
[th/nm-sudo] add nm-sudo service to open unix socket for ovsdb (and drop CAP_DAC_OVERRIDE)

Thomas Haller requested to merge th/nm-sudo into main

Discussed here: https://bugzilla.redhat.com/show_bug.cgi?id=1921826

Note that SELinux prevents passing the file descriptor. If you are testing this, you need to set permissive SELinux mode.

To be clear, this patch adds a lot of complexity only to open the ovsdb socket. But the goal here is to add a general mechanism by which we can, in the future, move more privileged operations out of NetworkManager and sandbox NetworkManager better.

Edited by Thomas Haller
