I would definitely support this, but it has to remain flexible. We do not always want to copy all security.* attributes; sometimes this isn't even allowed.

For instance, security.ima and security.evm are managed primarily by the IMA/EVM subsystem in the Linux kernel. The SELinux attributes might not be allowed to be changed. Yet some other attributes might be better to install with them, like the POSIX ACLs.

Wkr,
Sven Vermeulen

"Anthony G. Basile" <[email protected]> wrote:
> Hi everyone,
>
> I'm writing about an issue that came up in Gentoo wrt coreutils'
> install [1]. There we are working on moving PaX security markings [2]
> from our systems' ELF program headers to an extended attribute field
> named "user.pax.flags". The advantage of leaving the markings in the
> ELF the way we had it is that they always travel with the
> executables/libraries, but the disadvantage is that it makes our ELF
> objects less in line with what you get on other linux distros with all
> the issues that come with that.
>
> The problem we encountered is that for some packages, we need to do the
> xattr pax markings *before* running install in our package management
> system. For example we need to mark python to run correctly under a
> kernel enforcing PaX. But we need to mark it before running tests and
> therefore before install.
>
> The problem comes because coreutils' install does not have a
> --preserve= option like cp does. It does have --preserve-context for
> SELinux but not a more general preserve option for extended attributes.
> In many ways, xattr PaX markings follow the same design principles as
> SELinux security labels.
>
> I'd like to propose adding a --preserve= to install. Comments?
>
>
> Ref.
> [1] https://bugs.gentoo.org/show_bug.cgi?id=470660
> [2] http://en.wikipedia.org/wiki/PaX
>
> --
> Anthony G. Basile, Ph. D.
> Chair of Information Technology
> D'Youville College
> Buffalo, NY 14201
> (716) 829-8197

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
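As an added illustration of the selective preservation Sven argues for (this is example code written for this page, not coreutils code and not anything from the Gentoo bug), the Python below implements an "install with --preserve=" in userland: it copies a file and then carries over only the classes of extended attributes the caller asked for, never touching security.ima/security.evm, and tolerating a refused write on the SELinux label instead of aborting. The class names ("user", "acl", "context", "all"), the helper names, and the "m" marking value on the constructed stand-in for python's binary are this example's own assumptions, modelled loosely on cp's --preserve= but not taken from any coreutils option. It needs Linux and a filesystem with user xattrs enabled; where those are absent the demo returns None rather than failing.

```python
import errno
import os
import shutil
import tempfile

# Attributes the kernel's IMA/EVM subsystem maintains itself; a copy must
# never try to rewrite them (they are regenerated on write anyway).
KERNEL_MANAGED = ("security.ima", "security.evm")
SELINUX_LABEL = "security.selinux"


def select_xattrs(names, preserve):
    """Return, in input order, the xattr names that should be carried over.

    preserve is a set of classes (names are this example's own assumption):
      "user"    - the user.* namespace, e.g. Gentoo's user.pax.flags
      "acl"     - POSIX ACLs, stored as system.posix_acl_access/default
      "context" - the SELinux label (what install --preserve-context copies)
      "all"     - everything except the IMA/EVM attributes above
    """
    keep = []
    for name in names:
        if name in KERNEL_MANAGED:
            continue
        if "all" in preserve:
            keep.append(name)
        elif name.startswith("user.") and "user" in preserve:
            keep.append(name)
        elif name.startswith("system.posix_acl_") and "acl" in preserve:
            keep.append(name)
        elif name == SELINUX_LABEL and "context" in preserve:
            keep.append(name)
    return keep


def copy_with_xattrs(src, dst, preserve):
    """Copy src to dst and carry over the selected xattrs; return what was copied.

    An attribute the filesystem or a security policy refuses to set
    (EPERM/EACCES/ENOTSUP, e.g. an SELinux label under a policy that forbids
    relabeling) is skipped rather than turned into a failed install.
    """
    shutil.copyfile(src, dst)  # content only; copyfile does not copy xattrs
    try:
        names = os.listxattr(src)
    except OSError as e:
        if e.errno == errno.ENOTSUP:
            return []
        raise
    copied = []
    for name in select_xattrs(names, preserve):
        try:
            os.setxattr(dst, name, os.getxattr(src, name))
        except OSError as e:
            if e.errno in (errno.EPERM, errno.EACCES, errno.ENOTSUP):
                continue
            raise
        copied.append(name)
    return copied


def demo():
    """Mark a constructed file with a PaX xattr, then install it two ways.

    Returns (flags on the preserving copy, flags on a plain copy), or None
    when the platform or the temp filesystem offers no user xattrs.
    """
    if not hasattr(os, "setxattr"):
        return None
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "python")
        dst = os.path.join(d, "python.preserved")
        plain = os.path.join(d, "python.plain")
        with open(src, "wb") as f:
            f.write(b"\x7fELF")  # constructed stand-in for an ELF object
        try:
            # "m" is used here only as a constructed example marking value.
            os.setxattr(src, "user.pax.flags", b"m")
        except OSError as e:
            if e.errno == errno.ENOTSUP:
                return None
            raise
        copy_with_xattrs(src, dst, {"user"})
        shutil.copyfile(src, plain)  # what install without --preserve= does
        try:
            plain_flags = os.getxattr(plain, "user.pax.flags")
        except OSError as e:
            if e.errno != errno.ENODATA:
                raise
            plain_flags = None  # the marking was lost on the plain copy
        return os.getxattr(dst, "user.pax.flags"), plain_flags


if __name__ == "__main__":
    print(demo())
```

The point of the split between select_xattrs and copy_with_xattrs is that the policy (which namespaces travel with the file) is a pure decision that can be tested without a filesystem, while the refusals that Sven mentions (IMA/EVM never, SELinux only when the policy allows it) are handled at the moment of the write, where the kernel is the one saying no.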
