> "jon bird":
>> Apologies, meant to answer that question yesterday. Our system is an
>> embedded, highly cut down build of Linux and whilst we have the core
>> policy tools deployed, seinfo is part of the SETools suite which we
>> don't
>> have available. It's possible I may be able to look at deploying it if
>> we
>> think it would be useful. However from the manual pages it sounds very
>> much like it would dump out the file system information similar to the
>> following which is generated by the kernel during boot:
>       :::
>> As you can see, most of them support labelling via some mechanism.
>
> Taking a glance at some selinux packages, the policy has some
> declarations/settings about filesystems which the policy is
> applied to. They maybe
>
> ----------------------------------------
> # filesystems to be used in labeling targets
> filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
> fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
> ----------------------------------------
>
> or
>
> ----------------------------------------
> # Use xattrs for the following filesystem types.
> # Requires that a security xattr handler exist for the filesystem.
> fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
> ----------------------------------------
>
> Of course, the version of what I read may differ from yours.  So it may
> be unrelated.  But we can check those settings if you can run "seinfo
> --fs_use".
>
> My current guess is
> - it is not aufs that doesn't support selinux.
> - it is selinux that doesn't support aufs.
>
> Do I make myself clear with my broken English?
>

I have literally just concluded the same thing regarding why "devtmpfs"
was misbehaving; however, I had started putting additional debug in the
kernel to try and figure out what it was doing. It was after doing that
that I went back to look at what was in the policy files.

Given this is an embedded system, the advice online was not to use the
SELinux reference policy (which is huge). Instead I have been using
something called "Simplified Policy", which is much more readable but
unfortunately fairly old (2008) and no longer maintained; it was thought
good enough as a "proof of concept". However, given its age, it didn't
have anything for "devtmpfs" in the base policy, hence why that was showing
up as unlabeled as well.

I concur with your assessment that "it is selinux that doesn't support
aufs"; however, the base policy I believe does cover the newer "overlayfs",
so I may be able to use that. At least I know what the problem is now and
where to look.

Thanks for your assistance with this; for completeness I will post back if
I have any success getting it to work, in case anyone else is trying to do
something similar.

Best Regards,


Jon
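As an added example (not from this thread or from any SELinux project), here is a small Python checker that mirrors the check "seinfo --fs_use" would give: it parses fs_use_xattr/fs_use_trans/fs_use_task and genfscon declarations out of policy source and lists the mounted filesystem types (in /proc/mounts format) that have no labeling declaration at all, which is exactly how aufs and devtmpfs end up unlabeled. The policy lines and the mount table below are constructed samples.

```python
import re

# Constructed sample of policy source: a few of the fs_use_xattr lines quoted
# above, plus fs_use_trans/fs_use_task and genfscon lines in the same syntax.
POLICY_SRC = """
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
"""

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/root / ext4 rw,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
tmpfs /run tmpfs rw 0 0
none /overlay aufs rw,relatime 0 0
overlay /data overlay rw,lowerdir=/a,upperdir=/b 0 0
"""

FS_USE_RE = re.compile(r'^\s*(fs_use_xattr|fs_use_trans|fs_use_task)\s+(\S+)\s', re.M)
GENFS_RE = re.compile(r'^\s*genfscon\s+(\S+)\s', re.M)


def labeling_methods(policy_src):
    """Map filesystem type -> labeling statement the policy declares for it."""
    methods = {fs: kind for kind, fs in FS_USE_RE.findall(policy_src)}
    for fs in GENFS_RE.findall(policy_src):
        methods.setdefault(fs, "genfscon")  # fs_use_* wins if both are present
    return methods


def mounted_fstypes(proc_mounts):
    """Distinct filesystem types (third field) from /proc/mounts text, first-seen order."""
    types = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] not in types:
            types.append(fields[2])
    return types


def unlabeled_fstypes(policy_src, proc_mounts):
    """Mounted filesystem types for which the policy declares no labeling behaviour."""
    methods = labeling_methods(policy_src)
    return [fs for fs in mounted_fstypes(proc_mounts) if fs not in methods]
```

On a real target, read /proc/mounts and the policy source (or the output of "seinfo --fs_use" / "seinfo --genfscon") into the two arguments instead of the constructed samples.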
