Hello Jon,

"jon bird":
> Support for XATTR/EA (including Security Labels)
>
> Which implies some sort is now available. The help for this reads:
>
> If your branch fs supports XATTR/EA and you want to make them available in
> aufs too, then enable this opsion and specify the branch attributes for
> EA. See detail in
> aufs.5.
>
> First question, can you explain any more what this statement means? I
> can't find anything in the man pages which appears to give any more detail
> on this.

As you might know, the "security label" is implemented as XATTR. And since
aufs3.9 (Dec 2014), aufs supports it. It means you can call
{set,get,list,remove}xattr() system calls, also when an internal copy-up/down
or move-up/down happens, aufs handles all attributes as well as XATTR.
You may want to read Documentation/filesystems/aufs/design/06xattr.txt
which describes more.

The man page describes some branch attributes for XATTR. I named it ICEX,
which stands for "Ignore Copyup Error on XATTR."

> On our SELinux enabled system, this triggers the following in syslog:
>
> SELinux: initialized (dev aufs, type aufs), not configured for labeling

How does selinux know whether the filesystem supports labeling or not?
If something more than XATTR is necessary, tell me about it.
Also you should check your kernel whether CONFIG_AUFS_XATTR is enabled.

J. R. Okajima
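
The four xattr system calls named in the reply above can be exercised against a file on the mount to see whether the filesystem accepts them at all. This is an added example, not code from the thread or from aufs; the attribute name `user.aufs_probe` and the function `xattr_probe` are made up for illustration, and it assumes the `user.` namespace because writing `security.*` attributes needs privilege.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

#define PROBE_NAME "user.aufs_probe"   /* constructed attribute name */

/* Returns 0 if set/get/list/remove all round-trip on path, 1 if the
 * filesystem reports no xattr support (ENOTSUP), -1 on any other error. */
int xattr_probe(const char *path)
{
    const char val[] = "probe";
    char buf[64], names[4096];
    ssize_t n;
    int found = 0;

    if (setxattr(path, PROBE_NAME, val, sizeof(val) - 1, 0) != 0)
        return errno == ENOTSUP ? 1 : -1;

    n = getxattr(path, PROBE_NAME, buf, sizeof(buf));
    if (n != (ssize_t)(sizeof(val) - 1) || memcmp(buf, val, n) != 0) {
        removexattr(path, PROBE_NAME);      /* do not leave the probe behind */
        errno = EIO;
        return -1;
    }
    /* listxattr returns NUL-separated names; look for ours among them. */
    n = listxattr(path, names, sizeof(names));
    for (ssize_t off = 0; n > 0 && off < n; off += strlen(names + off) + 1)
        if (strcmp(names + off, PROBE_NAME) == 0)
            found = 1;

    if (removexattr(path, PROBE_NAME) != 0)
        return -1;
    if (!found) { errno = EIO; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file-on-mount>\n", argv[0]);
        return 2;
    }
    int r = xattr_probe(argv[1]);
    if (r == 0) puts("xattr supported");
    else if (r == 1) puts("xattr not supported (ENOTSUP)");
    else perror("xattr probe");
    return r == 0 ? 0 : 1;
}
```

A result of 1 on an aufs mount whose branch filesystem passes the same probe points at the aufs side, for example a kernel built without CONFIG_AUFS_XATTR.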