[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Adding a --preserve= option to install
|
From: |
Pádraig Brady |
|
Subject: |
Re: Adding a --preserve= option to install |
|
Date: |
Thu, 06 Jun 2013 13:35:41 +0100 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2 |
On 06/05/2013 10:23 PM, Anthony G. Basile wrote:
> Hi everyone,
>
> I'm writing about an issue that came up in Gentoo wrt coreutil's install [1].
> There we are working on moving PaX security markings [2] from our systems'
> ELF program headers to an extended attribute field named "user.pax.flags".
> The advantage of leaving the markings in the ELF the way we had it is that
> they always travel with the executables/libraries, but the disadvantage is
> that it makes our ELF objects less in line with what you get on other linux
> distros with all the issues that come with that.
>
> The problem we encountered is that for some packages, we need to do the xattr
> pax markings *before* running install in our package management system. For
> example we need to mark python to run correctly under a kernel enforcing PaX.
> But we need to mark it before running tests and therefore before install.
>
> The problem comes because coreutil's install does not have a --preserve=
> option like cp does. It does have --preserve-context for SELinux but not a
> more general preserve option for extended attributes. In many ways, xattr
> PaX markings follow the same design principles as SELinux security labels.
>
> I'd like to propose adding a --preserve= to install. Comments?
>
>
> Ref.
> [1] https://bugs.gentoo.org/show_bug.cgi?id=470660
> [2] http://en.wikipedia.org/wiki/PaX
>
It's a pity that install doesn't have --preserve=
rather than --preserve-context
If we added --preserve= we'd also have to
consider/doc consequences for --compare
I don't suppose you could use `cp`
rather than `install` for this use case?
cheers,
Pádraig.