gnuTAR support for SELinux context (beta)

gnuTAR support for SELinux context (beta)

[James Antill]

[-- Attachment #1: Type: text/plain, Size: 678 bytes --]


 This is just a quick note to let you know that we've got beta
packages[1] for creating/extracting tar archives with SELinux context in
them (note that these packages are also based on rawhide, so will have
other changes).
 This should be able to extract any archives you've previously made with
star.

 You can create archives with just selinux context information by using
--selinux, or with full xattr support using --xattrs. In a similar vein
you can ignore any selinux context information by using --no-selinux
when you extract, or --no-xattrs to ignore all xattr information.

[1] http://people.redhat.com/jantill/

-- 
James Antill <jantill@redhat.com>

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: gnuTAR support for SELinux context (beta)

[Stephen John Smoogen]

On 8/1/06, James Antill <jantill@redhat.com> wrote:
>
>  This is just a quick note to let you know that we've got beta
> packages[1] for creating/extracting tar archives with SELinux context in
> them (note that these packages are also based on rawhide, so will have
> other changes).
>  This should be able to extract any archives you've previously made with
> star.
>

You have made your save against Cthulhu's writing of the gnu-tar
source code. [See jwz post from 2+ years ago]. I salute you.. but will
stay on the other side of the room just in case you start sprouting
wings and mouth tentacles.


-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gnuTAR support for SELinux context (beta)

[Stephen Smalley]

On Tue, 2006-08-01 at 13:27 -0400, James Antill wrote:
>  This is just a quick note to let you know that we've got beta
> packages[1] for creating/extracting tar archives with SELinux context in
> them (note that these packages are also based on rawhide, so will have
> other changes).
>  This should be able to extract any archives you've previously made with
> star.
> 
>  You can create archives with just selinux context information by using
> --selinux, or with full xattr support using --xattrs. In a similar vein
> you can ignore any selinux context information by using --no-selinux
> when you extract, or --no-xattrs to ignore all xattr information.
> 
> [1] http://people.redhat.com/jantill/

What about just saving the selinux contexts by default if they are
present on the files being archived (and likewise extracting them by
default if present in the archive)?  Otherwise, users have to take
explicit action to save and restore the file contexts and will continue
to "lose" them by default.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gnuTAR support for SELinux context (beta)

[Stephen John Smoogen]

On 8/1/06, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Tue, 2006-08-01 at 13:27 -0400, James Antill wrote:
> >  This is just a quick note to let you know that we've got beta
> > packages[1] for creating/extracting tar archives with SELinux context in
> > them (note that these packages are also based on rawhide, so will have
> > other changes).
> >  This should be able to extract any archives you've previously made with
> > star.
> >
> >  You can create archives with just selinux context information by using
> > --selinux, or with full xattr support using --xattrs. In a similar vein
> > you can ignore any selinux context information by using --no-selinux
> > when you extract, or --no-xattrs to ignore all xattr information.
> >
> > [1] http://people.redhat.com/jantill/
>
> What about just saving the selinux contexts by default if they are
> present on the files being archived (and likewise extracting them by
> default if present in the archive)?  Otherwise, users have to take
> explicit action to save and restore the file contexts and will continue
> to "lose" them by default.

Doesn't the xattr support use an internally different tar format than
the normal one? [From my reading of the star pages.] Would this stop
it being readable from say Debian, Solaris etc that didn't know about
this format

-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gnuTAR support for SELinux context (beta)

[James Antill]

[-- Attachment #1: Type: text/plain, Size: 1359 bytes --]

On Tue, 2006-08-01 at 14:28 -0400, Stephen Smalley wrote:
> On Tue, 2006-08-01 at 13:27 -0400, James Antill wrote:
> >In a similar vein
> > you can ignore any selinux context information by using --no-selinux
> > when you extract, or --no-xattrs to ignore all xattr information.

> What about just saving the selinux contexts by default if they are
> present on the files being archived (and likewise extracting them by
> default if present in the archive)?  Otherwise, users have to take
> explicit action to save and restore the file contexts and will continue
> to "lose" them by default.

 Note that --xattrs is on by default for extracting, you have to use the
--no-* varients to not extract that info. from the archive. So if you
pass --selinux or --xattrs on the create command line, it just works.
 There are backwards compatibility concerns with enabling even --selinux
by default for creating archives (older versions of GNUtar will spew
warnings, and give error exit codes).

 It's also not obvious it should happen, consider files created in /tmp
and tar'd ... extracting them with tmp_t is probably not what you want.
Dito things like untar'ing an archive of html in /var/www/html (on the
other hand, untar'ing php will only ever work if it has the right
context in the archive).

-- 
James Antill <jantill@redhat.com>

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: gnuTAR support for SELinux context (beta)

[James Antill]

[-- Attachment #1: Type: text/plain, Size: 1136 bytes --]

On Tue, 2006-08-01 at 12:50 -0600, Stephen John Smoogen wrote:

> Doesn't the xattr support use an internally different tar format than
> the normal one? [From my reading of the star pages.] Would this stop
> it being readable from say Debian, Solaris etc that didn't know about
> this format

 No, star requires you set the archive format to exustar ... my patches
for GNUtar only require the --xattr/--selinux option(s) and to not be
using v7 format.
 Note that GNUtar can read exustar format archives, with xattr info. in
them, although I'm guessing all the details in the documentation is
still valid wrt. length limits ... and:

 tar -cvf foo.tar foo --xattr --format=ustar

...does produce archives that can be extracted from star (including
xattr info.).


 Saying that, debian/upstream/etc. GNUtar does issue warnings and a
delayed error exit code when it sees the xattr info. in an archive (but
it works just as though none of that info. were present). Which _could_
break scripts that expect a happy exit code, and might well confuse
users with the warnings.

-- 
James Antill <jantill@redhat.com>

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]