Revert "service: don't give CAP_DAC_OVERRIDE capability to NetworkManager"

Well, that was short. Seems we need CAP_DAC_OVERRIDE at least for the OVS plugin. The OVS socket is srwxr-x---. 1 openvswitch openvswitch 0 Xxx xx xx:xx /run/openvswitch/db.sock and without CAP_DAC_OVERRIDE, NetworkManager cannot talk to OVS. We should fix that differently by adding a nm-sudo D-Bus service that can hand a file descriptor to NetworkManager. This reverts commit 2e334f54b2.
2026-05-07 10:48:12 +02:00 · 2021-02-12 13:06:13 +01:00 · 2021-02-12 13:06:13 +01:00 · 4d66d6c7a1
commit 4d66d6c7a1
parent 801c41a11c
1 changed files with 3 additions and 1 deletions
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@ -14,7 +14,9 @@ ExecStart=@sbindir@/NetworkManager --no-daemon
 Restart=on-failure
 # NM doesn't want systemd to kill its children for it
 KillMode=process
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+
 # CAP_DAC_OVERRIDE: required to open /run/openvswitch/db.sock socket.
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
 ProtectSystem=true
 ProtectHome=read-only