service: don't give CAP_DAC_OVERRIDE capability to NetworkManager (2)

TEST-ONLY: check what breaks in NM-CI when doing this. This reverts commit 4d66d6c7a1 ('Revert "service: don't give CAP_DAC_OVERRIDE capability to NetworkManager"')
2026-02-27 02:20:31 +01:00 · 2022-03-18 13:42:28 +01:00 · 2022-03-18 13:42:28 +01:00 · 7a9c205bbe
commit 7a9c205bbe
parent b3192d2d46
1 changed files with 1 additions and 2 deletions
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@ -15,8 +15,7 @@ Restart=on-failure
 # NM doesn't want systemd to kill its children for it
 KillMode=process

-# CAP_DAC_OVERRIDE: required to open /run/openvswitch/db.sock socket.
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT

 ProtectSystem=true
 ProtectHome=read-only