From 17af5e199f09daadc66ca86d20a6e4061ca7153f Mon Sep 17 00:00:00 2001
From: Paul Menzel
Date: Tue, 27 Apr 2021 16:17:19 +0200
Subject: [PATCH] unbound.service: Use `RuntimeDirectory=@UNBOUND_RUN_DIR@`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

That’s semantically more correct than putting it in `ReadWritePaths`. It normally maps to `/run` and is cleared when the service is stopped.
---
 contrib/unbound.service.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index d8a2a45b4..9cda6c2bb 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -63,7 +63,7 @@ ProtectHome=true
 ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectSystem=strict
-RuntimeDirectory=unbound
+RuntimeDirectory=@UNBOUND_RUN_DIR@
 ConfigurationDirectory=unbound
 StateDirectory=unbound
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
@@ -73,7 +73,7 @@ SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete
 RestrictNamespaces=yes
 LockPersonality=yes
 RestrictSUIDSGID=yes
-ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@ @UNBOUND_ROOTKEY_FILE@
+ReadWritePaths=@UNBOUND_CHROOT_DIR@ @UNBOUND_ROOTKEY_FILE@
 # Below rules are needed when chroot is enabled (usually it's enabled by default).
 # If chroot is disabled like chroot: "" then they may be safely removed.
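Review bot: `RuntimeDirectory=` takes only directory names relative to `/run`, so the new `RuntimeDirectory=@UNBOUND_RUN_DIR@` in the first hunk will be refused by systemd whenever configure substitutes an absolute path, which the placeholder's earlier use in `ReadWritePaths=` suggests it does. The second hunk also removes `@UNBOUND_RUN_DIR@` from `ReadWritePaths=` while `ProtectSystem=strict` is in force, so in that case the run directory would become read-only for the daemon and anything unbound writes there would fail at start-up. Keeping `RuntimeDirectory=unbound` together with `ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@ @UNBOUND_ROOTKEY_FILE@` preserves the sandbox without that failure mode. If the switch is kept, a comment such as `# RuntimeDirectory= is relative to /run and is removed when the service stops` above the directive would document the constraint on the substituted value. Both hunks cut into the unit's service settings, which continue outside the diff.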