From ecbf3a6d2af0b738e683cf0840898a7dc53dd8e5 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Mon, 6 Feb 2017 23:04:41 +0100
Subject: [PATCH] Add CAP_DAC_READ_SEARCH to CapabilityBoundingSet for rsync

---
 modules/rsync/templates/systemd-rsyncd.service.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/rsync/templates/systemd-rsyncd.service.erb b/modules/rsync/templates/systemd-rsyncd.service.erb
index 2a21d6508..5ecc685a7 100644
--- a/modules/rsync/templates/systemd-rsyncd.service.erb
+++ b/modules/rsync/templates/systemd-rsyncd.service.erb
@@ -5,7 +5,7 @@ Description=rsync daemon <%= @name %>
 ExecStart=-/usr/bin/rsync --daemon --config=<%= @fname_real_rsync %>
 StandardInput=socket
 StandardError=journal
-CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID
+CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID CAP_DAC_READ_SEARCH
 PrivateDevices=true
 PrivateNetwork=true
 ProtectHome=read-only
-- 
2.20.1
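Review bot: The CAP_DAC_READ_SEARCH added to the `CapabilityBoundingSet=` line is a broad grant with no stated reason. A process holding it bypasses file read permission checks and directory read/search checks, so a module served while rsync still runs as root can read files that mode bits would otherwise deny. A comment above the line would record the intent, for example `# CAP_DAC_READ_SEARCH: some modules serve trees the daemon could not otherwise read; keep module paths narrow` (the actual reason is not visible here and should come from the author). `ProtectHome=read-only` leaves home directories readable, so it does not offset this capability. The unit continues outside the hunk, so it is worth confirming that the filesystem view is narrowed elsewhere, for instance with `ProtectSystem=` or per-module `use chroot` and a non-root `uid` in the rsyncd config.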