Bug 1857783

Summary: CapabilityBoundingSet=~CAP_RAWIO simply don't work
Product: [Fedora] Fedora
Reporter: Harald Reindl <h.reindl>
Component: systemd
Assignee: systemd-maint
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 31
CC: lnykryn, msekleta, ssahani, s, systemd-maint, zbyszek
Hardware: Unspecified
OS: Unspecified
Fixed In Version: systemd-246~rc2-1.fc33 systemd-245.7-1.fc32
Last Closed: 2020-07-30 18:56:33 UTC
Type: Bug

Description Harald Reindl 2020-07-16 14:53:24 UTC
systemd-243.8-1.fc31.x86_64

"cap_sys_rawio" is still part of CapabilityBoundingSet

[root@asterisk:~]$ systemd-analyze security iaxmodem.service | grep RAWIO
✗ CapabilityBoundingSet=~CAP_RAWIO  Service has raw I/O access  0.2

[root@asterisk:~]$ cat /etc/systemd/system/iaxmodem.service | grep CapabilityBoundingSet
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_SYSLOG CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE CAP_SYS_PTRACE CAP_SYS_TIME CAP_RAWIO

[root@asterisk:~]$ systemctl show iaxmodem.service | grep CapabilityBoundingSet | grep -i raw
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_rawio cap_sys_chroot cap_sys_pacct cap_sys_nice cap_sys_resource cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_wake_alarm cap_block_suspend cap_audit_read
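
A check a unit-file author could run before deploying, as an added example (not part of the original report and not systemd's code): a Python lint that compares each name in a `CapabilityBoundingSet=` value against capabilities(7), where the raw I/O capability is spelled `CAP_SYS_RAWIO`, as the `systemctl show` output above also spells it. The function names, the 38-name list (Linux 5.7 and earlier) and the skip-unknown-names behaviour are assumptions modelled on the output in this report.

```python
# Added example, not systemd code. Names from capabilities(7) up to Linux 5.7
# (38 capabilities); newer kernels add more.
KNOWN_CAPS = frozenset("""
cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill
cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner
cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct
cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time
cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control
cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm
cap_block_suspend cap_audit_read
""".split())

def parse_bounding_set(value):
    """Return (effective set, unknown names) for one CapabilityBoundingSet= value.

    Assumption, modelled on the output in this report: an unrecognised name is
    skipped and the remaining names on the line still take effect.
    """
    value = value.strip()
    invert = value.startswith("~")          # "~" means: all capabilities except these
    listed, unknown = set(), []
    for name in value.lstrip("~").split():
        cap = name.lower()
        if cap in KNOWN_CAPS:
            listed.add(cap)
        else:
            unknown.append(name)
    return (set(KNOWN_CAPS) - listed if invert else listed), unknown

def suggest(name):
    """Known capabilities whose name ends in the unknown name's trailing part."""
    tail = name.lower()
    tail = tail[4:] if tail.startswith("cap_") else tail
    return sorted(c for c in KNOWN_CAPS if c.endswith("_" + tail))

def lint(value):
    """One (unknown name, candidates, candidates still in the set) per finding."""
    effective, unknown = parse_bounding_set(value)
    return [(n, suggest(n), [c for c in suggest(n) if c in effective]) for n in unknown]

# Value copied from the unit file quoted in this report.
REPORTED = ("~CAP_NET_ADMIN CAP_SYSLOG CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE "
            "CAP_SYS_PTRACE CAP_SYS_TIME CAP_RAWIO")

if __name__ == "__main__":
    for name, candidates, kept in lint(REPORTED):
        print(f"unknown {name}; candidates {candidates}; still in bounding set: {kept}")
```

Run against the reported value, the lint flags `CAP_RAWIO` as unknown and shows that `cap_sys_rawio` remains in the resulting set, matching the `systemctl show` output above.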

Comment 1 Harald Reindl 2020-07-16 14:54:02 UTC
https://github.com/systemd/systemd/issues/16489

Comment 2 Zbigniew Jędrzejewski-Szmek 2020-07-24 08:18:47 UTC
Built in rawhide.

Comment 3 Fedora Update System 2020-07-27 09:52:26 UTC
FEDORA-2020-2faf839786 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-2faf839786

Comment 4 Fedora Update System 2020-07-28 15:19:40 UTC
FEDORA-2020-2faf839786 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-2faf839786`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-2faf839786

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2020-07-30 18:56:33 UTC
FEDORA-2020-2faf839786 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.