From 7a9c205bbef0fba1d1dfe19aec034a3cc0d67462 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Fri, 18 Mar 2022 13:42:28 +0100
Subject: [PATCH] service: don't give CAP_DAC_OVERRIDE capability to NetworkManager (2)
TEST-ONLY: check what breaks in NM-CI when doing this.
This reverts commit 4d66d6c7a195 ('Revert "service: don't give CAP_DAC_OVERRIDE capability to NetworkManager"')
---
 data/NetworkManager.service.in | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index e23b3a5282..1646679c5d 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -15,8 +15,7 @@ Restart=on-failure
 # NM doesn't want systemd to kill its children for it
 KillMode=process
-# CAP_DAC_OVERRIDE: required to open /run/openvswitch/db.sock socket.
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
 ProtectSystem=true
 ProtectHome=read-only