RPM: libcap-2.69-3.fc40.x86_64.rpm

Currently, the libcap RPM doesn't include information about capability.conf and the pam_cap.so module arguments. So users don't understand the meaning of "^", "!" or "@", or "keepcaps", "defer" and so on.

The upstream web page has such information.
https://sites.google.com/site/fullycapable/pam_cap-so

So my suggestion is that the libcap maintainer should add this information into /usr/share/doc or a man page (such as capability.conf or pam_cap.so).

As I see from the contents of the libcap-devel RPM, it contains information for developers. What I expect is information for admin users.

Reproducible: Always

Steps to Reproduce:
1. Install Fedora
2. rpm -ql libcap-2.69-3.fc40.x86_64.rpm

Actual Results:
Find information about how to write capability.conf or pam_cap.so.

Expected Results:
No such document included in the RPM.

The man page capabilities(7) does not include information such as what "^", "!" or "@" mean, so this man page doesn't help.

The Red Hat KB (https://access.redhat.com/solutions/1264083) includes information on how to configure capability.conf. But the author only wrote an example without explaining what "^" or "keepcaps defer" means in the KB.
Thank you masanari iida for the feedback. I'll be looking into this.
Patch applied upstream (will be included in libcap-2.70): https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=caab6200d2420616604c4851b2b3a3065f07b447
Iida-san, are you ok with the changes in the commit? If so, I will then work on requests into RHEL.
One comment. In KB#1264083, the KB author wrote the following example.

# cat /etc/security/capability.conf
^cap_net_raw,^cap_sys_nice user1
none *

The capability.conf man page patch doesn't say whether we can use an asterisk in <WHO>. If it can be used, add the information.
Thank you for catching that masanari iida. I'm providing a patch for that one as well. The fix will be coming in Fedora 40.
FEDORA-2024-fbfda3f679 (libcap-2.69-8.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-fbfda3f679
FEDORA-2024-fbfda3f679 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-fbfda3f679` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-fbfda3f679 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Thanks for the additional patch (56ee609f672487cdc15b0df6004764bf46552f06).
FEDORA-2024-fbfda3f679 (libcap-2.69-8.fc40) has been pushed to the Fedora 40 stable repository. If the problem still persists, please make note of it in this bug report.
Test, please ignore.