On 06/06/2013 08:35 AM, Pádraig Brady wrote:
> On 06/05/2013 10:23 PM, Anthony G. Basile wrote:
>> Hi everyone,
>> I'm writing about an issue that came up in Gentoo wrt coreutils' install [1]. There we
>> are working on moving PaX security markings [2] from our systems' ELF program headers to
>> an extended attribute field named "user.pax.flags". The advantage of leaving
>> the markings in the ELF the way we had it is that they always travel with the
>> executables/libraries, but the disadvantage is that it makes our ELF objects less in line
>> with what you get on other Linux distros with all the issues that come with that.
>> The problem we encountered is that for some packages, we need to do the xattr
>> pax markings *before* running install in our package management system. For
>> example we need to mark python to run correctly under a kernel enforcing PaX.
>> But we need to mark it before running tests and therefore before install.
>> The problem comes because coreutils' install does not have a --preserve= option
>> like cp does. It does have --preserve-context for SELinux but not a more
>> general preserve option for extended attributes. In many ways, xattr PaX
>> markings follow the same design principles as SELinux security labels.
>> I'd like to propose adding a --preserve= to install. Comments?
>> Ref.
>> [1] https://bugs.gentoo.org/show_bug.cgi?id=470660
>> [2] http://en.wikipedia.org/wiki/PaX
>
> It's a pity that install doesn't have --preserve=
> rather than --preserve-context
> If we added --preserve= we'd also have to
> consider/doc consequences for --compare
> I don't suppose you could use `cp`
> rather than `install` for this use case?
> cheers,
> Pádraig.

Using cp instead of install would be a long shot here for our package
manager people but I can talk to them. I'm bothered by the asymmetry
between cp and install because I'd like my "make install" to be able to
have options to preserve metadata selectively, ownership, perms and xattrs.
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
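
The gap discussed in this thread, as an added example that is not part of the original messages and is not coreutils or Gentoo code: a Linux-only Python sketch of an install-like copy that carries "user.pax.flags" from the built file to the installed one. The function names and the choice to copy only that one attribute by default are assumptions made for illustration.

```python
import errno
import os
import shutil
import tempfile

PAX_XATTR = "user.pax.flags"  # attribute name taken from the thread


def copy_xattrs(src, dst, keep=lambda name: True):
    """Copy the extended attributes selected by `keep` from src to dst.

    Returns the names copied. A source filesystem without xattr support is
    treated as "no attributes"; a destination that cannot store a selected
    attribute raises OSError, so a marking is never dropped silently.
    """
    try:
        names = os.listxattr(src)
    except OSError as exc:
        if exc.errno != errno.ENOTSUP:
            raise
        return []
    copied = []
    for name in names:
        if keep(name):
            os.setxattr(dst, name, os.getxattr(src, name))
            copied.append(name)
    return copied


def install_preserving(src, dst, mode=0o755, keep=lambda n: n == PAX_XATTR):
    """install(1)-like copy that also carries selected xattrs (hypothetical helper).

    The file is assembled under a temporary name and renamed into place, so
    it never appears at `dst` without its marking.
    """
    dst_dir = os.path.dirname(os.path.abspath(dst))
    fd, tmp = tempfile.mkstemp(dir=dst_dir)
    os.close(fd)
    try:
        shutil.copyfile(src, tmp)             # data only, no metadata
        copied = copy_xattrs(src, tmp, keep)  # before chmod: user.* needs write access
        os.chmod(tmp, mode)
        os.replace(tmp, dst)                  # atomic within one filesystem
    except BaseException:
        os.unlink(tmp)
        raise
    return copied
```

Setting the attributes before `chmod` matters for an unprivileged caller: writing a `user.*` attribute requires write permission on the file, which a final mode such as 0555 would remove.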