
XFS and ACLs - easy one [SOLVED]

Posted: Mon Jan 31, 2005 11:15 am
by petlab
Could someone tell me about XFS and ACLs?

Do I need to do something special when creating the xfs filesystem? Can I do it afterwards?

I do know about enabling ACLs in the kern under fs and what is covered in the quickstarts under grsec and PaX. I am using PaX and grsec under kern 2.6.10-hardened-r3 and x86_64.

Thanks

Re: XFS and ACLs - easy one

Posted: Tue Feb 01, 2005 9:21 am
by Dwokfur
petlab wrote: Could someone tell me about XFS and ACLs?

Do I need to do something special when creating the xfs filesystem? Can I do it afterwards?

I do know about enabling ACLs in the kern under fs and what is covered in the quickstarts under grsec and PaX. I am using PaX and grsec under kern 2.6.10-hardened-r3 and x86_64.

Thanks


The Gentoo SELinux handbook http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?part=1&chap=4 suggests creating xfs filesystems with option i=512 like this:
mkfs.xfs -i size=512

The reason is explained here:
http://www.crypt.gen.nz/selinux/faq.html#WWW.2
For xfs, the default Inode size is 256 bytes, which is not enough to fit the "security.selinux" XATTR name and its data (as about 200 bytes is used for other stuff). So the XATTR won't fit in the Inode and will need a block of its own which is 4096 bytes on i386. Having 4096 bytes per file for the SE Linux XATTR is a huge waste of disk space.
If you use the option "-isize=512" when making an XFS file system then the SE Linux XATTR will fit in the Inode. On some Inodes the extra space can be used for other things as well, so you won't necessarily have 256 - (XATTR size) bytes of disk space going unused.
[Russell Coker]


Unlike SELinux, grsecurity does not utilize xattr space, so you can probably run grsecurity fine on an average xfs file system.

Regards,
Dw.
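
An added example, not part of the original thread: a way to check whether an existing XFS filesystem already has the 512-byte inodes recommended in the quoted FAQ, by reading the isize= field that xfs_info prints. XFS fixes the inode size when the filesystem is made, so this is worth checking before relying on in-inode xattrs. The function names and the sample xfs_info line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). xfs_isize and check_isize are
# hypothetical helper names; SAMPLE is constructed, not real system output.

# Read xfs_info output on stdin and print the inode size (the isize= field).
# Prints nothing if no isize= field is present.
xfs_isize() {
    sed -n 's/.*[[:space:]]isize=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify an inode size against the 512-byte recommendation.
# Prints "ok" (>= 512), "small" (< 512) or "unknown" (empty or non-numeric).
check_isize() {
    case "$1" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$1" -ge 512 ]; then
        echo ok
    else
        echo small
    fi
}

# Constructed sample of the first line of xfs_info output.
SAMPLE='meta-data=/dev/sdb1              isize=256    agcount=4, agsize=65536 blks'

# On a live system, replace the printf with: xfs_info /mount/point
size=$(printf '%s\n' "$SAMPLE" | xfs_isize)
echo "isize=${size:-?} -> $(check_isize "$size")"
```

A result of "small" means the security.selinux xattr described in the FAQ would spill out of the inode into its own block on that filesystem.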