How does one make an RPM which sets the POSIX capabilities of a file? If I try doing rpmbuild as a non-root user then I get an error when my makefile's install hooks try to run setcap, but if I don't run setcap how will rpmbuild copy the capabilities? There doesn't seem to be any way to set the capability from within the RPM spec file.
In order to build RPMs, you will need source code, which usually means a compressed tar file that also includes the SPEC file. The SPEC file typically contains instructions on how to build the RPM, which files are part of the package and where they should be installed.
Specifically, an RPM package consists of the cpio archive, which contains the files, and the RPM header, which contains metadata about the package. The rpm package manager uses this metadata to determine dependencies, where to install files, and other information. There are two types of RPM packages: source RPM (SRPM)
Install rpmrebuild and "extract" (actually re-create) the spec file of your rpm file or your already installed package. Looking at rpmrebuild's code and then actually testing it, it doesn't "extract" the spec file; it regenerates most of a spec file (header, log, pre/post scripts).
There is a spec file macro for setting capabilities, %caps; for some reason this seems to be mainly documented in the release notes and changelogs, so it took a while for me to find it.
It's used like this in the spec file:
%caps(cap_net_admin=pe) %{_sbindir}/foobar
To get make install to use setcap only when invoked by root, you can do something like this:
@if test `id -u` -eq 0; then \
setcap cap_net_admin=pe $(DEST_SBINDIR)/foobar ; \
fi
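
Once %caps is in the spec file, the capabilities recorded in the built package can be checked against an allow-list before the package is published. The script below is an added example, not part of the original answer; the function names, the extra sample paths and the allow-list format are assumptions, and the sample listing is constructed to stand in for real rpm query output.

```shell
#!/bin/sh
# Added example: audit the file capabilities recorded in an RPM header.
# Input lines are "path<TAB>caps", the shape produced by:
#   rpm -qp --qf '[%{FILENAMES}\t%{FILECAPS}\n]' package.rpm
# An empty caps field means the file carries no capabilities.

# Constructed sample standing in for real rpm output. rpm may print the
# flags in a normalised order, so copy allow-list strings from a real query.
sample_listing() {
    printf '%s\t%s\n' \
        '/usr/sbin/foobar' 'cap_net_admin=ep' \
        '/usr/bin/helper' '' \
        '/usr/bin/extra' 'cap_sys_admin=ep'
}

# audit_caps ENTRY...: each ENTRY is an expected "path caps" pair.
# Reads the listing on stdin, prints every file whose capabilities are
# not on the allow-list, and returns 1 if any were found, 0 otherwise.
audit_caps() {
    bad=0
    tab=$(printf '\t')
    while IFS="$tab" read -r path caps; do
        # Files without capabilities are never a finding.
        if [ -z "$caps" ]; then
            continue
        fi
        expected=no
        for entry in "$@"; do
            if [ "$entry" = "$path $caps" ]; then
                expected=yes
            fi
        done
        if [ "$expected" = no ]; then
            echo "UNEXPECTED $path $caps"
            bad=1
        fi
    done
    return "$bad"
}
```

Against a real build, pipe the rpm query shown in the header comment into audit_caps instead of sample_listing.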