Ok. Here's a temporary patch that makes everything except looking at
the Smack label work properly. I haven't signed it off because I
don't think it's ready for prime-time, but if the problem is holding
anyone up it will allow them to proceed.

Casey Schaufler

---
 security/smack/smack_lsm.c |   23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2016,6 +2016,17 @@ static void smack_d_instantiate(struct d
 
 	sbp = inode->i_sb;
 	sbsp = sbp->s_security;
+
+	/*
+	 * If the superblock isn't initialized someone
+	 * has cobbled together a filesystem that never
+	 * got mounted.
+	 */
+	if (sbsp->smk_initialized == 0) {
+		isp->smk_inode = smack_known_star.smk_known;
+		isp->smk_flags |= SMK_INODE_INSTANT;
+		goto unlockandout;
+	}
 	/*
 	 * We're going to use the superblock default label
 	 * if there's no label on the file.
@@ -2055,6 +2066,18 @@ static void smack_d_instantiate(struct d
 		 */
 		final = smack_known_star.smk_known;
 		break;
+	case 0:
+	case UNIONFS_SUPER_MAGIC:
+		/*
+		 * It seems that unionfs uses a fake superblock
+		 * and doesn't set the magic number therein.
+		 * Assume that an unset magic number is unionfs.
+		 *
+		 * Let the real filesystem inodes provide the
+		 * Smack label on access checks.
+		 */
+		final = smack_known_star.smk_known;
+		break;
 	case DEVPTS_SUPER_MAGIC:
 		/*
 		 * devpts seems content with the label of the task.