I would note that I've used vserver for quite some time on 2.4 (and patches are in dev - and released in alpha state - for 2.6; using them on my laptop) to enable exactly this capability handling. Vserver strips ALL capabilities - even from root - but you can very easily add a capability per vserver - and as you are supposed to run each service in a separate vserver (this has no notable overhead), you could easily add the mentioned capability to the vserver running oracle.
Vserver works rather simply - and does not reserve memory for each vserver etc. This makes it very lightweight. See http://www.linux-vserver.org
Perhaps the kernel coders should have a look at how the capabilities are used there? - as it works rather well.
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds