From be1042cda794ed9833a7a523f3e9b0a086144e6e Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sun, 14 Jan 2024 19:17:49 -0600 Subject: [PATCH] nut: Do not run as privileged container The only privilege NUT needs is access to the USB device nodes. Using a device CGroup rule to allow this is significantly better than disabling all restrictions. Especially since I discovered that `--privileged` implies `--security-opt label=disable`, effectively disabling SELinux confinement of the container. --- templates/nut/nut-server.container | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/nut/nut-server.container b/templates/nut/nut-server.container index c872552..30a9866 100644 --- a/templates/nut/nut-server.container +++ b/templates/nut/nut-server.container @@ -16,8 +16,8 @@ Volume=/etc/ups:/etc/ups:ro Volume=/dev:/dev:rw ReadOnly=true VolatileTmp=true -PodmanArgs=--privileged Network=host +PodmanArgs=--device-cgroup-rule 'c 189:* rw' [Service] ExecReload=podman exec systemd-%N upsd -c reload
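Review bot: Dropping `--privileged` in favour of `--device-cgroup-rule 'c 189:* rw'` still leaves `Volume=/dev:/dev:rw` in place, so the whole host `/dev` tree remains bind-mounted into the container and the cgroup rule is the only thing standing between the process and every other device node; the commit message says the only privilege NUT needs is the USB device nodes, so consider narrowing the mount to `/dev/bus/usb` (or using Quadlet's `AddDevice=` for it, if hot-plugged UPS nodes appearing after container start are not a concern, since `AddDevice=` only covers nodes present at start). Independently of that, the magic number 189 should be documented next to the new `PodmanArgs=` line (it is the kernel's USB device major for `/dev/bus/usb/*`, which is what the libusb-based NUT drivers open), otherwise the next reader has no way to tell what the rule grants. Note also that `Network=host` survives unchanged, so the container is still not network-isolated; if that is intentional for `upsd`, a comment saying so would keep the unit's remaining privileges explicit.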