From c66cbe93756f73f6465b5cb2170044c1393e4e66 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Fri, 2 Sep 2016 13:35:00 +0200
Subject: [PATCH] doc: add comment to systemd's NetworkManager.service about
 ibft requiring CAP_SYS_ADMIN

We don't want to enable this upstream, but make the requirement
more discoverable by documenting it and put a comment to
NetworkManager.service.

https://bugzilla.redhat.com/show_bug.cgi?id=1371201
(cherry picked from commit 9aee7b493e3d6352c4864bf2fb4d7fe62626dc38)
---
 data/NetworkManager.service.in | 4 ++++
 man/NetworkManager.conf.xml    | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index 95128a68b5..a9e87310cf 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -15,6 +15,10 @@ Restart=on-failure
 # NM doesn't want systemd to kill its children for it
 KillMode=process
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+
+# ibft settings plugin calls iscsiadm which needs CAP_SYS_ADMIN
+#CapabilityBoundingSet=CAP_SYS_ADMIN
+
 ProtectSystem=true
 ProtectHome=read-only
 
diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml
index db381f07d1..b1e38171f6 100644
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@@ -1058,6 +1058,9 @@ enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
             You can also explicitly specify <literal>ibft</literal> to load the
             plugin without <literal>ifcfg-rh</literal> or to change the plugin order.
           </para>
+          <para>
+            Note that ibft plugin uses /sbin/iscsiadm and thus requires CAP_SYS_ADMIN capability.
+          </para>
         </listitem>
       </varlistentry>