From 0e748d372ab6e22123e693ba2e167af5b90df133 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Tue, 16 Sep 2025 11:12:37 +0200
Subject: [PATCH] infra/image/shdefaults: Add capability SYS_ADMIN for systemd
 258

Fedora 43 and 44 switched to systemd 258 rc4. The dbus-broker service
of systemd 258 does not start any more without enabling the capability
SYS_ADMIN.

The capabilities AUDIT_WRITE, SETUID and SETGID should be enough, but
they are not sufficient to be able to start the service.

With final systemd 258 it should be tested if the capability can be
removed again.
---
 infra/image/shdefaults | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/infra/image/shdefaults b/infra/image/shdefaults
index b5768cca..b2983f4f 100644
--- a/infra/image/shdefaults
+++ b/infra/image/shdefaults
@@ -6,4 +6,6 @@
 CAP_DEFAULTS=(
     "+DAC_READ_SEARCH"  # Required for SSSD
     "+SYS_PTRACE"       # Required for debugging
+    "+SYS_ADMIN"        # Required to make dbus-brokder for systemd 258 work
+                        # Should be "+AUDIT_WRITE", "+SETUID", "+SETGID"
 )