From 45a2ae7561bdfb59c75788f32290f384d8d159d8 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Fri, 2 Sep 2016 13:35:00 +0200
Subject: [PATCH 1/2] doc: add comment to systemd's NetworkManager.service
about ibft requiring CAP_SYS_ADMIN
We don't want to enable this upstream, but we make the requirement
more discoverable by documenting it and by putting a comment in
NetworkManager.service.
https://bugzilla.redhat.com/show_bug.cgi?id=1371201
(cherry picked from commit 9aee7b493e3d6352c4864bf2fb4d7fe62626dc38)
(cherry picked from commit c66cbe93756f73f6465b5cb2170044c1393e4e66)
---
data/NetworkManager.service.in | 4 ++++
man/NetworkManager.conf.xml | 3 +++
2 files changed, 7 insertions(+)
diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index 95128a6..a9e8731 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -15,6 +15,10 @@ Restart=on-failure
# NM doesn't want systemd to kill its children for it
KillMode=process
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+
+# ibft settings plugin calls iscsiadm which needs CAP_SYS_ADMIN
+#CapabilityBoundingSet=CAP_SYS_ADMIN
+
ProtectSystem=true
ProtectHome=read-only
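Review bot: The commented-out `#CapabilityBoundingSet=CAP_SYS_ADMIN` line added under the new comment is a trap for an administrator who simply uncomments it: on a systemd that does not merge repeated CapabilityBoundingSet= assignments (the second patch's description cites such a bug in RHEL 7.3), a second assignment would replace the bounding set with CAP_SYS_ADMIN alone and strip CAP_NET_ADMIN and the rest, breaking the service. The comment should say how the capability is meant to be added, appended to the existing single line or via a drop-in under /etc/systemd/system/NetworkManager.service.d/, rather than presenting a second assignment. It should also flag that CAP_SYS_ADMIN is far broader than the capabilities already listed (it is close to root-equivalent), so it belongs only on hosts that actually load the ibft plugin. Suggested wording: `# The ibft settings plugin calls iscsiadm, which needs CAP_SYS_ADMIN (near root-equivalent).` / `# Add it only where ibft is used, by appending to the line above or via a drop-in; do not add a` / `# second CapabilityBoundingSet= line, since some systemd versions do not merge them.`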
diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml
index db381f0..b1e3817 100644
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@@ -1058,6 +1058,9 @@ enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
You can also explicitly specify <literal>ibft</literal> to load the
plugin without <literal>ifcfg-rh</literal> or to change the plugin order.
</para>
+ <para>
+ Note that ibft plugin uses /sbin/iscsiadm and thus requires CAP_SYS_ADMIN capability.
+ </para>
</listitem>
</varlistentry>
--
2.7.4
From 93ebdb5048048c3a1b96d88d7c78c450477b40e5 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Fri, 2 Sep 2016 15:58:42 +0200
Subject: [PATCH 2/2] service: give CAP_SYS_ADMIN for ibft/iscsiadm
(rh#1371201)
systemd on rhel-7.3 has a bug with merging CapabilityBoundingSet.
https://github.com/systemd/systemd/issues/1221
Thus all capabilities are listed on a single line.
---
data/NetworkManager.service.in | 6 +++---
man/NetworkManager.conf.5 | 2 ++
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index a9e8731..5f168ab 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -14,10 +14,10 @@ ExecStart=@sbindir@/NetworkManager --no-daemon
Restart=on-failure
# NM doesn't want systemd to kill its children for it
KillMode=process
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+#CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
-# ibft settings plugin calls iscsiadm which needs CAP_SYS_ADMIN
-#CapabilityBoundingSet=CAP_SYS_ADMIN
+# ibft settings plugin calls iscsiadm which needs CAP_SYS_ADMIN (rh#1371201)
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT CAP_SYS_ADMIN
ProtectSystem=true
ProtectHome=read-only
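Review bot: The new CapabilityBoundingSet= line grants CAP_SYS_ADMIN to NetworkManager on every host, not only where the ibft plugin is configured, and CAP_SYS_ADMIN is far broader than the other capabilities listed (it is widely treated as root-equivalent), so this widens the daemon's privilege for all deployments to serve one optional plugin. Unless ibft is loaded by default on this distribution, which the hunk does not show, a drop-in shipped or documented alongside the ibft configuration would keep the tighter bounding set everywhere else. Independently, the reason the list must stay on one line lives only in the commit message; a later cleanup that splits it would hit the same merge bug, so the in-file comment should carry it, e.g. `# Keep all capabilities on one line: this systemd does not merge repeated CapabilityBoundingSet=` / `# (https://github.com/systemd/systemd/issues/1221). CAP_SYS_ADMIN is only needed by the ibft plugin's iscsiadm calls.` The commented-out copy of the old line above it is now dead configuration and should be removed rather than left to drift out of sync with the live line.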
diff --git a/man/NetworkManager.conf.5 b/man/NetworkManager.conf.5
index 9b57053..692e5c9 100644
--- a/man/NetworkManager.conf.5
+++ b/man/NetworkManager.conf.5
@@ -920,6 +920,8 @@ ibft
to load the plugin without
ifcfg\-rh
or to change the plugin order\&.
+.sp
+Note that ibft plugin uses /sbin/iscsiadm and thus requires CAP_SYS_ADMIN capability\&.
.RE
.SH "APPENDIX"
.SS "Device List Format"
--
2.7.4