Quoting Xavier Toth (txtoth@xxxxxxxxx): > I was not putting capabilities on the script but rather on a compiled > wrapper which execs a python script in which I need to do auditing. > Will this not work? No, because of the way capabilities are re-calculated on exec(). pI' = pI pP' = (X&fP) | (pI & fI) pE' = fE ? pP' : 0 So since the interpreter has fI=fP=fE=0 and is not setuid root (which would fill in fP and/or fE to emulate privileged root), pP' and pE' will be empty after exec(). Now you could use a wrapper as follows: Have the wrapper fill pI, and then fill fI on the python interpreter. Any user who has an empty pI (which generally is all users) will execute python scripts with no privilege, but when the wrapper execs the script, pP' will be filled with (pI&fI) = full. -serge -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
