Remove capabilities instead of setting empty caps via. --setcaps

If a file in a package does not have any capabilities rpm --setcaps should
remove capabilities of the file. Prior to this patch capabilities of the file
were set as empty.

Empty capabilities mean more than no capabilities. A file with no capabilities
can inherit capabilities, but file with empty capabilities can not.

When ever package does not have any capabilities set %|FILECAPS? is false.
If some files have capabilities, %|FILECAPS? is true but %{FILECAPS} is ''
when the file does not have capabilities and '= <capstring>' when there is some.

Reported and patch created by Markus Linnala
Commit message edited by Pavlina Moravcova Varekova and Florian Festi.

Fixes #585
Fixes #586

(cherry picked from commit b4178c979fff344a1c5142a305f274dd9aff8f45)

1 files changed, 7 insertions, 2 deletions

diff --git a/rpmpopt.in b/rpmpopt.in
index 3a571140c..67fcabfb1 100644
--- a/rpmpopt.in
+++ b/rpmpopt.in
@@ -57,8 +57,13 @@ rpm	alias --setugids -q --qf \
 	--POPTdesc=$"set user/group ownership of files in a package"
 
 rpm	alias --setcaps -q --qf \
-	"[\[ -f %{FILENAMES:shescape} -a ! -L %{FILENAMES:shescape} \] \
-	    && setcap %|FILECAPS?{%{FILECAPS:shescape}}:{''}| %{FILENAMES:shescape}\n]" \
+        "[if \[ -f %{FILENAMES:shescape} -a ! -L %{FILENAMES:shescape} \]; then\n\
+%|FILECAPS?{  if \[ -n %{FILECAPS:shescape} \]; then\n\
+    setcap %{FILECAPS:shescape} %{FILENAMES:shescape}\n\
+  el}:{  }|if \[ -n \"\$(getcap %{FILENAMES:shescape})\" \]; then\n\
+    setcap -r %{FILENAMES:shescape}\n\
+  fi\n\
+fi\n]" \
 	--pipe "sh" \
 	--POPTdesc=$"set capabilities of files in a package"