fix hardened chronyd service to allow writing log files

chrony-services.patch

@@ -118,3 +118,34 @@ index 72b028f2..57646950 100644
  IPAddressAllow=localhost
  IPAddressDeny=any
  LockPersonality=yes
+commit 76a905d652cafccfac1023f74d12ffa7facc4832
+Author: Miroslav Lichvar <mlichvar@redhat.com>
+Date:   Mon Oct 4 10:54:40 2021 +0200
+
+    examples: improve chronyd service
+    
+    Allow writing logfiles (enabled by logdir or -l option) to /var/log and
+    don't require /var/spool to exist.
+
+diff --git a/examples/chronyd.service b/examples/chronyd.service
+index 2cac6026..4fb930ef 100644
+--- a/examples/chronyd.service
++++ b/examples/chronyd.service
+@@ -33,7 +33,7 @@ ProtectKernelModules=yes
+ ProtectKernelTunables=yes
+ ProtectProc=invisible
+ ProtectSystem=strict
+-ReadWritePaths=/run /var/lib/chrony
++ReadWritePaths=/run /var/lib/chrony -/var/log
+ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+ RestrictNamespaces=yes
+ RestrictSUIDSGID=yes
+@@ -42,7 +42,7 @@ SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot
+ 
+ # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
+ NoNewPrivileges=no
+-ReadWritePaths=/var/spool
++ReadWritePaths=-/var/spool
+ RestrictAddressFamilies=AF_NETLINK
+ 
+ [Install]

chrony.spec

@@ -72,7 +72,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$')
         6a3178c4670de7de393d9365e2793740  examples/chrony.logrotate
         a7054c9352c07384bd7ea0477e6e8a8c  examples/chrony.nm-dispatcher.dhcp
         8f5a98fcb400a482d355b929d04b5518  examples/chrony.nm-dispatcher.onoffline
-        76c8a32a5ac6692a7f15f65e2b5f3239  examples/chronyd.service
+        677ad16d6439daa369da44a1b75d1772  examples/chronyd.service
 EOF
 
 # don't allow packaging without vendor zone