How does one make an RPM which sets the POSIX capabilities of a file? If I try doing `rpmbuild` as a non-root user then I get an error when my makefile's install hooks try to run `setcap`, but if I don't run `setcap` how will `rpmbuild` copy the capabilities? There doesn't seem to be any way to set the capability from within the RPM spec file.
10

tomix86

Matthew Cline
1 Answer
12
There is a spec file macro for setting capabilities, `%caps`; for some reason this seems to be mainly documented in the release notes and changelogs, so it took a while for me to find it.

It's used like this in the spec file:

```
%caps(cap_net_admin=pe) %{_sbindir}/foobar
```

To get `make install` to use `setcap` only when invoked by root, you can do something like this:

```
	@if test `id -u` -eq 0; then \
		setcap cap_net_admin=pe $(DEST_SBINDIR)/foobar ; \
	fi
```

Matthew Cline
I wasn't able to get the `%caps` directive to work. Was getting `syntax error near unexpected token \`cap_net_raw+ep'`. Found another solution using `%post` as described in this issue: https://github.com/schweikert/fping/issues/24#issue-5647305 – acw Sep 26 '16 at 14:16
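
A build-pipeline check for the result of the `%caps` line in the answer above, added here as an example and not part of the original post. It reads the `path<TAB>caps` listing that `rpm -qp --filecaps PACKAGE.rpm` prints; the function name `check_filecaps` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify the capabilities that
# %caps recorded in a built package. Input on stdin is "path<TAB>caps", the
# shape printed by `rpm -qp --filecaps PACKAGE.rpm`.
TAB=$(printf '\t')

# check_filecaps PATH "ALLOWED CAP NAMES" < listing   (hypothetical helper)
# Succeeds only if PATH carries capabilities, all of them allowed, and no
# other file in the package carries any.
check_filecaps() (
    want=$1; allowed=" $2 "; seen=0; rc=0
    while IFS="$TAB" read -r path caps; do
        [ -n "$caps" ] || continue                 # file has no capabilities
        if [ "$path" != "$want" ]; then
            echo "UNEXPECTED: $path has '$caps'" >&2; rc=1; continue
        fi
        seen=1
        # The text form can differ between libcap versions ("cap_x=ep" versus
        # "= cap_x+ep"), so only capability names are compared, not flags.
        for cap in $(printf '%s' "$caps" | tr -c 'a-z_' '\n' | grep '^cap_'); do
            case "$allowed" in
                *" $cap "*) ;;
                *) echo "EXCESS: $path grants $cap" >&2; rc=1 ;;
            esac
        done
    done
    [ "$seen" -eq 1 ] || { echo "MISSING: no capabilities on $want" >&2; rc=1; }
    [ "$rc" -eq 0 ]
)

# Constructed sample listing for the foobar package from the answer.
sample="/usr/sbin/foobar${TAB}cap_net_admin=ep
/usr/share/man/man8/foobar.8.gz${TAB}"

if printf '%s\n' "$sample" | check_filecaps /usr/sbin/foobar "cap_net_admin"; then
    echo "capabilities OK"
fi
```

In a pipeline, replace the sample with `rpm -qp --filecaps PACKAGE.rpm | check_filecaps /usr/sbin/foobar "cap_net_admin"` and fail the build on a non-zero exit status.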