var=ro unionfs /var

On our SELinux enabled system, this triggers the following in syslog:

    SELinux: initialized (dev aufs, type aufs), not configured for labeling

which I'm thinking may be correct, because aufs itself won't support labeling; my expectation is that it will inherit this information from the underlying branches that do. However, this does not appear to be the case. If I take a simpler example where we can see the attributes:

    mkdir /tmp/test.rw
    mount -t aufs -o rw,dirs=/tmp/test.rw=rw:/bin=ro unionfs /mnt

Now do a directory listing first of /bin:

    ls -Z /bin
    -rwxr-xr-x system_u:object_r:bin_t ash
    -rwxr-xr-x system_u:object_r:bin_t base64
    -rwxr-xr-x system_u:object_r:bin_t cat
    -rwxr-xr-x system_u:object_r:bin_t chattr
    -rwxr-xr-x system_u:object_r:bin_t chgrp
    -rwxr-xr-x system_u:object_r:bin_t chmod
    ...

Now the aufs mount:

    ls -Z /mnt
    -rwxr-xr-x system_u:object_r:unlabeled_t ash
    -rwxr-xr-x system_u:object_r:unlabeled_t base64
    -rwxr-xr-x system_u:object_r:unlabeled_t cat
    -rwxr-xr-x system_u:object_r:unlabeled_t chattr
    -rwxr-xr-x system_u:object_r:unlabeled_t chgrp
    -rwxr-xr-x system_u:object_r:unlabeled_t chmod
    -rwxr-xr-x system_u:object_r:unlabeled_t chown
    -rwxr-xr-x system_u:object_r:unlabeled_t cp

It doesn't look like the labels are being propagated up properly here. My question then is: should this work as I'm expecting? Are there any additional mount options I need to specify here? Or, given I couldn't find anything useful doing searches online, I suspect this may be untested territory and I could just be banging my head against a wall and it may just not work.

Thanks,
Jon.
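One way to make the comparison in the post repeatable, as an added example that is not part of the original post or of aufs: parse `ls -Z` output from a branch and from the union mount, and report every entry whose context has collapsed to `unlabeled_t` or differs from the branch. The two listings below are constructed from the post's output; the `read_selinux_xattr` helper reads the `security.selinux` attribute directly, which is what `ls -Z` does, so it can be pointed at a real branch and union path.

```python
"""Check whether SELinux labels seen on an aufs branch survive on the union mount.

Added example. Parses the `ls -Z` line format quoted in the post (mode, context,
name) and diffs the two listings. Sample listings are constructed, not captured.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the post: the branch (/bin) and the union (/mnt) listings.
BRANCH_LISTING = """\
-rwxr-xr-x system_u:object_r:bin_t ash
-rwxr-xr-x system_u:object_r:bin_t cat
-rwxr-xr-x system_u:object_r:bin_t chmod
..."""

UNION_LISTING = """\
-rwxr-xr-x system_u:object_r:unlabeled_t ash
-rwxr-xr-x system_u:object_r:unlabeled_t cat
-rwxr-xr-x system_u:object_r:bin_t chmod
-rwxr-xr-x system_u:object_r:unlabeled_t cp"""

# coreutils `ls -Z` (older style, as in the post): mode, security context, file name.
# The optional '.'/'+' after the mode covers ls builds that flag xattrs/ACLs there.
LS_Z_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9}[.+]?)\s+(?P<ctx>\S+)\s+(?P<name>.+)$"
)


def parse_ls_z(output: str) -> Dict[str, str]:
    """Map file name -> SELinux context; lines that are not entries (e.g. '...') are skipped."""
    labels: Dict[str, str] = {}
    for line in output.splitlines():
        m = LS_Z_LINE.match(line.strip())
        if m:
            labels[m.group("name")] = m.group("ctx")
    return labels


def context_type(ctx: str) -> str:
    """Type field (third colon-separated component) of a context such as system_u:object_r:bin_t."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


Entry = Tuple[str, Optional[str], Optional[str]]


def compare_labels(branch: Dict[str, str], union: Dict[str, str]) -> Dict[str, List[Entry]]:
    """Classify every name from either listing as (name, branch_ctx, union_ctx):
      ok        - identical context on both sides
      unlabeled - union fell back to unlabeled_t while the branch has a real type
      mismatch  - both labelled, but differently
      missing   - present in only one listing
    """
    report: Dict[str, List[Entry]] = {"ok": [], "unlabeled": [], "mismatch": [], "missing": []}
    for name in sorted(set(branch) | set(union)):
        b, u = branch.get(name), union.get(name)
        if b is None or u is None:
            report["missing"].append((name, b, u))
        elif b == u:
            report["ok"].append((name, b, u))
        elif context_type(u) == "unlabeled_t":
            report["unlabeled"].append((name, b, u))
        else:
            report["mismatch"].append((name, b, u))
    return report


def read_selinux_xattr(path: str) -> Optional[str]:
    """Read security.selinux the way ls -Z does. Returns None when the file carries no
    label (ENODATA) or the filesystem refuses xattrs (ENOTSUP); on an aufs mount the
    second case is the one that makes everything show up as unlabeled_t."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except OSError:
        return None


def demo_report() -> Dict[str, List[Entry]]:
    """Run the comparison over the constructed listings."""
    return compare_labels(parse_ls_z(BRANCH_LISTING), parse_ls_z(UNION_LISTING))


if __name__ == "__main__":
    for category, entries in demo_report().items():
        for name, b, u in entries:
            print(f"{category:9s} {name:10s} branch={b} union={u}")
```

On a live system, replace the constructed listings with the output of `ls -Z` on the branch directory and the union mount point, or call `read_selinux_xattr` on matching paths under each; a `None` from the union side where the branch returns a context is the same symptom the post describes.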