Hi Anthony,

On Thu, Jun 6, 2013, at 0:23, Anthony G. Basile wrote:
> Hi everyone,
>
> I'm writing about an issue that came up in Gentoo wrt coreutils' install
> [1]. There we are working on moving PaX security markings [2] from our
> systems' ELF program headers to an extended attribute field named
> "user.pax.flags". The advantage of leaving the markings in the ELF the
> way we had it is that they always travel with the executables/libraries,
> but the disadvantage is that it makes our ELF objects less in line with
> what you get on other linux distros with all the issues that come with
> that.
>
> The problem we encountered is that for some packages, we need to do the
> xattr pax markings *before* running install in our package management
> system. For example we need to mark python to run correctly under a
> kernel enforcing PaX. But we need to mark it before running tests and
> therefore before install.
>
> The problem comes because coreutils' install does not have a --preserve=
> option like cp does. It does have --preserve-context for SELinux but
> not a more general preserve option for extended attributes. In many
> ways, xattr PaX markings follow the same design principles as SELinux
> security labels.
>
> I'd like to propose adding a --preserve= to install. Comments?

I'm working on SMACK LSM support for various commands in coreutils. I work
at Intel/OTC and we are using SMACK in Tizen. For 'id' and 'ls' I needed to
create patches to show the right security context, but for 'cp' I don't have
to do anything because '--preserve=xattr' is perfectly adequate for us. I
think, if there was the same option for 'install', we would not have to do
anything for that either.

/Jarkko

>
> Ref.
> [1] https://bugs.gentoo.org/show_bug.cgi?id=470660
> [2] http://en.wikipedia.org/wiki/PaX
>
> --
> Anthony G. Basile, Ph. D.
> Chair of Information Technology
> D'Youville College
> Buffalo, NY 14201
> (716) 829-8197
>
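The point both messages turn on is that a security marking stored in a user.* extended attribute only protects anything if it survives the copy step, and that a data-only copy (what install does without a --preserve option) silently drops it. The following is an added example, not code from the thread or from coreutils: it marks a scratch file with user.pax.flags, copies it once data-only and once with metadata, and reports which copy kept the marking. It relies on Linux-only os.setxattr/os.getxattr and on shutil.copy2, which on Linux copies extended attributes; the flag value "PEMRS" and the fake ELF content are constructed placeholders.

```python
"""Added example: verify that a copy preserved a user.* xattr such as
Gentoo's user.pax.flags marking. Not part of the original thread."""
import errno
import os
import shutil
import tempfile

PAX_ATTR = "user.pax.flags"


def xattr_supported(path):
    """Return True if the filesystem holding `path` accepts user.* xattrs.

    Probes with a throwaway attribute; tmpfs on older kernels and some
    container filesystems reject user.* attributes with ENOTSUP.
    """
    try:
        os.setxattr(path, "user.probe", b"1")
        os.removexattr(path, "user.probe")
        return True
    except OSError as e:
        if e.errno in (errno.ENOTSUP, errno.EPERM, errno.EACCES):
            return False
        raise


def read_pax_flags(path):
    """Return the PaX marking on `path` as a string, or None if absent."""
    try:
        return os.getxattr(path, PAX_ATTR).decode()
    except OSError as e:
        if e.errno == errno.ENODATA:
            return None
        raise


def compare_copies(flags=b"PEMRS"):
    """Copy a marked file two ways and report which copy kept the marking.

    Returns a dict {"copyfile": ..., "copy2": ...} holding the marking found
    on each copy (None when missing), or None when the filesystem does not
    support user xattrs at all, so a caller can tell "unsupported" apart
    from "dropped". `flags` is a constructed placeholder value.
    """
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "prog")
        with open(src, "wb") as f:
            # Constructed stand-in for an ELF object; not a real binary.
            f.write(b"\x7fELF stand-in, constructed for the example\n")
        if not xattr_supported(src):
            return None
        os.setxattr(src, PAX_ATTR, flags)

        plain = os.path.join(d, "plain")
        full = os.path.join(d, "full")
        # Data only: this is what install(1) does without a --preserve option.
        shutil.copyfile(src, plain)
        # Data plus metadata: on Linux shutil.copy2 also copies xattrs,
        # comparable to `cp --preserve=xattr`.
        shutil.copy2(src, full)
        return {"copyfile": read_pax_flags(plain), "copy2": read_pax_flags(full)}


if __name__ == "__main__":
    result = compare_copies()
    if result is None:
        print("user.* xattrs not supported on this filesystem")
    else:
        for name, value in result.items():
            status = "kept" if value else "DROPPED"
            print(f"{name:9s} {PAX_ATTR}={value!r} ({status})")
```

The same check is what a package manager would run after its install step: if read_pax_flags on the installed path returns None where the build tree had a marking, the marking was lost in the copy and the binary will run without the intended PaX restrictions.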
