authorThomas Haller <thaller@redhat.com>2022-03-18 13:42:28 +0100
committerThomas Haller <thaller@redhat.com>2022-03-18 17:54:26 +0100
commit7a9c205bbef0fba1d1dfe19aec034a3cc0d67462 (patch)
treedb8f45e417f45dc83d82d3a7bbdb940a4eb47d62
parentb3192d2d46fac196c6eb91af0764f7a3b652b697 (diff)
service: don't give CAP_DAC_OVERRIDE capability to NetworkManager (2)th/dac-override-disable
TEST-ONLY: check what breaks in NM-CI when doing this. This reverts commit 4d66d6c7a195 ('Revert "service: don't give CAP_DAC_OVERRIDE capability to NetworkManager"')
-rw-r--r--data/NetworkManager.service.in3
1 files changed, 1 insertions, 2 deletions
diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index e23b3a5282..1646679c5d 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -15,8 +15,7 @@ Restart=on-failure
# NM doesn't want systemd to kill its children for it
KillMode=process
-# CAP_DAC_OVERRIDE: required to open /run/openvswitch/db.sock socket.
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
ProtectSystem=true
ProtectHome=read-only
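Review bot: The new CapabilityBoundingSet line drops CAP_DAC_OVERRIDE but also drops the only comment recording why it was granted, so the dependency the removed comment names — opening `/run/openvswitch/db.sock` — is no longer visible to anyone reading the new unit file. Since NetworkManager runs as uid 0, losing CAP_DAC_OVERRIDE presumably only matters for paths not owned by root and not otherwise reachable, which is likely exactly that socket; how that access is now satisfied (socket owner/group/mode on the OVS side, or a `SupplementaryGroups=` entry here) should be stated rather than left implicit. I would keep a comment above the new line, e.g. `# CAP_DAC_OVERRIDE deliberately not granted: access to /run/openvswitch/db.sock must come from the socket's own owner/group/mode (or SupplementaryGroups=), not from bypassing DAC checks.` Given the commit is marked TEST-ONLY, such a comment also tells anyone cherry-picking the change that the capability was removed on purpose and what to verify.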