From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon, 4 Oct 2021 08:54:40 +0000 (+0200)
Subject: examples: improve chronyd service
X-Git-Tag: 4.2-pre1~44
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76a905d652cafccfac1023f74d12ffa7facc4832;p=thirdparty%2Fchrony.git

examples: improve chronyd service

Allow writing logfiles (enabled by logdir or -l option) to /var/log and
don't require /var/spool to exist.
---

diff --git a/examples/chronyd.service b/examples/chronyd.service
index 2cac6026..4fb930ef 100644
--- a/examples/chronyd.service
+++ b/examples/chronyd.service
@@ -33,7 +33,7 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectProc=invisible
 ProtectSystem=strict
-ReadWritePaths=/run /var/lib/chrony
+ReadWritePaths=/run /var/lib/chrony -/var/log
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=yes
 RestrictSUIDSGID=yes
@@ -42,7 +42,7 @@ SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot
 
 # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
 NoNewPrivileges=no
-ReadWritePaths=/var/spool
+ReadWritePaths=-/var/spool
 RestrictAddressFamilies=AF_NETLINK
 
 [Install]