OK, so I've been doing a little web-surfing lately to find out about capabilities-based security (in general - not in Linux specifically) and it seems to distill down to this: a capability is a bundle of an object and some actions that can be performed (with|on) that object. If you don't have the capability to do y to x, you can't - in fact, you can't even describe the operation involved.
Which seems quite tidy, though in all honesty pretty obvious really. So I'm left thinking there must be more to it than this. Where do you get the capability from in the first place? Or is that Policy (a.k.a "we haven't really thought about that yet")