Diffstat (limited to 'roles/common/files/etc/systemd/system')
-rw-r--r--roles/common/files/etc/systemd/system/bacula-fd.service3
-rw-r--r--roles/common/files/etc/systemd/system/stunnel4@.service3
2 files changed, 2 insertions, 4 deletions
diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service
index ee5afe3..68934f1 100644
--- a/roles/common/files/etc/systemd/system/bacula-fd.service
+++ b/roles/common/files/etc/systemd/system/bacula-fd.service
@@ -1,22 +1,21 @@
[Unit]
Description=Bacula File Daemon service
After=network.target
[Service]
Type=forking
PIDFile=/var/run/bacula/bacula-fd.9102.pid
StandardOutput=syslog
ExecStart=/usr/sbin/bacula-fd -c /etc/bacula/bacula-fd.conf
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
ProtectHome=read-only
-ProtectSystem=full
+ProtectSystem=strict
PrivateTmp=yes
-ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib
ReadWriteDirectories=-/var/run/bacula
[Install]
WantedBy=multi-user.target
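Review bot: With `ReadOnlyDirectories=/` removed, the read-only root of this unit depends entirely on the host's systemd accepting `ProtectSystem=strict`. A release that predates the `strict` value (it was added in systemd 232, as far as I recall) logs a parse warning and ignores the line, which would leave the service with no `ProtectSystem=` at all. The stunnel4@.service hunk has the same dependency. I would state the requirement under `# Hardening`, e.g. `# ProtectSystem=strict requires systemd >= 232; older hosts ignore the line`, and confirm every host receiving this file meets it. Separately, under strict the `ReadWriteDirectories=` entries are the whole write surface, so `ReadWriteDirectories=-/var/lib` looks broader than a file daemon's working directory needs; whether restores must write elsewhere under /var/lib is not visible here.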
diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service
index e53d29e..d634e50 100644
--- a/roles/common/files/etc/systemd/system/stunnel4@.service
+++ b/roles/common/files/etc/systemd/system/stunnel4@.service
@@ -1,23 +1,22 @@
[Unit]
Description=SSL tunnel for network daemons (instance %i)
After=network.target nss-lookup.target
PartOf=stunnel4.service
ReloadPropagatedFrom=stunnel4.service
[Service]
ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutStartSec=120
TimeoutStopSec=60
Restart=on-failure
# Hardening
NoNewPrivileges=yes
PrivateDevices=yes
ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
[Install]
WantedBy=multi-user.target
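Review bot: `ProtectSystem=strict` is set here without any `ReadWritePaths=`/`ReadWriteDirectories=` entry, so every instance runs with the whole hierarchy read-only apart from /dev, /proc and /sys, and without `PrivateTmp=` that includes /tmp. This matches what `ReadOnlyDirectories=/` enforced before, but it is an undocumented contract on `/etc/stunnel/%i.conf`: an instance config that sets a `pid` file or an `output` log file would fail to start. The instance configs are not part of this diff, so I would record the constraint next to the directive, e.g. `# No writable paths: instance configs must use foreground mode and log to syslog/stderr (no pid/output files)`.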