eCryptfs

Bug #278290
Comment #7

Comment 7 for bug 278290

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2009-04-14:

Dustin - Can you give some more details on what you're looking for?

I just took a look at a f10 and RHEL 5.3 system and did a quick eCryptfs mount to see how files were labeled. To my surprise, they were handled differently.

I did an eCryptfs mount with ecryptfs_passthrough enabled. I created a file in the lower filesystem (plain.file), meaning it is a regular non-eCryptfs file, and then created a file in the upper filesystem (ecryptfs.file), so it got the full eCryptfs treatment. Here's the results:

Mount details:
---
/root/lower on /root/upper type ecryptfs (rw,ecryptfs_sig=7fa06f4b66fcde02,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough)
---

RHEL 5.3:
---
[root@idea ~]# ls -Z lower/ upper/
lower/:
-rw-r--r-- root root root:object_r:user_home_t ecryptfs.file
-rw-r--r-- root root root:object_r:user_home_t plain.file

upper/:
-rw-r--r-- root root root:object_r:user_home_t ecryptfs.file
-rw-r--r-- root root root:object_r:user_home_t plain.file
---

f10:
---
[root@bracer4 ~]# ls -Z lower/ upper/
lower/:
-rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 ecryptfs.file
-rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 plain.file

upper/:
-rw-r--r-- root root system_u:object_r:ecryptfs_t:s0 ecryptfs.file
-rw-r--r-- root root system_u:object_r:ecryptfs_t:s0 plain.file
---

Both have their advantages, but the f10 approach is probably broken (this is a policy issue). The f10 way of doing this could be used to deny your backup application access to files of type ecryptfs_t, but giving all files in an eCryptfs mount ecryptfs_t isn't right. In RHEL 5.3, the labels in the lower filesystem are preserved, making existing policy work as expected, but there's no way to differentiate the encrypted and decrypted files by using the labels.

What changes would you like to see?

When thinking about your encrypted $HOME/Private implementation, you have all of the encrypted files tucked away under the upper mount point. Would it be helpful to have policy rules saying that rsync_t should read the encrypted versions of the files? It seems like that would be difficult without giving the files in the eCryptfs mount a different label (such as what's being done in f10).

Dustin - Can you give some more details on what you're looking for?

I just took a look at a f10 and RHEL 5.3 system and did a quick eCryptfs mount to see how files were labeled.  To my surprise, they were handled differently.

I did an eCryptfs mount with ecryptfs_passthrough enabled.  I created a file in the lower filesystem (plain.file), meaning it is a regular non-eCryptfs file, and then created a file in the upper filesystem (ecryptfs.file), so it got the full eCryptfs treatment.  Here's the results:

Mount details:
---
/root/lower on /root/upper type ecryptfs (rw,ecryptfs_sig=7fa06f4b66fcde02,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough)
---

RHEL 5.3:
---
[root@idea ~]# ls -Z lower/ upper/
lower/:
-rw-r--r--  root root root:object_r:user_home_t        ecryptfs.file
-rw-r--r--  root root root:object_r:user_home_t        plain.file

upper/:
-rw-r--r--  root root root:object_r:user_home_t        ecryptfs.file
-rw-r--r--  root root root:object_r:user_home_t        plain.file
---

f10:
---
[root@bracer4 ~]# ls -Z lower/ upper/
lower/:
-rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 ecryptfs.file
-rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 plain.file

upper/:
-rw-r--r--  root root system_u:object_r:ecryptfs_t:s0  ecryptfs.file
-rw-r--r--  root root system_u:object_r:ecryptfs_t:s0  plain.file
---

Both have their advantages, but the f10 approach is probably broken (this is a policy issue).  The f10 way of doing this could be used to deny your backup application access to files of type ecryptfs_t, but giving all files in an eCryptfs mount ecryptfs_t isn't right.  In RHEL 5.3, the labels in the lower filesystem are preserved, making existing policy work as expected, but there's no way to differentiate the encrypted and decrypted files by using the labels.

What changes would you like to see?

When thinking about your encrypted $HOME/Private implementation, you have all of the encrypted files tucked away under the upper mount point.  Would it be helpful to have policy rules saying that rsync_t should read the encrypted versions of the files?  It seems like that would be difficult without giving the files in the eCryptfs mount a different label (such as what's being done in f10).