Re: Adding a --preserve= option to install
From: Jarkko Sakkinen
Subject: Re: Adding a --preserve= option to install
Date: Thu, 06 Jun 2013 13:11:03 +0300
Hi Anthony,
On Thu, Jun 6, 2013, at 0:23, Anthony G. Basile wrote:
> Hi everyone,
>
> I'm writing about an issue that came up in Gentoo wrt coreutils' install
> [1]. There we are working on moving PaX security markings [2] from our
> systems' ELF program headers to an extended attribute field named
> "user.pax.flags". The advantage of leaving the markings in the ELF the
> way we had it is that they always travel with the executables/libraries,
> but the disadvantage is that it makes our ELF objects less in line with
> what you get on other linux distros with all the issues that come with
> that.
>
> The problem we encountered is that for some packages, we need to do the
> xattr pax markings *before* running install in our package management
> system. For example we need to mark python to run correctly under a
> kernel enforcing PaX. But we need to mark it before running tests and
> therefore before install.
>
> The problem comes because coreutils' install does not have a --preserve=
> option like cp does. It does have --preserve-context for SELinux but
> not a more general preserve option for extended attributes. In many
> ways, xattr PaX markings follow the same design principles as SELinux
> security labels.
>
> I'd like to propose adding a --preserve= to install. Comments?
I'm working on SMACK LSM support for various commands in coreutils.
I work at Intel/OTC and we are using SMACK in Tizen.
For 'id' and 'ls' I needed to create patches to show the right security
context, but for 'cp' I don't have to do anything because
'--preserve=xattr' is perfectly adequate for us. I think, if there
was the same option for 'install', we would not have to do anything for
that either.
/Jarkko
>
>
> Ref.
> [1] https://bugs.gentoo.org/show_bug.cgi?id=470660
> [2] http://en.wikipedia.org/wiki/PaX
>
> --
> Anthony G. Basile, Ph. D.
> Chair of Information Technology
> D'Youville College
> Buffalo, NY 14201
> (716) 829-8197
>
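
The gap discussed in this thread, as an added example that is not part of the original messages or of coreutils: an install-like copy in Python that sets the mode and then carries `user.*` extended attributes such as `user.pax.flags` over to the destination. The function names, the sample file and the marking value `b"em"` are assumptions made for illustration.

```python
import errno
import os
import shutil
import tempfile

PAX_ATTR = "user.pax.flags"  # attribute name taken from the thread


def copy_xattrs(src, dst, namespace="user."):
    """Copy xattrs in `namespace` from src to dst; return {name: value} copied."""
    copied = {}
    if not hasattr(os, "listxattr"):        # xattr calls are Linux-only in Python
        return copied
    try:
        names = os.listxattr(src)
    except OSError as e:
        if e.errno in (errno.ENOTSUP, errno.ENOSYS):
            return copied                   # filesystem without xattr support
        raise
    for name in names:
        # security.* / trusted.* need privileges, so only user.* is copied here
        if name.startswith(namespace):
            value = os.getxattr(src, name)
            os.setxattr(dst, name, value)
            copied[name] = value
    return copied


def install_preserving_xattrs(src, dst, mode=0o755):
    """Hypothetical stand-in for `install -m MODE src dst` that keeps user.* xattrs."""
    shutil.copyfile(src, dst)               # contents only; xattrs are not copied
    os.chmod(dst, mode)
    return copy_xattrs(src, dst)


def demo():
    """Mark a constructed file, install it, return (supported, copied, mode)."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "python"), os.path.join(d, "installed")
        with open(src, "wb") as f:
            f.write(b"\x7fELF constructed sample")
        try:
            os.setxattr(src, PAX_ATTR, b"em")   # constructed marking value
            supported = True
        except (OSError, AttributeError):
            supported = False                   # e.g. tmpfs without user xattrs
        copied = install_preserving_xattrs(src, dst)
        return supported, copied, os.stat(dst).st_mode & 0o777
```

On a filesystem that supports user xattrs, `demo()` shows the marking set before install arriving intact on the installed file.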