[rsbac] Re: Missing CAPs are not logged

Amon Ott ao at rsbac.org
Tue Jan 25 12:55:29 CET 2005

On Dienstag 25 Januar 2005 12:35, Thomas Mueller wrote:
> Amon Ott wrote:
> >>yesterday I upgraded from kernel 2.6.9 with RSBAC 1.2.3bf7 to 
> >>2.6.10 with RSBAC 1.2.3bf11.
> >>
> >> From that moment on exims queue runner didn't work anymore - a 
> >>setgroups() call failed. I've only allowed capabilty 
> >> NET_BIND_SERVICE (00000000000000000010000000000).
> >>With NET_BIND_SERVICE and SET_GID everything works fine now.
> > 
> > There is no real difference.
> You mean in the CAP module between bf7 and bf11 ?

> Is it hard to patch the kernel so that missing CAPs are logged by 
> If the program that needs more CAPs doesn't output a useful error 
> message it is very hard to find out what's missing.

It is either simple (change the capable() function), but produces tons 
of output and is thus useless, or it requires patches to all 
functions that check capabilities, what is a real lot of work and 
almost impossible to maintain.

We can give the first option a try, though.

But, again: The normal reason why a program only works in softmode, 
but does not produce RSBAC logging, are missing CAPs in the max_caps 

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list