examples: improve chronyd service

author Miroslav Lichvar <mlichvar@redhat.com>

Mon, 4 Oct 2021 08:54:40 +0000 (10:54 +0200)

committer Miroslav Lichvar <mlichvar@redhat.com>

Mon, 4 Oct 2021 08:54:40 +0000 (10:54 +0200)
author Miroslav Lichvar <mlichvar@redhat.com>
Mon, 4 Oct 2021 08:54:40 +0000 (10:54 +0200)
committer Miroslav Lichvar <mlichvar@redhat.com>
Mon, 4 Oct 2021 08:54:40 +0000 (10:54 +0200)
diff --git a/examples/chronyd.service b/examples/chronyd.service

index 2cac602675a4b899ad27cd7a35be0d09d7c9521e..4fb930efd96a5fe8589d2b7d9104231ff7dd5c03 100644 (file)
--- a/examples/chronyd.service
+++ b/examples/chronyd.service
@@ -33,7 +33,7 @@ ProtectKernelModules=yes
  ProtectKernelTunables=yes
  ProtectProc=invisible
  ProtectSystem=strict
-ReadWritePaths=/run /var/lib/chrony
+ReadWritePaths=/run /var/lib/chrony -/var/log
  RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
  RestrictNamespaces=yes
  RestrictSUIDSGID=yes
@@ -42,7 +42,7 @@ SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot
  
  # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
  NoNewPrivileges=no
-ReadWritePaths=/var/spool
+ReadWritePaths=-/var/spool
  RestrictAddressFamilies=AF_NETLINK
  
  [Install]
author	Miroslav Lichvar <mlichvar@redhat.com>
	Mon, 4 Oct 2021 08:54:40 +0000 (10:54 +0200)
committer	Miroslav Lichvar <mlichvar@redhat.com>
	Mon, 4 Oct 2021 08:54:40 +0000 (10:54 +0200)