Hi Junjiro,

Thanks for getting back to me.
> Hello Jon,
>
> "jon bird":
>> Support for XATTR/EA (including Security Labels)
>>
>> Which implies some sort is now available. The help for this reads:
>>
>> If your branch fs supports XATTR/EA and you want to make them available in
>> aufs too, then enable this option and specify the branch attributes for
>> EA. See detail in aufs.5.
>>
>> First question, can you explain any more what this statement means? I
>> can't find anything in the man pages which appears to give any more detail
>> on this.
>
> As you might know, the "security label" is implemented as XATTR. And
> since aufs3.9 (Dec 2014), aufs supports it. It means you can call
> {set,get,list,remove}xattr() system calls, also when an internal
> copy-up/down or move-up/down happens, aufs handles all attributes as
> well as XATTR.

We have 3.16-20150928 so we should be good.

> You may want to read Documentation/filesystems/aufs/design/06xattr.txt
> which describes more. The man page describes some branch
> attributes for XATTR. I named it ICEX which stands for "Ignore Copyup
> Error on XATTR."

I did indeed take a look at this and concluded that I didn't think I'd need them (if at all) at this point; however, I have just tried using both icexsec and then, for good measure, icex on the mount. Neither made any noticeable difference:

    mount -t aufs -o rw,dirs=/tmp/test.rw=rw+icex:/bin=ro+icex unionfs /mnt

>> On our SELinux enabled system, this triggers the following in syslog:
>>
>> SELinux: initialized (dev aufs, type aufs), not configured for labeling
>
> How does selinux know whether the filesystem supports labeling or not?
> If something more than XATTR is necessary, tell me about it.
> Also you should check your kernel whether CONFIG_AUFS_XATTR is enabled.

I can confirm CONFIG_AUFS_XATTR is enabled in the build. This is really my first look at SELinux, so it's pretty new to me as well; as I said, we're just doing a feasibility study right now and looking at potential hurdles to using it.
That said, I did start having a bit of an explore as to where the message "not configured for labeling" was coming from. As best I can fathom it's from within security/selinux/hooks.c, and there is a block of code which is as follows:

    if (!sbsec->behavior) {
            /*
             * Determine the labeling behavior to use for this
             * filesystem type.
             */
            rc = security_fs_use(sb);
            if (rc) {
                    printk(KERN_WARNING
                           "%s: security_fs_use(%s) returned %d\n",
                           __func__, sb->s_type->name, rc);
                    goto out;
            }
    }

The message itself is emitted based on the value of 'sbsec->behavior', which I think should (may?) be SECURITY_FS_USE_XATTR. 'sb' in this instance is a pointer to "struct super_block" - this is how it is derived:

https://elixir.bootlin.com/linux/v3.16.57/source/security/selinux/ss/services.c#L2347

Which doesn't mean a great deal to me, I'm afraid. I did spot in your code this line commented out in inode.h:

    /* void au_xattr_init(struct super_block *sb); */

which may of course be where this code should end up to get this information? That's really all I've been able to ascertain right now.

Rgs,
Jon.
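A way to check the same thing from userspace, as an added example that is not part of this thread or of aufs: SELinux appends the "seclabel" mount option to a superblock's /proc/self/mounts entry once it has configured that superblock for labeling, and setting and reading back a user.* xattr confirms that the branch filesystem really stores attributes. The sample mounts text and the xattr name below are constructed.

```python
import os
import re
import tempfile

# Constructed /proc/self/mounts sample (not from the thread): an ext4 root
# that SELinux labels (its show_options hook appends "seclabel" when the
# superblock supports labeling) and an aufs union mounted as in the thread.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/sdb1 /media/my\\040disk ext4 rw,seclabel,relatime 0 0
unionfs /mnt aufs rw,relatime,si=0123456789abcdef 0 0
"""

def parse_mounts(text):
    """Map mount point -> (fstype, set of options); decodes \\ooo escapes."""
    mounts = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4:
            mp = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), f[1])
            mounts[mp] = (f[2], set(f[3].split(",")))
    return mounts

def mount_for(mounts, path):
    """Longest mount point containing path (mounts nest, e.g. / and /mnt)."""
    hits = [mp for mp in mounts if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None

def labeling_supported(mounts, path):
    """True when SELinux reported the mount holding path with 'seclabel'."""
    mp = mount_for(mounts, path)
    return mp is not None and "seclabel" in mounts[mp][1]

def probe_user_xattr(directory):
    """Set and read back a user.* xattr on a temp file; False on ENOTSUP etc."""
    if not hasattr(os, "setxattr"):      # non-Linux Python builds
        return False
    try:
        fd, tmp = tempfile.mkstemp(dir=directory)
    except OSError:
        return False
    os.close(fd)
    try:
        os.setxattr(tmp, "user.xattr_probe", b"1")   # constructed probe name
        return os.getxattr(tmp, "user.xattr_probe") == b"1"
    except OSError:
        return False
    finally:
        os.unlink(tmp)
```

Run labeling_supported() against the real /proc/self/mounts and probe_user_xattr() against the union root to tell "SELinux never configured this superblock" apart from "the branch does not store xattrs at all".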