===== Setting up CAP =====

Before starting with Linux Capabilities (CAP) module administration, you should read the [[documentation:rsbac_handbook:security_models:cap|CAP description]].

CAP administration only changes the min_caps and max_caps attributes of users and files. This can be done either with rsbac_user_menu and rsbac_fd_menu or with the command line tools attr_get_user, attr_set_user, attr_get_file_dir and attr_set_file_dir.

Known Linux Capabilities are (more details in the man page capabilities(7)):

^ Name ^ Description ^
| CHOWN | Change file owner |
| DAC_OVERRIDE | Full DAC access to all filesystem objects |
| DAC_READ_SEARCH | DAC read access to all filesystem objects |
| FOWNER | Change filesystem object owner |
| FSETID | Override some file owner based restrictions |
| KILL | Send signal to any process |
| SETGID | Set process group |
| SETUID | Set process owner |
| SETPCAP | Change capabilities |
| LINUX_IMMUTABLE | Set immutable flag on filesystem objects |
| NET_BIND_SERVICE | Bind to ports below 1024 |
| NET_BROADCAST | Send network broadcasts |
| NET_ADMIN | Various network admin tasks |
| NET_RAW | Send raw packets |
| IPC_LOCK | Lock memory into RAM |
| IPC_OWNER | Override IPC owner checks |
| SYS_MODULE | Load and remove kernel modules |
| SYS_RAWIO | Make raw IO |
| SYS_CHROOT | Use chroot |
| SYS_PTRACE | Trace any process |
| SYS_PACCT | Access process accounting |
| SYS_ADMIN | Various admin tasks |
| SYS_BOOT | Reboot and halt |
| SYS_NICE | Raise process priority |
| SYS_RESOURCE | Raise resource limits |
| SYS_TIME | Set system clock |
| SYS_TTY_CONFIG | Config ttys |
| MKNOD | Create device special files |
| LEASE | Take leases on files |
| AUDIT_WRITE | Write to kernel audit |
| AUDIT_CONTROL | Control kernel audit |
| SETFCAP | Set per-file capabilities (filesystem dependent) |
| MAC_OVERRIDE | Override some LSM module, if it allows |
| MAC_ADMIN | Admin some LSM module, if it allows |

Example to add the DAC_READ_SEARCH and KILL capabilities for secoff, so that this user can browse the complete filesystem:

<code>
attr_set_user CAP secoff min_caps DAC_READ_SEARCH KILL
</code>

----
**Table of Contents:** [[documentation:rsbac_handbook|RSBAC Handbook]]\\
**Previous:** [[.:jail|JAIL]]\\
**Next:** [[.:pax|PAX]]\\
**Alternative:** [[documentation:rsbac_handbook:configuration_basics:setting_up_modules|Setting up Modules]]
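The following Python snippet is an added illustration of what the min_caps and max_caps attributes mean for the secoff example above; it is not code from the RSBAC project or from this handbook. The combination rule it models (min_caps from user and file are always granted, max_caps from user and file are never exceeded) is an assumption drawn from the CAP model's description, and the default of "all capabilities" for max_caps is a constructed starting point for the demonstration. The capability names are taken from the table above, so misspelled names are rejected before they reach a tool invocation.

```python
# Added example, not RSBAC project code: a small model of how the CAP
# module's min_caps / max_caps attributes shape a process's capability set.
# ASSUMPTION: min_caps (user and file) are always added, and the result is
# clipped to the intersection of user and file max_caps.
from typing import FrozenSet, Iterable

# Capability names from the CAP table; order is only used for stable output.
KNOWN_CAPS = (
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN",
)
ALL_CAPS: FrozenSet[str] = frozenset(KNOWN_CAPS)


def caps(names: Iterable[str]) -> FrozenSet[str]:
    """Build a capability set, rejecting names that are not in the table."""
    result = frozenset(names)
    unknown = result - ALL_CAPS
    if unknown:
        raise ValueError(f"unknown capability name(s): {sorted(unknown)}")
    return result


def effective_caps(current: FrozenSet[str],
                   user_min: FrozenSet[str], user_max: FrozenSet[str],
                   file_min: FrozenSet[str], file_max: FrozenSet[str]) -> FrozenSet[str]:
    """Assumed rule: grant every min_caps, then clip to the smallest max_caps."""
    granted = current | user_min | file_min   # min_caps are always added
    ceiling = user_max & file_max             # max_caps are never exceeded
    return granted & ceiling


def secoff_example(file_max: FrozenSet[str] = ALL_CAPS) -> FrozenSet[str]:
    """The page's example: secoff gets min_caps DAC_READ_SEARCH and KILL.

    A process starting with no capabilities is modelled; the executed file
    has no min_caps of its own, and its max_caps defaults to all capabilities
    (constructed default) unless a tighter ceiling is passed in.
    """
    user_min = caps(["DAC_READ_SEARCH", "KILL"])
    return effective_caps(frozenset(), user_min, ALL_CAPS, frozenset(), file_max)


def fmt(capset: FrozenSet[str]) -> str:
    """Render a capability set in table order for readable output."""
    return " ".join(sorted(capset, key=KNOWN_CAPS.index)) or "(none)"


if __name__ == "__main__":
    print("secoff, default file ceiling:", fmt(secoff_example()))
    # A file whose max_caps excludes KILL clips the user's min_caps.
    print("secoff, file max_caps without KILL:",
          fmt(secoff_example(ALL_CAPS - {"KILL"})))
```

The second call shows why both attributes matter when reviewing a CAP setup: a generous min_caps on the user is still bounded by the max_caps of the program being run, so auditing one side alone does not tell you what a process actually receives.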