From 76a905d652cafccfac1023f74d12ffa7facc4832 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Mon, 4 Oct 2021 10:54:40 +0200
Subject: [PATCH] examples: improve chronyd service

Allow writing logfiles (enabled by logdir or -l option) to /var/log and don't require /var/spool to exist.
---
 examples/chronyd.service | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/chronyd.service b/examples/chronyd.service
index 2cac602..4fb930e 100644
--- a/examples/chronyd.service
+++ b/examples/chronyd.service
@@ -33,7 +33,7 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectProc=invisible
 ProtectSystem=strict
-ReadWritePaths=/run /var/lib/chrony
+ReadWritePaths=/run /var/lib/chrony -/var/log
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=yes
 RestrictSUIDSGID=yes
@@ -42,7 +42,7 @@ SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot
 # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
 NoNewPrivileges=no
-ReadWritePaths=/var/spool
+ReadWritePaths=-/var/spool
 RestrictAddressFamilies=AF_NETLINK
 [Install]
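Review bot: The new `-/var/log` entry on the first ReadWritePaths line makes the whole log tree writable inside the ProtectSystem=strict sandbox, which is wider than the chrony log files the commit message describes. File permissions still apply, but a compromised chronyd could alter any other log it has write permission on. Where only logdir is used, a narrower entry such as `ReadWritePaths=/run /var/lib/chrony -/var/log/chrony` would limit the exposure to chrony's own directory (path assumed; match the configured logdir). A comment such as `# -/var/log is needed only for logdir or the -l option; narrow it to the actual log path` would tell packagers what they can trim.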
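Review bot: The `-` prefix on `ReadWritePaths=-/var/spool` in the second hunk makes systemd skip the path silently when it is absent. On a host whose mail queue lives elsewhere, mailonchange delivery would then presumably fail on a read-only filesystem with nothing in the unit to explain it. I would extend the existing sendmail comment to say so, for example `# The leading '-' ignores a missing path; remove these three overrides if mailonchange is unused`. The enclosing [Service] section starts outside the hunk, so I cannot see what NoNewPrivileges was set to before this override.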