From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path:
Received: from mx1.redhat.com ([209.132.183.28]:50240 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756289AbcJMVQd (ORCPT ); Thu, 13 Oct 2016 17:16:33 -0400
Date: Thu, 13 Oct 2016 17:16:11 -0400
From: Vivek Goyal
To: CAI Qian
Cc: Andreas Gruenbacher , Al Viro , Miklos Szeredi , linux-fsdevel
Subject: Re: [bisected] Re: docker overlay support broken post v4.8
Message-ID: <20161013211611.GA7916@redhat.com>
References: <530387982.494829.1476280492275.JavaMail.zimbra@redhat.com> <2011297919.807400.1476391103491.JavaMail.zimbra@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2011297919.807400.1476391103491.JavaMail.zimbra@redhat.com>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

On Thu, Oct 13, 2016 at 04:38:23PM -0400, CAI Qian wrote:
>
>
> ----- Original Message -----
> > From: "CAI Qian"
> > Sent: Wednesday, October 12, 2016 9:54:52 AM
> > Subject: docker overlay support broken post v4.8
> >
> > Some patches went into the 4.9 merge window broke docker overlay support
> > even with selinux disabled (setenforce 0).
> >
> > # docker run -it fedora bash
> > /usr/bin/docker-latest: Error response from daemon: error creating overlay mount to /var/lib/docker-latest/overlay/8ffc75b527de2863daef50a7c88a382b84953a0d40f49c40d2a9f504d9e8123c-init/merged: operation not supported.
> > See '/usr/bin/docker-latest run --help'.
> >
> > This message splits in the console.
> > [61250.857832] SELinux: (dev overlay, type overlay) has no xattr support
> Reverted the patchset of "Xattr inode operation removal" against the latest mainline
> fixed the problem, i.e., commits below in order.
>
> fd50ecaddf8372a1d96e0daeaac0f93cf04e4d42
> 6c6ef9f26e598fb977f60935e109cd5b266c941a
> bf3ee71363c0b44acb62f375aea470262ac4210a
> 5d6c31910bc0713e37628dc0ce677dcb13c8ccf4
> f5c244383725a6de06bc62fa7c54c0ea0d942eec
> 5f6e59ae8277cef221fdbf9b12f0c4f80db59944
> d0a5b995a308347fdb1bb0412df32acd0312523b

Looking at selinux code, it seems to be coming from following code. Looks
like in case of overlay inode, we are not setting IOP_XATTR?

Vivek

sb_finish_set_opts()
	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
		/* Make sure that the xattr handler exists and that no
		   error other than -ENODATA is returned by getxattr on
		   the root directory.  -ENODATA is ok, as this may be
		   the first boot of the SELinux kernel before we have
		   assigned xattr values to the filesystem. */
		if (!(root_inode->i_opflags & IOP_XATTR)) {
			printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
			       "xattr support\n", sb->s_id, sb->s_type->name);
			rc = -EOPNOTSUPP;
			goto out;
		}
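
Added example (not part of the original message, and not kernel code): the rule in the quoted comment, that -ENODATA from getxattr on the root directory is acceptable while other errors are not, applied from userspace to directories given on the command line. The enum and function names are hypothetical; the probe uses getxattr(2) on security.selinux and cannot see the in-kernel IOP_XATTR flag that the quoted check tests.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Hypothetical names; only getxattr(2) and the errno values are real. */
enum xattr_probe {
    XATTR_LABELLED,     /* attribute present */
    XATTR_UNLABELLED,   /* ENODATA: xattrs work, no label stored yet */
    XATTR_UNSUPPORTED,  /* EOPNOTSUPP: no xattr support for this name */
    XATTR_ERROR         /* any other failure (ENOENT, EACCES, ...) */
};

/* Classify a getxattr() result the way the quoted comment describes:
 * success and ENODATA are acceptable, everything else is a failure. */
enum xattr_probe classify_xattr_result(ssize_t rc, int err)
{
    if (rc >= 0)
        return XATTR_LABELLED;
    if (err == ENODATA)
        return XATTR_UNLABELLED;
    if (err == EOPNOTSUPP)
        return XATTR_UNSUPPORTED;
    return XATTR_ERROR;
}

/* Size-only query (NULL buffer, size 0), so no label data is read. */
enum xattr_probe probe_selinux_xattr(const char *dir)
{
    ssize_t rc = getxattr(dir, "security.selinux", NULL, 0);
    return classify_xattr_result(rc, rc < 0 ? errno : 0);
}

int main(int argc, char **argv)
{
    static const char *const names[] = {
        "labelled", "unlabelled (ENODATA, acceptable)",
        "no xattr support (EOPNOTSUPP)", "other error"
    };
    int bad = 0;

    /* Probe every directory named on the command line. */
    for (int i = 1; i < argc; i++) {
        enum xattr_probe r = probe_selinux_xattr(argv[i]);
        printf("%s: %s\n", argv[i], names[r]);
        bad |= (r == XATTR_UNSUPPORTED || r == XATTR_ERROR);
    }
    return bad; /* non-zero if any directory failed the check */
}
```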