From 53a95f9ebd941c9fd2464f69ee420c4c82842eda Mon Sep 17 00:00:00 2001

From: Thomas Haller <thaller@redhat.com>

Date: Fri, 2 Sep 2016 15:58:42 +0200

Subject: [PATCH] service: give CAP_SYS_ADMIN for ibft/iscsiadm (rh#1371201)

systemd on rhel-7.3 has a bug with merging CapabilityBoundingSet.

https://github.com/systemd/systemd/issues/1221

Thus it is all in one line.

---

 data/NetworkManager.service.in | 6 +++---

 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in

index 2692935..d354b7c 100644

--- a/data/NetworkManager.service.in

+++ b/data/NetworkManager.service.in

@@ -14,10 +14,10 @@ ExecStart=@sbindir@/NetworkManager --no-daemon

 Restart=on-failure

 # NM doesn't want systemd to kill its children for it

 KillMode=process

-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT

+#CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT

-# ibft settings plugin calls iscsiadm which needs CAP_SYS_ADMIN

-#CapabilityBoundingSet=CAP_SYS_ADMIN

+# ibft settings plugin calls iscsiadm which needs CAP_SYS_ADMIN (rh#1371201)

+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT CAP_SYS_ADMIN

 ProtectSystem=true

 ProtectHome=read-only

-- 

2.17.1