Well, a capability-based system would have no trouble keeping anything in sync with the capability masks on files, because there *is* nothing to keep in sync. The relabelling operation consists (very roughly) of tracking down the xattrs on labelled files and bringing them in sync with what's defined in the SELinux config files: no analogous operation exists if xattrs are the only storage representation, just as you don't need to wait for ages while permissions are synched with anything when you boot :)
(The interaction of all this with Samba and NFS-without-xattrs is interesting: the standard capability inheritance model is totally broken in that situation. Mind you it's quite rare to run binaries over NFS these days.)
Copyright © 2017, Eklektix, Inc.