# XFS kernel options in Gentoo hardened/SELinux?

## CoderMan

Hey there, I'm in the middle of trying to set up a Gentoo hardened/SELinux system. (This is definitely my first time attempting this.) I'm following the SELinux handbook, and I'm concerned about some disparity involving the kernel configuration. The [kernel configuration instructions](http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=2) in the documentation list the following settings that should be set in the kernel for the XFS file system (which I use):

```
<*> XFS filesystem support (If using XFS)
[ ]   Realtime support (EXPERIMENTAL)
[ ]   Quota support
[ ]   ACL support
[*]   Security Labels
```

However, these are the actual available options in "Linux Kernel v2.6.28-hardened-r9" (through menuconfig):

```
<*> XFS filesystem support
[ ]   XFS Quota support
[ ]   XFS POSIX ACL support
[ ]   XFS Realtime subvolume support
[ ]   XFS Debugging support (EXPERIMENTAL)
```

There is no Security Labels option. Does this mean that Security Labels for XFS are simply required now? Or does it mean that XFS is no longer supported for SELinux? I remember reading that there were some issues with XFS/SELinux under the .15 and .16 kernels, but I thought those issues were dealt with.

I would appreciate any clarification here, as I am already a total SELinux n00b and don't want to have this messing things up for me down the road. Here is the emerge info, though keep in mind I am still in the LiveCD (after chrooting):

```
<BATMAN> livecd / # emerge --info
Portage 2.1.7.17 (selinux/2007.0/amd64/hardened, gcc-4.3.4, glibc-2.10.1-r1, 2.6.31-gentoo-r10 x86_64)
=================================================================
System uname: Linux-2.6.31-gentoo-r10-x86_64-Intel-R-_Core-TM-_i7_CPU_860_@_2.80GHz-with-gentoo-1.12.13
Timestamp of tree: Thu, 25 Mar 2010 23:15:02 +0000
app-shells/bash:     4.0_p35
dev-lang/python:     2.6.4-r1
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.10.3
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -msse4 -mcx16 -msahf -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -msse4 -mcx16 -msahf -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages loadpolicy news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://gentoo.arcticnetwork.ca/pub/gentoo/ "
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j7"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="amd64 bash-completion berkdb cli cracklib crypt cxx dri emacs fortran hardened iconv ipv6 mmx modules mudflap ncurses nls openmp pam pcre perl pic pppd python readline reflection selinux session spl sse sse2 ssl tcpd xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
```
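A way to check the two menus above against the actual kernel config symbols, rather than the menuconfig labels, is to read the kernel's own config. The script below is an added example and is not part of the post or the Gentoo handbook. It assumes the config is exposed at `/proc/config.gz` or `/boot/config-$(uname -r)`; when neither is readable it falls back to a constructed sample fragment that models the 2.6.28 menu shown in the post. `CONFIG_XFS_SECURITY` is assumed here to be the symbol behind the handbook's "Security Labels" entry in older kernels; reporting it as `absent` on a newer kernel distinguishes "the option was dropped from the menu" from "the option is explicitly off". The final check, which needs the `attr` package's `getfattr`, reads the `security.selinux` attribute of a file to confirm the mounted filesystem actually carries labels, which is what matters to SELinux at runtime.

```shell
#!/bin/sh
# Constructed sample .config fragment (not from the poster's system). It models
# the 2.6.28-era XFS menu: the older CONFIG_XFS_SECURITY line is simply absent.
SAMPLE_CONFIG='
CONFIG_XFS_FS=y
# CONFIG_XFS_QUOTA is not set
# CONFIG_XFS_POSIX_ACL is not set
# CONFIG_XFS_RT is not set
# CONFIG_XFS_DEBUG is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
'

# config_state SYMBOL CONFIG_TEXT
# Prints y (built in), m (module), n ("is not set"), or absent (the kernel
# does not know the symbol at all, e.g. it was removed from Kconfig).
config_state() {
    sym="$1"; cfg="$2"
    if printf '%s\n' "$cfg" | grep -q "^${sym}=y$"; then
        echo y
    elif printf '%s\n' "$cfg" | grep -q "^${sym}=m$"; then
        echo m
    elif printf '%s\n' "$cfg" | grep -q "^# ${sym} is not set$"; then
        echo n
    else
        echo absent
    fi
}

# running_config: the live kernel's config where it is exposed, else the sample.
running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        printf '%s\n' "$SAMPLE_CONFIG"
    fi
}

# xfs_selinux_report CONFIG_TEXT: one line per symbol of interest.
xfs_selinux_report() {
    cfg="$1"
    for sym in CONFIG_XFS_FS CONFIG_XFS_QUOTA CONFIG_XFS_POSIX_ACL CONFIG_XFS_RT \
               CONFIG_XFS_DEBUG CONFIG_XFS_SECURITY CONFIG_SECURITY \
               CONFIG_SECURITY_SELINUX; do
        printf '%-26s %s\n' "$sym" "$(config_state "$sym" "$cfg")"
    done
}

# label_check PATH: print the security.selinux label stored on PATH, or
# "unlabeled" if the filesystem holds none, or "unavailable" without getfattr.
label_check() {
    if ! command -v getfattr >/dev/null 2>&1; then
        echo unavailable
        return
    fi
    label=$(getfattr -n security.selinux --only-values "$1" 2>/dev/null) || label=""
    [ -n "$label" ] && echo "$label" || echo unlabeled
}

# Stand-alone usage: report the running (or sample) config, then probe /.
xfs_selinux_report "$(running_config)"
echo "label on /: $(label_check /)"
```

Reading the report, `y` for `CONFIG_XFS_FS` and `CONFIG_SECURITY_SELINUX` with `absent` for `CONFIG_XFS_SECURITY` is the pattern of a kernel whose XFS menu no longer has a separate labels toggle; the `label_check` line then shows whether files on the volume actually carry a context.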

----------

## CoderMan

I think I found some of the options I was looking for nested away. It seems that the SELinux documentation is about four years old. Everybody on IRC is telling me I should use grsecurity, and I'm thinking about going that route. So I guess this thread is "Solved".

----------

