| The systemd bluetooth service failed to start because the /var/lib/bluetooth |
| path of ReadWritePaths= is created by the bluetooth daemon itself. |
| |
| The commit systemd: Add more filesystem lockdown (442d211) add ReadWritePaths=/etc/bluetooth |
| and ReadOnlyPaths=/var/lib/bluetooth options to the bluetooth systemd service. |
| The existing ProtectSystem=full option mounts the /usr, the boot loader |
| directories and /etc read-only. This means the two option are useless and could be removed. |
| |
| Upstream-Status: Submitted [https://github.com/bluez/bluez/issues/329] |
| |
| Index: bluez-5.64/src/bluetooth.service.in |
| =================================================================== |
| --- bluez-5.64.orig/src/bluetooth.service.in |
| +++ bluez-5.64/src/bluetooth.service.in |
| @@ -15,12 +15,12 @@ LimitNPROC=1 |
| |
| # Filesystem lockdown |
| ProtectHome=true |
| -ProtectSystem=full |
| +ProtectSystem=strict |
| PrivateTmp=true |
| ProtectKernelTunables=true |
| ProtectControlGroups=true |
| -ReadWritePaths=@statedir@ |
| -ReadOnlyPaths=@confdir@ |
| +ConfigurationDirectory=bluetooth |
| +StateDirectory=bluetooth |
| |
| # Execute Mappings |
| MemoryDenyWriteExecute=true |