Lower Process Capabilities

Steve Grubb sgrubb at redhat.com
Sat Aug 15 01:04:32 UTC 2009


On Friday 14 August 2009 06:05:06 pm Serge E. Hallyn wrote:
> Quoting Steve Grubb (sgrubb at redhat.com):
> > On Sunday 26 July 2009 07:32:36 pm Steve Grubb wrote:
> > A sample srpm can be found here for anyone wanting to try it out before
> > alpha is unfrozen.
> >
> > http://people.redhat.com/sgrubb/files/filesystem-2.4.24-1.fc12.src.rpm
> >
> > Any feedback would be appreciated.
>
> Downloading and looking at filesystem.spec in the above rpm, I don't
> see any special treatment for boot, root, or /lib....  Is the right
> rpm at that link?

Should be. This morning I found that I forgot the /usr/lib[64] directories and
updated my local copy. I just updated the file I linked to above.
rpm -qpl --verbose seems to show me that the changes are in place. I also
added tracker bugs to the project page so people can better tell what was
patched and how it might have been modified. In any event the patch attached to
bz is below. I only change the attributes and not the main code.

-Steve


--- filesystem.orig/filesystem.spec	2009-07-25 11:07:17.000000000 -0400
+++ filesystem/filesystem.spec	2009-08-14 13:09:19.000000000 -0400
@@ -79,15 +79,17 @@
 
 %files -f filelist
 %defattr(0755,root,root)
-%dir /
-/bin
-/boot
+%dir %attr(555,root,root) /
+%attr(555,root,root) /bin
+%attr(555,root,root) /boot
 /dev
 /etc
 /home
-/lib
+%attr(555,root,root) /lib
+%attr(555,root,root) /usr/lib
 %ifarch x86_64 ppc ppc64 sparc sparc64 s390 s390x
-/%{_lib}
+%attr(555,root,root) /%{_lib}
+%attr(555,root,root) /usr/%{_lib}
 %endif
 /media
 %dir /mnt
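
Review bot: The new `%attr(555,root,root) /usr/lib` and `%attr(555,root,root) /usr/%{_lib}` entries name paths that the existing `/usr/[^s]*` glob further down the same %files list also matches, so each directory is listed twice, once under `%defattr(0755,root,root)` and once with 555. It is not obvious from the spec which mode the built package ends up carrying, and rpmbuild normally warns about files listed twice. Consider narrowing the glob so it no longer covers the directories given an explicit %attr, and confirm the result with the same `rpm -qpl --verbose` check on the built package. Separately, on any arch in the %ifarch list where `%{_lib}` expands to `lib`, `/usr/%{_lib}` repeats the `/usr/lib` line just above it. A short comment in the spec saying why these directories drop the owner write bit would also help the next person who touches this list.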
@@ -95,15 +97,16 @@
 %ghost %config(missingok) %verify(not size md5 mode user link rdev group mtime) /mnt/floppy
 %dir /opt
 %attr(555,root,root) /proc
-%attr(750,root,root) /root
-/sbin
+%attr(550,root,root) /root
+%attr(555,root,root) /sbin
 /selinux
 /srv
 /sys
 %attr(1777,root,root) /tmp
 %dir /usr
 /usr/[^s]*
-/usr/sbin
+%attr(555,root,root) /usr/sbin
+%attr(555,root,root) /usr/bin
 %dir /usr/share
 /usr/share/applications
 /usr/share/augeas
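
Review bot: The change of `/root` from 750 to 550 removes the owner write bit from root's home directory, which is a different kind of directory from the binary and library paths the rest of the patch tightens. Anything that writes into /root while running as root (shell history, editor state, per-user configuration) then depends on being able to override the permission check, so please confirm that this is intended and note the reason next to the entry. The added `%attr(555,root,root) /usr/bin` also sits directly after `/usr/[^s]*`, which already matches /usr/bin, so that directory appears twice in the list with two different modes. `/usr/sbin` avoids this only because the glob excludes names starting with `s`.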



