LSS: Kernel security subsystem reports

Oh, and to clarify, the reason why the capability situation is so ironic is that the SELinux policy developers claim the policies are developed with careful code inspection, yada yada, and yet the cases of granting CAP_DAC_OVERRIDE is something that can only happen in a vanilla kernel (not grsec kernel) using audit2allow to generate policies ;) Whoops!

-Brad