systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’.

And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
author: Guilhem Moulin <guilhem@fripost.org> 2018-12-08 01:06:06 +0100
committer: Guilhem Moulin <guilhem@fripost.org> 2018-12-09 20:25:39 +0100
commit: 6a57ea01fd48992883d6dac1b7746e79202215e4 (patch)
tree: f55ae891ecf05aa19511ce1493ae8631f60826bc /roles/munin-master/files/etc/systemd/system/munin-cgi-html.service
parent: bccbd0d4c0faf46e911284e599cc22da2c9b04d9 (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service
index 119d3a2..3c0c0e5 100644
--- a/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service
+++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service
@@ -1,22 +1,21 @@
 [Unit]
 Description=Munin CGI HTML Service
 After=network.target
 PartOf=munin.service
 Requires=munin-cgi-html.socket
 
 [Service]
 StandardInput=socket
 User=www-data
 Group=munin
 ExecStart=/usr/lib/munin/cgi/munin-cgi-html
 
 # Hardening
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
 ReadWriteDirectories=-/var/log/munin
 
 [Install]
 WantedBy=multi-user.target
author	Guilhem Moulin <guilhem@fripost.org>	2018-12-08 01:06:06 +0100
committer	Guilhem Moulin <guilhem@fripost.org>	2018-12-09 20:25:39 +0100
commit	6a57ea01fd48992883d6dac1b7746e79202215e4 (patch)
tree	f55ae891ecf05aa19511ce1493ae8631f60826bc /roles/munin-master/files/etc/systemd/system/munin-cgi-html.service
parent	bccbd0d4c0faf46e911284e599cc22da2c9b04d9 (diff)