Skip to content

[th/nm-sudo] add nm-sudo service to open unix socket for ovsdb (and drop CAP_DAC_OVERRIDE)

Thomas Haller requested to merge th/nm-sudo into main

Discussed here:

Note that SELinux prevents passing the file descriptor. If you are testing this, you need to set permissive SELinux mode.

To be clear, this patch adds large complexity only to open the ovsdb socket. But the goal here is to add a general mechanism, how we in the future can move more privileged operations out of NetworkManager and sandbox NetworkManager better.

Edited by Thomas Haller

Merge request reports