diff --git a/phc2sys.service b/phc2sys.service
index ff2f77e..eadc258 100644
--- a/phc2sys.service
+++ b/phc2sys.service
@@ -7,5 +7,30 @@ Type=simple
 EnvironmentFile=-/etc/sysconfig/phc2sys
 ExecStart=/usr/sbin/phc2sys $OPTIONS
+CapabilityBoundingSet=CAP_SYS_TIME
+DeviceAllow=char-pps rw
+DeviceAllow=char-ptp rw
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+# This does not work with selinux
+#NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/run
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io
+SystemCallFilter=~@reboot @resources @swap
+
 [Install]
 WantedBy=multi-user.target
diff --git a/ptp4l.service b/ptp4l.service
index fbb26d1..5b08e3d 100644
--- a/ptp4l.service
+++ b/ptp4l.service
@@ -8,5 +8,31 @@ Type=simple
 EnvironmentFile=-/etc/sysconfig/ptp4l
 ExecStart=/usr/sbin/ptp4l $OPTIONS
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_TIME
+DeviceAllow=char-pps rw
+DeviceAllow=char-ptp rw
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+# This does not work with selinux
+#NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/run
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io
+SystemCallFilter=~@reboot @resources @swap
+
 [Install]
 WantedBy=multi-user.target
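Review bot: `RestrictAddressFamilies=AF_UNIX` is the line I would exercise before merging: when phc2sys is given an interface name (`-s eth0`) instead of a `/dev/ptp*` path it locates the PHC through an ethtool ioctl, and as far as I recall the socket that ioctl is issued on is an AF_INET datagram socket, which this setting would refuse with EAFNOSUPPORT — if that holds, the list needs `AF_INET` as in the ptp4l hunk, plus a comment saying why. The `# This does not work with selinux` comment above `#NoNewPrivileges=yes` should say what breaks: for a service started by the system manager the seccomp-based options here do not set no_new_privs on their own, so the flag is simply absent, and the SELinux problem is that the domain transition on exec is blocked under nnp unless the policy allows it; I would write `# NoNewPrivileges=yes blocks the SELinux domain transition on exec unless the policy allows nnp transitions; re-enable once it does`. That comment point applies equally to the ptp4l hunk. `ReadWritePaths=/run` exposes all of /run for writing where the daemon only needs ptp4l's UDS and its own per-pid client socket under /var/run; it cannot be narrowed without changing the default socket paths, so a one-line comment naming those paths would keep a later reader from tightening it blindly.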
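Review bot: The second `+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_TIME` line keeps CAP_SYS_ADMIN, which by itself is close to unrestricted root and takes back most of what the bounding set gives, yet nothing says which operation needs it. Please name it so the next reader can check whether a narrower capability now covers it, e.g. `# CAP_SYS_ADMIN: needed for <operation>; TODO confirm still required`. The other four are the expected set (CAP_NET_RAW for the packet sockets, CAP_NET_ADMIN for enabling hardware timestamping, CAP_NET_BIND_SERVICE for the PTP ports, CAP_SYS_TIME for adjusting the system clock), and splitting the setting over two lines is fine since systemd ORs repeated allow-list lines. No `User=` appears in the hunk, so the bounding set and DevicePolicy are the effective limits on this root process, which is why the CAP_SYS_ADMIN justification matters.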
diff --git a/timemaster.service b/timemaster.service
index a6bda33..5b722fc 100644
--- a/timemaster.service
+++ b/timemaster.service
@@ -7,6 +7,34 @@ Wants=network-online.target
 [Service]
 Type=simple
 ExecStart=/usr/sbin/timemaster -f /etc/timemaster.conf
+RuntimeDirectory=timemaster
+
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+DeviceAllow=char-pps rw
+DeviceAllow=char-ptp rw
+DeviceAllow=char-rtc rw
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/run/timemaster /var/lib/chrony -/var/log -/var/spool
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
 [Install]
 WantedBy=multi-user.target
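Review bot: The capability block (`+CapabilityBoundingSet=~CAP_AUDIT_CONTROL …` through `… CAP_WAKE_ALARM`) is a deny-list, unlike the allow-lists in the phc2sys and ptp4l hunks, and the `SystemCallFilter` line here leaves `@resources` unfiltered; both deviations are presumably because timemaster's children (chronyd or ntpd plus the ptp4l/phc2sys instances it starts) inherit the sandbox and need to drop privileges or lock memory, but the hunk does not say so. A comment such as `# deny-list rather than allow-list: the NTP daemon started by timemaster must keep e.g. CAP_SETUID/CAP_SETGID to drop privileges; @resources is not filtered for the same reason (mlockall/sched_setscheduler)` — confirm against the child daemons' options — would keep someone from later "aligning" this unit with the other two. `ReadWritePaths=/run/timemaster /var/lib/chrony -/var/log -/var/spool` assumes the chronyd child keeps its driftfile under /var/lib/chrony; if timemaster.conf points it elsewhere, `ProtectSystem=strict` turns those writes into EROFS failures, which is worth a sentence in the same comment.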