I have recently made a restricted-capability system, using
medusa DS9. It has some properties of a TCSEC B3 level system,
and IT WORKS!
There were some little problems though, one is Bug#60303:
The start-stop script of postgresql assumed DAC_SEARCH capability.
Oliver has added the needed changes to his package, and asked
me to raise the capability issue here.
Let's define some mechanism which helps the builders of
trusted systems to
 - identify which capabilities the packages need,
   and exactly where and for which functionality
   those capabilities are needed
 - minimize the number of needed capabilities
The first point could be achieved by some documentation methods,
for example if a package has /usr/share/doc/<package>/security,
then the file should list which binary needs which capability and
The second point is more difficult: we can say in debian policy that
our goal is to minimize the needed capabilities, and if there is
an easy way to make a capability unneeded, the maintainer should
GNU GPL: only from clean sources
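The post's concrete failure is a start-stop script that silently relied on a capability it was never documented to need. The shell snippet below is an added example, not code from the original post or from the postgresql package: it gives a script a way to state the capability it depends on and to verify that the running process actually holds it, reading the effective capability mask from the CapEff line of /proc/self/status. It assumes a Linux kernel with /proc, and it assumes the DAC_SEARCH the post mentions corresponds to the Linux capability CAP_DAC_READ_SEARCH, which is capability bit 2 in the kernel's numbering (CAP_DAC_OVERRIDE is bit 1). The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the current
# process really holds a Linux capability before relying on it, so a
# start-stop script fails with a clear message instead of assuming it.
# Assumption: the post's "DAC_SEARCH" means Linux CAP_DAC_READ_SEARCH,
# which is capability bit 2 in the kernel's numbering.

CAP_DAC_OVERRIDE=1
CAP_DAC_READ_SEARCH=2

# cap_bit_set MASK BIT -> returns 0 if BIT is set in the hex MASK, 1 otherwise.
# MASK is the hex string exactly as printed on the CapEff: line of
# /proc/PID/status (for example 000001ffffffffff for full root).
cap_bit_set() {
    mask="$1"
    bit="$2"
    if [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]; then
        return 0
    fi
    return 1
}

# effective_cap_mask -> prints the CapEff hex mask of the running process.
effective_cap_mask() {
    sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status
}

# require_cap NAME BIT -> succeeds only if the process holds the capability;
# otherwise names the missing capability on stderr and fails, which is the
# information a maintainer would also record in the package's
# /usr/share/doc/<package>/security file.
require_cap() {
    if cap_bit_set "$(effective_cap_mask)" "$2"; then
        return 0
    fi
    echo "$0: missing capability $1 (bit $2); refusing to continue" >&2
    return 1
}

# Usage in a start-stop script (constructed example): declare the one
# capability the script needs instead of assuming root's DAC override.
# require_cap CAP_DAC_READ_SEARCH "$CAP_DAC_READ_SEARCH" || exit 1
```

The mask arithmetic is pure POSIX sh (hex constants and shifts in `$(( ))`), so the same check runs under dash or bash. Calling `require_cap` at the top of the script turns an undocumented assumption into an explicit, grep-able dependency, which is exactly what the first point above asks for.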