From 11d951574212fdf9c7a96f8790f7fe1c38591edc Mon Sep 17 00:00:00 2001
From: yixiangzhike
Date: Tue, 25 Feb 2025 21:19:58 +0800
Subject: [PATCH] Revert "Remove the NoNewPrivileges because it breaks the ability to open socket"

Selinux-policy has allowed init_t nnp domain transition to gssproxy_t in the commit 95d5f5e. Now it is ok to enable NoNewPrivileges for gssproxy.service.

Signed-off-by: yixiangzhike
---
 systemd/gssproxy.service.in | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in
index 8ed66fc07..9b8c45a2e 100644
--- a/systemd/gssproxy.service.in
+++ b/systemd/gssproxy.service.in
@@ -54,10 +54,7 @@ PrivateMounts=yes
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
-# NoNewPrivileges=yes
-# NoNewPrivileges: If it is true, it breaks the ability
-# to open a socket under /var/lib/gssproxy when selinux enabled.
-# So it is commented out here.
+NoNewPrivileges=yes
 CapabilityBoundingSet=CAP_DAC_OVERRIDE
 IPAddressDeny=any
 UMask=0177
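Review bot: The re-enabled `NoNewPrivileges=yes` now depends silently on the installed SELinux policy, because the hunk removes the only comment that explained the interaction and adds none in its place. Per the commit message the directive works only once selinux-policy permits the init_t to gssproxy_t nnp domain transition (commit 95d5f5e). On a host with an older policy, the failure the removed comment described (no socket under /var/lib/gssproxy) would presumably return. I would keep a one-line comment above the directive, e.g. `# Requires an SELinux policy that allows the init_t -> gssproxy_t nnp domain transition.`, and have packaging require a selinux-policy build containing that change. The rest of the unit file lies outside the hunk, so other directives that interact with this one are not visible here.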