X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Frsync%2Ftemplates%2Fsystemd-rsyncd.service.erb;h=5ecc685a753d7486b6d2f25d64d91253eb4c8f3f;hb=77803c6bdbdc2c29b9a268c34de4ea29518442ef;hp=7a5b8284093415520101f45fd6fb48fb57d69482;hpb=9c6dc45af0df40ff4b1637fee9add35bb2599504;p=mirror%2Fdsa-puppet.git

diff --git a/modules/rsync/templates/systemd-rsyncd.service.erb b/modules/rsync/templates/systemd-rsyncd.service.erb
index 7a5b82840..5ecc685a7 100644
--- a/modules/rsync/templates/systemd-rsyncd.service.erb
+++ b/modules/rsync/templates/systemd-rsyncd.service.erb
@@ -5,8 +5,8 @@ Description=rsync daemon <%= @name %>
 ExecStart=-/usr/bin/rsync --daemon --config=<%= @fname_real_rsync %>
 StandardInput=socket
 StandardError=journal
-CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID
+CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID CAP_DAC_READ_SEARCH
 PrivateDevices=true
 PrivateNetwork=true
-ProtectHome=true
+ProtectHome=read-only
 ProtectSystem=full