How does one make an RPM which sets the POSIX capabilities of a file? If I try doing rpmbuild as a non-root user then I get an error when my makefile’s install hooks try to run setcap, but if I don’t run setcap how will rpmbuild copy the capabilities? There doesn’t seem to be any way to set the capability from within the RPM spec file.
Advertisement
Answer
There is a spec file macro for setting capabilities, %caps; for some reason this seems to be mainly documented in the release notes and changelogs, so it took a while for me to find it.
It’s used like this in the spec file:
%caps(cap_net_admin=pe) %{_sbindir}/foobar
To get make install to use setcap only when invoked by root, you can do something like this:
@if test `id -u` -eq 0; then
setcap cap_net_admin=pe $(DEST_SBINDIR)/foobar ;
fi