So, I'm playing some with unionfs (http://www.fsl.cs.sunysb.edu/project-unionfs.html), which works fine with SELinux as long as the underlying filesystems that you're using in the union all support xattrs.

Which brings us to tmpfs. The way xattrs appear to work on tmpfs is that the VFS tries the getxattr op of tmpfs (which fails, as it doesn't exist), and then does an end-run around in the selinux code to get an attribute, as long as you're only looking for the security xattr. This means that anything on tmpfs can have a xattr retrieved from userspace just fine with getxattr(2), but if you try and get it in the kernel via 'normal' means (such as the inode's getxattr method), it will fail. This breaks tmpfs as part of a unionfs branch pretty badly.

Why was xattrs-on-tmpfs done this way? It seems somewhat hackish. I could theoretically patch unionfs to call the vfs method, but... ew.

Bill
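The lookup behaviour this message describes, as an added userspace model (not kernel or unionfs code, and not part of the original post). The struct, the function names and the sample label are hypothetical; the model only contrasts a lookup through the VFS path with a direct call to the lower inode's getxattr op.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Simplified model; all names here are hypothetical, not kernel symbols. */
struct inode {
    ssize_t (*getxattr)(struct inode *, const char *, char *, size_t); /* NULL: fs has no xattr op */
    const char *fs_label;   /* label stored by the filesystem itself */
    const char *lsm_label;  /* label the security module keeps in memory */
};

static ssize_t copy_out(const char *s, char *buf, size_t size)
{
    size_t n = strlen(s);
    if (n > size) return -ERANGE;
    memcpy(buf, s, n);
    return (ssize_t)n;
}

/* xattr op of a filesystem that stores xattrs on its own */
static ssize_t disk_getxattr(struct inode *i, const char *name, char *buf, size_t size)
{
    if (strcmp(name, "security.selinux") != 0) return -ENODATA;
    return copy_out(i->fs_label, buf, size);
}

/* Path taken by getxattr(2): try the inode op, then ask the security module for security.* */
static ssize_t model_vfs_getxattr(struct inode *i, const char *name, char *buf, size_t size)
{
    ssize_t ret = -EOPNOTSUPP;
    if (i->getxattr) ret = i->getxattr(i, name, buf, size);
    if (ret < 0 && strncmp(name, "security.", 9) == 0 && i->lsm_label)
        ret = copy_out(i->lsm_label, buf, size);
    return ret;
}

/* What a stacking filesystem sees when it calls the lower inode op directly */
static ssize_t model_direct_getxattr(struct inode *i, const char *name, char *buf, size_t size)
{
    if (!i->getxattr) return -EOPNOTSUPP;
    return i->getxattr(i, name, buf, size);
}

int main(void)
{
    struct inode tmpfs = { NULL, NULL, "system_u:object_r:tmpfs_t" }; /* constructed sample */
    char buf[64];
    printf("direct=%zd vfs=%zd\n", model_direct_getxattr(&tmpfs, "security.selinux", buf, sizeof buf),
           model_vfs_getxattr(&tmpfs, "security.selinux", buf, sizeof buf));
    return 0;
}
```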