From 53a95f9ebd941c9fd2464f69ee420c4c82842eda Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Fri, 2 Sep 2016 15:58:42 +0200
Subject: [PATCH] service: give CAP_SYS_ADMIN for ibft/iscsiadm (rh#1371201)

systemd on rhel-7.3 has a bug with merging CapabilityBoundingSet. https://github.com/systemd/systemd/issues/1221 Thus it is all in one line.
---
 data/NetworkManager.service.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index 2692935..d354b7c 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -14,10 +14,10 @@ ExecStart=@sbindir@/NetworkManager --no-daemon
 Restart=on-failure
 # NM doesn't want systemd to kill its children for it
 KillMode=process
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+#CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
 
-# ibft settings plugin calls iscsiadm which needs CAP_SYS_ADMIN
-#CapabilityBoundingSet=CAP_SYS_ADMIN
+# ibft settings plugin calls iscsiadm which needs CAP_SYS_ADMIN (rh#1371201)
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT CAP_SYS_ADMIN
 
 ProtectSystem=true
 ProtectHome=read-only
-- 
2.17.1
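Review bot: The new `CapabilityBoundingSet=` line grants CAP_SYS_ADMIN to every NetworkManager instance, whether or not the ibft plugin is in use, and the unit file does not record why the list must stay on a single line. CAP_SYS_ADMIN is broad enough to offset much of the restriction the rest of the bounding set provides, so the comment above the directive should state both the trade-off and the constraint, e.g. `# Keep on ONE line: systemd on rhel-7.3 does not merge repeated CapabilityBoundingSet= (systemd#1221)`. Without that, a later cleanup could split the directive again and silently change the effective set on affected systemd versions. The commented-out narrower line left above it also needs a label such as `# Narrower set for hosts that do not use the ibft plugin:`; that it is sufficient there is inferred from the removed line and should be confirmed.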