25187255f5
disable unsupported sandbox options and add /run to ReadWritePaths to exclude /run directory from being made read-only on rhel8 Related: #2159697
28 lines
861 B
Diff
28 lines
861 B
Diff
diff -up opencryptoki-3.21.0/misc/pkcsslotd.service.in.me opencryptoki-3.21.0/misc/pkcsslotd.service.in
|
|
--- opencryptoki-3.21.0/misc/pkcsslotd.service.in.me 2023-05-16 20:50:08.128841932 +0200
|
|
+++ opencryptoki-3.21.0/misc/pkcsslotd.service.in 2023-05-16 21:19:35.208570589 +0200
|
|
@@ -22,17 +22,17 @@ PrivateUsers=no
|
|
PrivateNetwork=no
|
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
|
IPAddressDeny=any
|
|
-ProtectClock=yes
|
|
+#ProtectClock=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectKernelModules=yes
|
|
-ProtectKernelLogs=yes
|
|
+#ProtectKernelLogs=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHome=yes
|
|
-ProtectHostname=yes
|
|
-ProtectProc=default
|
|
+#ProtectHostname=yes
|
|
+#ProtectProc=default
|
|
ProtectSystem=strict
|
|
-ReadWritePaths=@localstatedir@
|
|
-ProcSubset=all
|
|
+ReadWritePaths=@localstatedir@ /run
|
|
+#ProcSubset=all
|
|
MemoryDenyWriteExecute=yes
|
|
RestrictRealtime=yes
|
|
RestrictNamespaces=yes
|