Making an RPM which sets POSIX files capabilities

2.5k views Asked by At

How does one make an RPM which sets the POSIX capabilities of a file? If I try doing rpmbuild as a non-root user then I get an error when my makefile's install hooks try to run setcap, but if I don't run setcap how will rpmbuild copy the capabilities? There doesn't seem to be any way to set the capability from within the RPM spec file.

1

There are 1 answers

2
Matthew Cline On BEST ANSWER

There is a spec file macro for setting capabilities, %caps; for some reason this seems to be mainly documented in the release notes and changelogs, so it took a while for me to find it.

It's used like this in the spec file:

%caps(cap_net_admin=pe) %{_sbindir}/foobar

To get make install to use setcap only when invoked by root, you can do something like this:

@if test `id -u` -eq 0; then \
    setcap cap_net_admin=pe $(DEST_SBINDIR)/foobar ; \
fi