Currently, SELinux restricts the use of capabilities by a process based on the process domain's access to the capability security class. This restriction is not reflected in the capabilities returned by the capget system call. I have attached a small patch which would remove the "disallowed" capabilities from the effective set that is returned from the call. This seems to be a good idea to me because it gives an accurate picture of the capabilities that a process can use. Does anyone else have an opinion on this?

-- Darrel