mirror of
https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git
synced 2025-12-26 07:40:08 +01:00
4d66d6c7a1
Well, that was short. Seems we need CAP_DAC_OVERRIDE at least for the
OVS plugin. The OVS socket is
srwxr-x---. 1 openvswitch openvswitch 0 Xxx xx xx:xx /run/openvswitch/db.sock
and without CAP_DAC_OVERRIDE, NetworkManager cannot talk to OVS.
We should fix that differently by adding a nm-sudo D-Bus service that
can hand a file descriptor to NetworkManager.
This reverts commit 2e334f54b2.
32 lines
1.2 KiB
SYSTEMD
32 lines
1.2 KiB
SYSTEMD
[Unit]
|
|
Description=Network Manager
|
|
Documentation=man:NetworkManager(8)
|
|
Wants=network.target
|
|
After=network-pre.target dbus.service
|
|
Before=network.target @DISTRO_NETWORK_SERVICE@
|
|
|
|
[Service]
|
|
Type=dbus
|
|
BusName=org.freedesktop.NetworkManager
|
|
ExecReload=/usr/bin/busctl call org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager Reload u 0
|
|
#ExecReload=/bin/kill -HUP $MAINPID
|
|
ExecStart=@sbindir@/NetworkManager --no-daemon
|
|
Restart=on-failure
|
|
# NM doesn't want systemd to kill its children for it
|
|
KillMode=process
|
|
|
|
# CAP_DAC_OVERRIDE: required to open /run/openvswitch/db.sock socket.
|
|
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
|
|
|
|
ProtectSystem=true
|
|
ProtectHome=read-only
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
Also=NetworkManager-dispatcher.service
|
|
|
|
# We want to enable NetworkManager-wait-online.service whenever this service
|
|
# is enabled. NetworkManager-wait-online.service has
|
|
# WantedBy=network-online.target, so enabling it only has an effect if
|
|
# network-online.target itself is enabled or pulled in by some other unit.
|
|
Also=NetworkManager-wait-online.service
|