* Fwd: overlayfs+selinux error: OPNOTSUPP
@ 2015-09-21  7:43 Matthew Cengia
  2015-09-21 14:34 ` J. R. Okajima
  0 siblings, 1 reply; 3+ messages in thread
From: Matthew Cengia @ 2015-09-21  7:43 UTC (permalink / raw)
  To: linux-unionfs


Hi all,

I've posted a message to LKML on Friday, and subsequently, upon
recommendation, have posted to the SELinux list, but then I stumbled
upon this list, which seems to have at least semi-relevant discussion on
SELinux/overlay interactions. I'd really appreciate if you folks could
have a look at my post (https://lkml.org/lkml/2015/9/17/888) to see if
it's anything you're able to help with; I'm running out of ideas!

----- Forwarded message from Matthew Cengia <mattcen@cyber.com.au> -----

> Date: Fri, 18 Sep 2015 12:07:43 +1000
> From: Matthew Cengia <mattcen@cyber.com.au>
> To: linux-kernel@vger.kernel.org
> Cc: Matthew Cengia <mattcen@gmail.com>, "Trent W. Buck" <twb@cyber.com.au>
> Subject: overlayfs+selinux error: OPNOTSUPP
> Message-ID: <20150918020743.GC22582@cyber.com.au>
> User-Agent: Mutt/1.5.21 (2010-09-15)
> 
> Hi all,
> 
> Please CC me directly when responding, as I'm not subscribed to the
> mailing list.
> 
> 
> Summary
> -------
> I deploy diskless Debian kiosks in prisons, for use by inmates.
> As part of the Debian 7 to 8 upgrade, I want to enable SELinux.
> My initrd uses overlayfs to combine a ro squashfs and a rw tmpfs.
> 
> When I add SELinux into the mix, I get a lot of EOPNOTSUPP.
[...]
----- End forwarded message -----

-- 
Regards,
Matthew Cengia


* Re: Fwd: overlayfs+selinux error: OPNOTSUPP
  2015-09-21  7:43 Fwd: overlayfs+selinux error: OPNOTSUPP Matthew Cengia
@ 2015-09-21 14:34 ` J. R. Okajima
  2015-09-21 23:50   ` Matthew Cengia
  0 siblings, 1 reply; 3+ messages in thread
From: J. R. Okajima @ 2015-09-21 14:34 UTC (permalink / raw)
  To: Matthew Cengia; +Cc: linux-unionfs


Matthew Cengia:
> I've posted a message to LKML on Friday, and subsequently, upon
> recommendation, have posted to the SELinux list, but then I stumbled
> upon this list, which seems to have at least semi-relevant discussion on
> SELinux/overlay interactions. I'd really appreciate if you folks could
> have a look at my post (https://lkml.org/lkml/2015/9/17/888) to see if
> it's anything you're able to help with; I'm running out of ideas!
	:::

(from the quoted post)
----------------------------------------------------------------------
aufs doesn't support SELinux, so I had to switch to overlayfs.
So now my target is Debian 8 / Linux 4.1 / systemd / overlayfs / SELinux.
----------------------------------------------------------------------

I know aufs is not your main concern, but would you tell me why you
think that aufs doesn't support SELinux? If I remember correctly, aufs
can live with SELinux. It might be due to your (or your distribution's)
configuration, especially CONFIG_AUFS_XATTR.


J. R. Okajima


* Re: Fwd: overlayfs+selinux error: OPNOTSUPP
  2015-09-21 14:34 ` J. R. Okajima
@ 2015-09-21 23:50   ` Matthew Cengia
  0 siblings, 0 replies; 3+ messages in thread
From: Matthew Cengia @ 2015-09-21 23:50 UTC (permalink / raw)
  To: J. R. Okajima; +Cc: linux-unionfs


On 2015-09-21 23:34, J. R. Okajima wrote:
[...]
> (from the quoted post)
> ----------------------------------------------------------------------
> aufs doesn't support SELinux, so I had to switch to overlayfs.
> So now my target is Debian 8 / Linux 4.1 / systemd / overlayfs / SELinux.
> ----------------------------------------------------------------------
> 
> I know aufs is not your main concern, but would you tell me why you
> think that aufs doesn't support SELinux? If I remember correctly, aufs
> can live with SELinux. It might be due to your (or your distribution's)
> configuration, especially CONFIG_AUFS_XATTR.

If I recall correctly, there are two problems here. The main problem is
that we upgraded to Linux 4.1 to support newer hardware, and given that
has overlayfs in mainline, the Debian kernel maintainers, I believe,
completely removed support for aufs in the kernel, leaving us with
little choice unless we wanted to apply our own patches, which we'd very
much rather avoid.

The other problem seems to be that I can't find that CONFIG_AUFS_XATTR
option in the kernel config I'm using. It may be that the aufs version
I'm using doesn't support xattrs at all, but a newer version does. The
kernel that I just checked this on was
https://packages.debian.org/jessie/linux-image-3.16.0-4-amd64.

Additionally, I've not chased this up yet, but I've received a response
from the SELinux list indicating that the problem is related to me not
having the policy loaded yet:
http://thread.gmane.org/gmane.comp.security.selinux/23045/focus=23053. I
think this will be the next thing I investigate.

-- 
Regards,
Matthew Cengia
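
Added example, not part of the thread or of any participant's message: a shell helper for the kernel-config check discussed above, reporting whether an option such as CONFIG_AUFS_XATTR is enabled, disabled, or not offered by that kernel source at all. The function names, the sample config and the options listed besides CONFIG_AUFS_XATTR are assumptions chosen for the squashfs/tmpfs/overlayfs stack described in the post.

```shell
#!/bin/sh
# Added example (not from the thread): classify options in a kernel config.

# kconfig_state FILE OPTION -> prints y, m, unset or absent.
kconfig_state() {
    if line=$(grep "^$2=" "$1"); then
        printf '%s\n' "${line#*=}"   # value after '=': y (built in) or m (module)
    elif grep -qx "# $2 is not set" "$1"; then
        echo unset    # option exists in this kernel source but is disabled
    else
        echo absent   # this kernel source does not offer the option at all
    fi
}

# Assumed list: SELinux itself plus xattr support for each layer type
# named in the post (squashfs lower, tmpfs upper, overlayfs or aufs union).
XATTR_OPTS="CONFIG_SECURITY_SELINUX CONFIG_OVERLAY_FS CONFIG_SQUASHFS_XATTR \
CONFIG_TMPFS_XATTR CONFIG_AUFS_FS CONFIG_AUFS_XATTR"

# xattr_report FILE -> one "OPTION state" line per option in XATTR_OPTS.
xattr_report() {
    for opt in $XATTR_OPTS; do
        printf '%s %s\n' "$opt" "$(kconfig_state "$1" "$opt")"
    done
}

# Constructed sample config, not taken from any real kernel package.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_SECURITY_SELINUX=y
CONFIG_OVERLAY_FS=m
CONFIG_SQUASHFS_XATTR=y
# CONFIG_TMPFS_XATTR is not set
CONFIG_AUFS_FS=m
EOF
}

# Demo on the constructed sample; on Debian the installed kernel's
# config is /boot/config-$(uname -r).
sample=$(mktemp)
write_sample_config "$sample"
xattr_report "$sample"
rm -f "$sample"
```

An "absent" result means the option name does not appear in the config in any form, which is different from an option that is present but switched off.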

