author | Thomas Haller <thaller@redhat.com> | 2021-07-21 17:53:28 +0200 |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2021-07-26 17:19:36 +0200 |
commit | cc100025d0db3df3092c1d33c43e6d20957971e6 (patch) | |
tree | 8875796374fd3eb8eb75094beb2c02bd9859b931 | |
parent | 438fd3aa9cb0b2d5315de12040b1562d00140e02 (diff) | |
download | NetworkManager-th/nm-sudo-2.tar.gz |
core: drop CAP_DAC_OVERRIDE capability
Now that we can open the unix socket for ovsdb via nm-sudo, drop
the capability CAP_DAC_OVERRIDE.
Note that SELinux may block passing file descriptors from nm-sudo. If it
doesn't work for you, test with SELinux permissive mode and wait for an
SELinux update.
https://bugzilla.redhat.com/show_bug.cgi?id=1921826
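The mechanism the commit relies on is file-descriptor passing over a unix-domain socket (SCM_RIGHTS): a privileged helper opens the resource and hands the open descriptor to the daemon, so the daemon itself never needs CAP_DAC_OVERRIDE. The program below is an added, self-contained example of that mechanism, not code from NetworkManager or nm-sudo; it stands in for the helper with a forked child over a socketpair, uses a temporary file in place of /run/openvswitch/db.sock, and the names `send_fd`, `recv_fd` and `demo_pass_fd` are its own.

```c
/* Added example (not NetworkManager/nm-sudo code): pass an open file
 * descriptor from a "helper" process to a "daemon" process with SCM_RIGHTS.
 * The child plays the privileged helper (nm-sudo's role in the commit); the
 * parent is the daemon that lacks the rights to open the resource itself. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send one descriptor over a connected AF_UNIX socket. Returns 0 or -1. */
static int send_fd(int sock, int fd_to_send)
{
    char dummy = 'F';                      /* SCM_RIGHTS needs >= 1 data byte */
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;

    memset(&u, 0, sizeof(u));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor. Returns the new fd (CLOEXEC) or -1. Rejects a
 * truncated control buffer or a message that carries no SCM_RIGHTS, so a
 * peer cannot make the daemon treat an arbitrary message as a descriptor. */
static int recv_fd(int sock)
{
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;

    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);

    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) != 1 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Demo: the helper (child) creates a temp file holding a constructed payload
 * and passes its descriptor; the daemon (parent) reads through the received
 * fd. Returns the byte count read into `out` (NUL-terminated), or -1. */
int demo_pass_fd(char *out, size_t outlen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                        /* helper side */
        close(sv[0]);
        char tmpl[] = "/tmp/fdpass-XXXXXX"; /* stands in for db.sock */
        int fd = mkstemp(tmpl);
        if (fd < 0) _exit(1);
        unlink(tmpl);
        const char payload[] = "hello from helper";  /* constructed data */
        if (write(fd, payload, sizeof(payload) - 1) != (ssize_t)(sizeof(payload) - 1))
            _exit(1);
        lseek(fd, 0, SEEK_SET);            /* offset is shared with the receiver */
        int rc = send_fd(sv[1], fd);
        close(fd);                          /* parent's copy keeps the file open */
        _exit(rc == 0 ? 0 : 1);
    }
    close(sv[1]);                          /* daemon side */
    int fd = recv_fd(sv[0]);
    close(sv[0]);
    int status;
    waitpid(pid, &status, 0);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, out, outlen - 1);
    close(fd);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[64];
    int n = demo_pass_fd(buf, sizeof buf);
    printf("read %d bytes through passed fd: %s\n", n, n >= 0 ? buf : "(error)");
    return n >= 0 ? 0 : 1;
}
```

The point to carry over to the real deployment is on the receiving side: the daemon validates the control message (level, type, exact length, no truncation) before trusting the descriptor, and the helper decides what it is willing to open, which is where the policy that CAP_DAC_OVERRIDE used to bypass now lives.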
-rw-r--r-- | data/NetworkManager.service.in | 3 |
1 file changed, 1 insertion, 2 deletions
diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in index e23b3a5282..1646679c5d 100644 --- a/data/NetworkManager.service.in +++ b/data/NetworkManager.service.in @@ -15,8 +15,7 @@ Restart=on-failure # NM doesn't want systemd to kill its children for it KillMode=process -# CAP_DAC_OVERRIDE: required to open /run/openvswitch/db.sock socket. -CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT ProtectSystem=true ProtectHome=read-only |
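Review bot: the deleted comment line (`# CAP_DAC_OVERRIDE: required to open /run/openvswitch/db.sock socket.`) was the only place in the unit that recorded why the ovsdb socket needed a capability; rather than dropping it silently, replace it with a one-line comment stating that db.sock is now opened through nm-sudo and that CAP_DAC_OVERRIDE is deliberately absent, with the bugzilla from the commit message, so the capability is not re-added by whoever next hits the SELinux fd-passing denial the commit message warns about. After the change lands, confirm the running daemon actually lost the bit (CapabilityBoundingSet only applies on the next service start) with `grep CapBnd /proc/$(pidof NetworkManager)/status` and `capsh --decode=<mask>`; the remaining set in the `+` line still carries CAP_SYS_MODULE, CAP_SETUID and CAP_SETGID, which are worth the same "is it still needed" question in a follow-up.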