ecryptfs selinux labeling on Fedora 12

Stephen Smalley sds at tycho.nsa.gov
Mon Dec 14 15:05:27 UTC 2009


On Mon, 2009-12-14 at 11:11 +0100, Roberto Sassu wrote:
> Hi all
> 
> I'm using Fedora 12 and I have configured an ecryptfs filesystem.
> I see that the default behaviour for this filesystem is to use a unique
> mount-wide context (ecryptfs_t) to label each file.
> Is there a way to override this behaviour (for example by inserting a mount
> parameter), in order to use the extended attributes on the lower filesystem, or
> is patching the distributed selinux policy the only option possible?
> 
> Thanks in advance for replies.

You'd have to modify, rebuild, and replace the base policy module to
specify fs_use_xattr for ecryptfs rather than genfscon.  There was an
attempt to automate probing for xattr support and use it if present, but
it ran into problems; see:
http://marc.info/?t=121379726100001&r=1&w=2

-- 
Stephen Smalley
National Security Agency
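
The difference between the two labeling statements named in the reply, as an added example that is not part of the original message or of Fedora's policy: a small Python check that reads policy source text and reports which statement governs a filesystem type. The two policy fragments are constructed in reference-policy style, and the use of `fs_t` in the changed fragment is an assumption.

```python
import re

# Constructed policy-source fragments in reference-policy style (not copied
# from Fedora's policy). BEFORE labels ecryptfs mount-wide via genfscon;
# AFTER is the change the reply describes, with fs_t as an assumed type.
BEFORE = """
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
"""
AFTER = """
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0);
"""

# fs_use_<kind> <fstype> <context>;
FS_USE = re.compile(r"^\s*fs_use_(xattr|task|trans)\s+(\S+)\s+(\S+?);", re.M)
# genfscon <fstype> <path> [-filetype] <context>
GENFS = re.compile(r"^\s*genfscon\s+(\S+)\s+(\S+)\s+(?:-\S+\s+)?(\S+)", re.M)


def context_type(ctx):
    """Return the type field of user:role:type[:range], unwrapping gen_context()."""
    m = re.match(r"gen_context\(([^,)]+)", ctx)
    return (m.group(1) if m else ctx).split(":")[2]


def labeling(policy_src, fstype):
    """Return (statement, type) that the policy source applies to fstype.

    An fs_use_* entry is consulted first; otherwise the genfscon entry for
    "/" gives the whole mount one label; with neither there is no rule.
    """
    for kind, fs, ctx in FS_USE.findall(policy_src):
        if fs == fstype:
            return ("fs_use_" + kind, context_type(ctx))
    for fs, path, ctx in GENFS.findall(policy_src):
        if fs == fstype and path == "/":
            return ("genfscon", context_type(ctx))
    return ("none", None)


if __name__ == "__main__":
    for name, src in (("before", BEFORE), ("after", AFTER)):
        print(name, labeling(src, "ecryptfs"))
```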



