Closed cxdinter closed 6 years ago
Well, you have to either drop CAP_MAC_ADMIN and CAP_MAC_OVERRIDE capabilities, or write a list of labels for which these capabilities will be effective in /sys/fs/smackfs/onlycap. If the label of a root process is not in the onlycap file, the process will be restricted.
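The onlycap rule from the answer above, as an added shell example that is not part of the original thread: it writes a label list and reports which root processes keep the two capabilities. The function names and the `ONLYCAP`/`PROC_ROOT` overrides are assumptions made for this sketch; a process's Smack label is read from `/proc/<pid>/attr/current`.

```shell
#!/bin/sh
# Added example. Real locations are the defaults; override both variables to
# run the logic against constructed files instead of a live Smack system.
ONLYCAP="${ONLYCAP:-/sys/fs/smackfs/onlycap}"
PROC_ROOT="${PROC_ROOT:-/proc}"

# caps_effective_for LABEL (hypothetical helper)
# 0: CAP_MAC_ADMIN/CAP_MAC_OVERRIDE are effective for LABEL
# 1: LABEL is not listed, so a root process carrying it stays under Smack rules
# 2: onlycap cannot be read (Smack not enabled or smackfs not mounted)
caps_effective_for() {
    [ -r "$ONLYCAP" ] || return 2
    [ -n "$1" ] || return 1
    listed=$(tr -s ' \t' '\n\n' < "$ONLYCAP")
    # An empty onlycap places no limit: the capabilities work for any label.
    [ -z "$listed" ] && return 0
    printf '%s\n' "$listed" | grep -Fxq -- "$1"
}

# set_onlycap LABEL...: write the space-separated label list.
# Include the label of the shell doing the write; once its label is missing
# from the list, that shell can no longer change the file.
set_onlycap() { printf '%s' "$*" > "$ONLYCAP"; }

# audit_root_procs: print "PID LABEL STATE" for every process with euid 0.
audit_root_procs() {
    [ -r "$ONLYCAP" ] || return 2
    for dir in "$PROC_ROOT"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        euid=$(awk '/^Uid:/ { print $3 }' "$dir/status")
        [ "$euid" = 0 ] || continue
        label=$(cat "$dir/attr/current" 2>/dev/null) || continue
        if caps_effective_for "$label"; then
            state=unrestricted
        else
            state=restricted
        fi
        printf '%s %s %s\n' "${dir##*/}" "$label" "$state"
    done
}

# Run as "script audit" on a Smack system to list root processes.
if [ "${1:-}" = audit ]; then audit_root_procs; fi
```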
Hi. I am just starting to learn Smack. Until now, based on my understanding, the root user can still do everything, even when the system already practices Smack. This is different from SELinux. Is there any way to limit/drop the capabilities from the root user?