| field | value | date |
|---|---|---|
| author | Thomas Haller <thaller@redhat.com> | 2021-02-12 13:06:13 +0100 |
| committer | Thomas Haller <thaller@redhat.com> | 2021-02-12 13:32:33 +0100 |
| commit | 4d66d6c7a195b9d57613d5f47741b5e470b3f2b2 (patch) | |
| tree | 052da506e04c560ee69c26748a0cf4ff27120a40 | |
| parent | 801c41a11c2cd37dc1271c026edc0a3292cc69b8 (diff) | |
| download | NetworkManager-4d66d6c7a195b9d57613d5f47741b5e470b3f2b2.tar.gz | |
Revert "service: don't give CAP_DAC_OVERRIDE capability to NetworkManager"
Well, that was short. Seems we need CAP_DAC_OVERRIDE at least for the
OVS plugin. The OVS socket is
srwxr-x---. 1 openvswitch openvswitch 0 Xxx xx xx:xx /run/openvswitch/db.sock
and without CAP_DAC_OVERRIDE, NetworkManager cannot talk to OVS.
We should fix that differently by adding a nm-sudo D-Bus service that
can hand a file descriptor to NetworkManager.
This reverts commit 2e334f54b27f91f40c3aa8bdba3254e2284d30bd.
-rw-r--r-- | data/NetworkManager.service.in | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in index 382cdee821..6aaaed78ba 100644 --- a/data/NetworkManager.service.in +++ b/data/NetworkManager.service.in @@ -14,7 +14,9 @@ ExecStart=@sbindir@/NetworkManager --no-daemon Restart=on-failure # NM doesn't want systemd to kill its children for it KillMode=process -CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT + +# CAP_DAC_OVERRIDE: required to open /run/openvswitch/db.sock socket. +CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT ProtectSystem=true ProtectHome=read-only |
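Review bot: the new comment line "# CAP_DAC_OVERRIDE: required to open /run/openvswitch/db.sock socket." under-documents what the change grants: CAP_DAC_OVERRIDE in CapabilityBoundingSet bypasses discretionary access checks for every file the daemon opens, not only that one socket, so the unit is back to the broader privilege the reverted commit had removed. Since the commit message already says the intended fix is an nm-sudo D-Bus service that hands a file descriptor to NetworkManager, suggest the comment say so explicitly, e.g. "# CAP_DAC_OVERRIDE: temporary, needed to connect to /run/openvswitch/db.sock (mode srwxr-x---, openvswitch:openvswitch); to be replaced by fd passing via nm-sudo", so a later reader knows the capability is meant to be dropped again rather than treating it as a permanent requirement. Minor: the added blank "+" line before the comment separates the comment from KillMode=process, which reads fine, but keep it consistent with how other directives in the unit are grouped.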