From 28a99b8b66ed8874502f528bb44289254c05267c Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert@fedoraproject.org>
Date: Mon, 15 May 2023 21:54:37 +0200
Subject: [PATCH] Drop systemd.unit options unsupported in systemd-239-68.el8_7.4
---
units/systemd-networkd.service.in | 8 ++------
units/systemd-timesyncd.service.in | 4 ----
2 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index d8b935a..a123f98 100644
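--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -20,23 +20,19 @@ Wants=systemd-networkd.socket network.target
 
 [Service]
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
-BusName=org.freedesktop.network1
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
 DeviceAllow=char-* rw
 ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-networkd
+ExecReload=networkctl reload
 FileDescriptorStoreMax=512
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
-ProtectProc=invisible
-ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
-ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectSystem=strict
 Restart=on-failure
-RestartKillSignal=SIGUSR2
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
 RestrictNamespaces=yes
@@ -47,7 +43,7 @@ RuntimeDirectoryPreserve=yes
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service
-Type=notify-reload
+Type=notify
 User=systemd-network
 {{SERVICE_WATCHDOG}}
 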
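Review bot: The first hunk removes `ProtectProc=invisible`, `ProtectClock=yes` and `ProtectKernelLogs=yes` and leaves nothing in the unit to show that this build is less confined than upstream or when the lines should return; the second systemd-timesyncd.service.in hunk does the same for `ProtectProc=`, `ProtectHostname=` and `ProtectKernelLogs=`. I would put a marker where the lines were, for example `# ProtectProc=, ProtectClock=, ProtectKernelLogs= dropped: unsupported by systemd 239 (EL8); restore once the base systemd handles them`. For networkd the capability side is still covered by the visible `CapabilityBoundingSet=`, which lists neither CAP_SYSLOG nor CAP_SYS_TIME, but the /dev/kmsg and /proc-visibility restrictions have no replacement while `DeviceAllow=char-* rw` stays. `InaccessiblePaths=-/dev/kmsg` may be able to stand in for the device part of `ProtectKernelLogs=`, provided the target manager accepts it, which I have not checked. The `[Service]` section continues outside both hunks, so other settings there may already narrow this.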
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index c606461..5ae8dc5 100644
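--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -20,7 +20,6 @@ Wants=time-set.target
 
 [Service]
 AmbientCapabilities=CAP_SYS_TIME
-BusName=org.freedesktop.timesync1
 CapabilityBoundingSet=CAP_SYS_TIME
 # Turn off DNSSEC validation for hostname look-ups, since those need the
 # correct time to work, but we likely won't acquire that without NTP. Let's
@@ -32,11 +31,8 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
-ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
-ProtectHostname=yes
-ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict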
--
2.31.1