man: document that StateDirectory= trumps ProtectSystem=strict explicitly

author Lennart Poettering <lennart@poettering.net>

Mon, 22 Apr 2024 09:48:20 +0000 (11:48 +0200)

committer Lennart Poettering <lennart@poettering.net>

Mon, 22 Apr 2024 13:16:54 +0000 (15:16 +0200)
author Lennart Poettering <lennart@poettering.net>
Mon, 22 Apr 2024 09:48:20 +0000 (11:48 +0200)
committer Lennart Poettering <lennart@poettering.net>
Mon, 22 Apr 2024 13:16:54 +0000 (15:16 +0200)
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml

index 7e49d8e267fc9c5ba6518854e473f5af4a9f0fa1..c11c7db706f1cefbafc2aea9ce4472d262c1e85d 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1396,14 +1396,16 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
          mounted read-only, except for the API file system subtrees <filename>/dev/</filename>,
          <filename>/proc/</filename> and <filename>/sys/</filename> (protect these directories using
          <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
-        <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied
-        operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is
-        recommended to enable this setting for all long-running services, unless they are involved with system updates
-        or need to modify the operating system in other ways. If this option is used,
-        <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being made read-only. This
-        setting is implied if <varname>DynamicUser=</varname> is set. This setting cannot ensure protection in all
-        cases. In general it has the same limitations as <varname>ReadOnlyPaths=</varname>, see below. Defaults to
-        off.</para>
+        <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the
+        vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited
+        for the service. It is recommended to enable this setting for all long-running services, unless they
+        are involved with system updates or need to modify the operating system in other ways. If this option
+        is used, <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being
+        made read-only. Similar, <varname>StateDirectory=</varname>, <varname>LogsDirectory=</varname>, … and
+        related directory settings (see below) also exclude the specific directories from the effect of
+        <varname>ProtectSystem=</varname>. This setting is implied if <varname>DynamicUser=</varname> is
+        set. This setting cannot ensure protection in all cases. In general it has the same limitations as
+        <varname>ReadOnlyPaths=</varname>, see below. Defaults to off.</para>
  
          <xi:include href="version-info.xml" xpointer="v214"/></listitem>
        </varlistentry>
author	Lennart Poettering <lennart@poettering.net>
	Mon, 22 Apr 2024 09:48:20 +0000 (11:48 +0200)
committer	Lennart Poettering <lennart@poettering.net>
	Mon, 22 Apr 2024 13:16:54 +0000 (15:16 +0200)