On 06/05/2013 10:23 PM, Anthony G. Basile wrote:
> Hi everyone,
>
> I'm writing about an issue that came up in Gentoo wrt coreutil's install [1].
> There we are working on moving PaX security markings [2] from our systems'
> ELF program headers to an extended attribute field named "user.pax.flags".
> The advantage of leaving the markings in the ELF the way we had it is that
> they always travel with the executables/libraries, but the disadvantage is
> that it makes our ELF objects less in line with what you get on other linux
> distros with all the issues that come with that.
>
> The problem we encountered is that for some packages, we need to do the xattr
> pax markings *before* running install in our package management system. For
> example we need to mark python to run correctly under a kernel enforcing PaX.
> But we need to mark it before running tests and therefore before install.
>
> The problem comes because coreutil's install does not have a --preserve=
> option like cp does. It does have --preserve-context for SELinux but not a
> more general preserve option for extended attributes. In many ways, xattr
> PaX markings follow the same design principles as SELinux security labels.
>
> I'd like to propose adding a --preserve= to install. Comments?
>
>
> Ref.
> [1] https://bugs.gentoo.org/show_bug.cgi?id=470660
> [2] http://en.wikipedia.org/wiki/PaX
>

It's a pity that install doesn't have --preserve= rather than --preserve-context.

If we added --preserve= we'd also have to consider/doc consequences for --compare.

I don't suppose you could use `cp` rather than `install` for this use case?

cheers,
Pádraig.
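
The behaviour discussed in this thread, as an added example that is not part of either message and not coreutils or Gentoo code: it marks a file with `user.pax.flags`, shows that a plain `install` leaves the copy unmarked, and shows a hypothetical helper (`install_keep_user_xattrs`) that re-applies `user.*` attributes after `install`. The flag value and file names are constructed, and it assumes Linux with a filesystem that accepts user xattrs.

```python
import errno
import os
import shutil
import subprocess

PAX_XATTR = "user.pax.flags"   # attribute name used in the thread
SAMPLE_FLAGS = b"em"           # constructed sample value, not taken from the thread


def read_xattr(path, name):
    """Return the xattr value, or None when the file does not carry it."""
    try:
        return os.getxattr(path, name)
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return None
        raise


def install_keep_user_xattrs(src, dst, mode="0755"):
    """Hypothetical helper: run install, then re-apply src's user.* xattrs to dst."""
    subprocess.run(["install", "-m", mode, src, dst], check=True)
    copied = [n for n in os.listxattr(src) if n.startswith("user.")]
    for name in copied:
        os.setxattr(dst, name, os.getxattr(src, name))
    return copied


def demo(workdir):
    """Return (marking after plain install, marking after the helper),
    or None when install or user xattrs are unavailable in workdir."""
    if shutil.which("install") is None or not hasattr(os, "setxattr"):
        return None
    src = os.path.join(workdir, "built-binary")
    with open(src, "wb") as fh:
        fh.write(b"#!/bin/sh\nexit 0\n")
    try:
        os.setxattr(src, PAX_XATTR, SAMPLE_FLAGS)   # mark before "install"
    except OSError:
        return None                                  # filesystem lacks user xattrs
    plain = os.path.join(workdir, "plain")
    kept = os.path.join(workdir, "kept")
    subprocess.run(["install", "-m", "0755", src, plain], check=True)
    install_keep_user_xattrs(src, kept)
    return read_xattr(plain, PAX_XATTR), read_xattr(kept, PAX_XATTR)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))
```

A missing marking is silent: the installed file is byte-identical and has the right mode, so a post-install check has to read the attribute itself, as `read_xattr` does here.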
