Hi, I think that /sbin/rc should be changed from a shell script, the
reason is that with gentoo hardened, security policies could be done
removing all linux capabilities to root (and CAP_DAC_OVERRIDE), in my
setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and
CAP_DAC_OVERRIDE as minimun rsbac capabilities), and between others
utmp has owner as audit user. Since root has not capabilities this
file cannot be touched, and chmod at boot. I can't grant to /sbin/rc a
minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's
a bash shell-script, and granting it to mv, chmod etc is not a good
idea as you can suppose :). Could it be done?
