Setting up CAP

Before starting with Linux Capabilities (CAP) module administration, you should read the CAP description.

CAP administration only changes the min_caps and max_caps attributes of users and files: min_caps are capabilities that every process of that user (or every process executing that file) is always given, while max_caps is the upper bound of capabilities such a process can hold. The attributes can be changed either interactively with rsbac_user_menu and rsbac_fd_menu or with the command line tools attr_get_user, attr_set_user, attr_get_file_dir and attr_set_file_dir.

The known Linux capabilities are listed below (see the capabilities(7) man page for details):

Name              Description
----------------  ----------------------------------------------------------
CHOWN             Change file owner and group
DAC_OVERRIDE      Bypass DAC read, write and execute checks on all filesystem objects
DAC_READ_SEARCH   Bypass DAC read and directory search checks on all filesystem objects
FOWNER            Bypass ownership checks on operations that normally require owning the object (chmod, utime, ACLs, ...)
FSETID            Keep set-user-ID and set-group-ID bits when a file is modified
KILL              Send signals to any process
SETGID            Set arbitrary process group IDs and supplementary groups
SETUID            Set arbitrary process user IDs
SETPCAP           Transfer or change capabilities
LINUX_IMMUTABLE   Set the immutable and append-only flags on filesystem objects
NET_BIND_SERVICE  Bind to ports below 1024
NET_BROADCAST     Send network broadcasts and listen to multicasts
NET_ADMIN         Various network administration tasks (interfaces, routing, firewalling)
NET_RAW           Use raw and packet sockets
IPC_LOCK          Lock memory into RAM
IPC_OWNER         Bypass permission checks on System V IPC objects
SYS_MODULE        Load and remove kernel modules
SYS_RAWIO         Raw I/O: I/O port access and raw access to block devices
SYS_CHROOT        Use chroot
SYS_PTRACE        Trace any process
SYS_PACCT         Configure process accounting
SYS_ADMIN         Various administration tasks (mount, quotas, hostname and much more)
SYS_BOOT          Reboot and halt
SYS_NICE          Raise process priority, change scheduling policy and CPU affinity
SYS_RESOURCE      Raise resource limits and override quotas
SYS_TIME          Set the system clock
SYS_TTY_CONFIG    Configure ttys (vhangup, console settings)
MKNOD             Create device special files
LEASE             Take leases on files
AUDIT_WRITE       Write records to the kernel audit log
AUDIT_CONTROL     Control kernel auditing
SETFCAP           Set per-file capabilities (filesystem dependent)
MAC_OVERRIDE      Override a mandatory access control LSM, if that LSM allows it
MAC_ADMIN         Configure a mandatory access control LSM, if that LSM allows it


Example: add the DAC_READ_SEARCH and KILL capabilities to the min_caps of user secoff, so that this user can read and search the complete filesystem (DAC_READ_SEARCH) and send signals to any process (KILL). Note that DAC_READ_SEARCH bypasses every DAC read check, so grant it only to accounts that really need it, such as the security officer:

attr_set_user CAP secoff min_caps DAC_READ_SEARCH KILL
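After running the attr_set_user command above, you will want to confirm that the kernel actually hands the capabilities to processes of secoff. The following POSIX shell script is an added example, not part of the RSBAC handbook or of the RSBAC tools: it decodes the CapEff mask that the kernel reports in /proc/<pid>/status and checks for the two capabilities set above. The bit numbers (DAC_READ_SEARCH = 2, KILL = 5) come from <linux/capability.h>; the /proc status text embedded in the script is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the RSBAC handbook): verify, from a fresh login
# session of secoff, that the capabilities given via min_caps really appear
# in the effective capability set (CapEff) that the kernel reports.
#
# Capability bit numbers follow <linux/capability.h>:
#   DAC_READ_SEARCH = 2, KILL = 5

# cap_in_mask MASKHEX CAPNUM
# Returns 0 (true) if bit CAPNUM is set in the hexadecimal mask MASKHEX,
# which is the format of the Cap* lines in /proc/<pid>/status.
cap_in_mask() {
    mask_hex=$1
    capnum=$2
    [ -n "$mask_hex" ] || return 1
    [ $(( 0x$mask_hex >> $capnum & 1 )) -eq 1 ]
}

# cap_eff_mask STATUS_TEXT
# Prints the CapEff mask found in the text of a /proc/<pid>/status file.
cap_eff_mask() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# check_secoff_caps STATUS_TEXT
# Checks that DAC_READ_SEARCH and KILL are both in CapEff.
# Prints "ok: ..." and returns 0, or prints the missing names and returns 1.
check_secoff_caps() {
    mask=$(cap_eff_mask "$1")
    missing=""
    for name_num in DAC_READ_SEARCH:2 KILL:5; do
        name=${name_num%%:*}
        num=${name_num##*:}
        cap_in_mask "$mask" "$num" || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok: DAC_READ_SEARCH and KILL present in CapEff $mask"
    return 0
}

# Constructed sample of /proc/self/status lines (not captured from a real
# system). 0x24 = bits 2 and 5, i.e. exactly DAC_READ_SEARCH and KILL.
SAMPLE_STATUS='Name: sh
Uid: 1001 1001 1001 1001
CapInh: 0000000000000000
CapPrm: 0000000000000024
CapEff: 0000000000000024
CapBnd: 0000003fffffffff'

check_secoff_caps "$SAMPLE_STATUS"

# On the live system, logged in as secoff, use the real status file instead:
#   check_secoff_caps "$(cat /proc/self/status)"
```

Run the check from a login session started after the attribute change, since the CAP module applies min_caps and max_caps to processes as they are started. If a capability is reported missing although attr_get_user CAP secoff min_caps lists it, also look at the max_caps attribute of the user and of the executed program (attr_get_user and attr_get_file_dir), because max_caps bounds what a process may hold.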



Table of Contents: RSBAC Handbook