Skip to content
Advertisement

Making an RPM which sets POSIX files capabilities

How does one make an RPM which sets the POSIX capabilities of a file? If I try doing rpmbuild as a non-root user then I get an error when my makefile’s install hooks try to run setcap, but if I don’t run setcap how will rpmbuild copy the capabilities? There doesn’t seem to be any way to set the capability from within the RPM spec file.

Advertisement

Answer

There is a spec file macro for setting capabilities, %caps; for some reason this seems to be mainly documented in the release notes and changelogs, so it took a while for me to find it.

It’s used like this in the spec file:

%caps(cap_net_admin=pe) %{_sbindir}/foobar

To get make install to use setcap only when invoked by root, you can do something like this:

@if test `id -u` -eq 0; then 
    setcap cap_net_admin=pe $(DEST_SBINDIR)/foobar ; 
fi
User contributions licensed under: CC BY-SA
7 People found this is helpful
Advertisement