author: Thomas Haller <thaller@redhat.com> 2016-09-02 13:35:00 +0200
committer: Thomas Haller <thaller@redhat.com> 2016-09-02 15:39:08 +0200
commit: 9aee7b493e3d6352c4864bf2fb4d7fe62626dc38 (patch)
tree: 3beabf6ddfd9f18d5e4803f4766a883f7ec55e60
parent: a043b0b4c73715f6b645a1e78832f398371d0cf1 (diff)
doc: add comment to systemd's NetworkManager.service about ibft requiring CAP_SYS_ADMIN
We don't want to enable this upstream, but make the requirement more discoverable by documenting it and put a comment to NetworkManager.service.

https://bugzilla.redhat.com/show_bug.cgi?id=1371201
-rw-r--r-- data/NetworkManager.service.in 4
-rw-r--r-- man/NetworkManager.conf.xml 3
2 files changed, 7 insertions, 0 deletions
diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index 95128a68b5..a9e87310cf 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -15,6 +15,10 @@ Restart=on-failure
# NM doesn't want systemd to kill its children for it
KillMode=process
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+
+# ibft settings plugin calls iscsiadm which needs CAP_SYS_ADMIN
+#CapabilityBoundingSet=CAP_SYS_ADMIN
+
ProtectSystem=true
ProtectHome=read-only
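Review bot: The commented-out `#CapabilityBoundingSet=CAP_SYS_ADMIN` line does not say how it combines with the CapabilityBoundingSet= line directly above it. systemd merges repeated CapabilityBoundingSet= assignments, so uncommenting this line adds CAP_SYS_ADMIN to the existing set rather than replacing it; saying so in the comment would keep an administrator from assuming the other capabilities are dropped, or from editing the first line instead. CAP_SYS_ADMIN is a very broad capability, so the comment should also state that it is left disabled on purpose and is only needed when the ibft settings plugin is actually loaded.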
diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml
index 6685bababc..ad4b7a09b8 100644
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@@ -1058,6 +1058,9 @@ enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
You can also explicitly specify <literal>ibft</literal> to load the
plugin without <literal>ifcfg-rh</literal> or to change the plugin order.
</para>
+ <para>
+ Note that ibft plugin uses /sbin/iscsiadm and thus requires CAP_SYS_ADMIN capability.
+ </para>
</listitem>
</varlistentry>
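Review bot: The added para states the requirement but not its consequence for a default install: the CapabilityBoundingSet in data/NetworkManager.service.in does not include CAP_SYS_ADMIN, so the text should say that the shipped systemd unit does not grant it and point the reader to the commented line in NetworkManager.service. The surrounding paragraph marks up `ibft` and `ifcfg-rh` with `<literal>`, while /sbin/iscsiadm and CAP_SYS_ADMIN are left as plain text here; wrap them the same way, and write "the ibft plugin".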