Comment 1 for bug 278290

Tyler Hicks (tyhicks) wrote :

The Fedora 9 selinux-policy-3.3.1-95.fc9.noarch package carries a patch against the upstream reference policy to make all eCryptfs mount points inherit the 'system_u:object_r:ecryptfs_t:s0' label. All files created inside of the mount point get that label, too. I don't know if other distros are doing something similar, but it would be helpful if that patch was included in the upstream reference policy.

Once the eCryptfs mount point is labeled correctly, it would be up to the policy for the backup program (or it could be done in a local policy module) to deny the backup program's access to directories with the ecryptfs_t type. The labels on the files in the lower filesystem are preserved, so there are really no changes that need to be made to eCryptfs.
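
The policy approach in the comment above only works if every eCryptfs mount actually carries the `ecryptfs_t` type. The following check is an added example, not part of the original comment or of any project's code. The `CONTEXT_MAP` override, the sample paths and the `user_home_t` label in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag eCryptfs mounts that did not get the ecryptfs_t type,
# since policy rules keyed on that type would not apply to them.

# The type is the third colon-separated field of user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Context lookup. Real use: GNU stat (%C prints the SELinux context).
# If CONTEXT_MAP names a file of "path context" lines, read that instead
# (an assumption made here so the check can run on constructed data).
get_context() {
    if [ -n "${CONTEXT_MAP:-}" ]; then
        awk -v p="$1" '$1 == p { print $2 }' "$CONTEXT_MAP"
    else
        stat -c %C "$1" 2>/dev/null
    fi
}

# Print "mountpoint type" for each eCryptfs mount whose type is not
# ecryptfs_t; return 1 if any were found. $1 is a /proc/mounts-format file.
audit_ecryptfs_labels() {
    rc=0
    for raw in $(awk '$3 == "ecryptfs" { print $2 }' "${1:-/proc/mounts}"); do
        mp=$(printf '%b' "$raw")      # decode \040-style escapes
        t=$(selinux_type "$(get_context "$mp")")
        if [ "$t" != "ecryptfs_t" ]; then
            printf '%s %s\n' "$mp" "${t:-unknown}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample data: one correctly labeled mount, one that is not.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
      '/home/a/.Private /home/a/Private ecryptfs rw 0 0' \
      '/home/b/.Private /home/b/Private ecryptfs rw 0 0' \
      '/dev/sda1 / ext4 rw 0 0' > "$d/mounts"
    printf '%s\n' \
      '/home/a/Private system_u:object_r:ecryptfs_t:s0' \
      '/home/b/Private system_u:object_r:user_home_t:s0' > "$d/ctx"
    status=0
    CONTEXT_MAP="$d/ctx" audit_ecryptfs_labels "$d/mounts" || status=$?
    rm -rf "$d"
    return "$status"
}
```

On a live system, source the file and call `audit_ecryptfs_labels` with no arguments to read `/proc/mounts` and query labels through `stat`; `demo` runs the same check on the constructed data.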