On Mon, 2016-07-11 at 18:27 +0100, Philip Withnall wrote:
Setting the timezone requires unlinking and relinking
so we need /etc to be mounted read-write. This means that commit
dc8f151e has to be softened to ProtectSystem=true rather than
ProtectSystem=full. This mounts most of the filesystem as read-only,
apart from /etc, which is read-write.
Signed-off-by: Philip Withnall <philip.withnall(a)collabora.co.uk>
src/connman.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/connman.service.in b/src/connman.service.in
index 57eaaf9..d5d6d44 100644
@@ -15,7 +15,7 @@ ExecStart=@sbindir@/connmand -n
CapabilityBoundingSet=CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE
CAP_NET_RAW CAP_SYS_TIME CAP_SYS_MODULE
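Review bot: the hunk as posted contains only the @@ -15,7 +15,7 @@ header and the CapabilityBoundingSet context line; the -ProtectSystem=full / +ProtectSystem=true pair that the commit message describes is not among the visible lines, so the actual change cannot be checked from this patch. Please resend with the complete hunk. It is also worth saying in the commit message that the existing bounding set already carries CAP_SYS_TIME (visible in the context line), so the only thing the softening buys is a writable /etc, which makes the trade-off against ProtectSystem=full explicit for whoever reviews it next.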
Yes, this will fix the problem. On the other hand, there is also a
desired use case in which ConnMan has write access to as few places as
possible; for run-time information that would be /var/run/connman. In
order to keep in line with that, I suggest something similar to what was
done for resolv.conf handling. See a few commits
from 3a9ad49c8c8448875375a67913af98f74bca0ad7 onwards.
So this could be handled by copying the symlink/file from
/etc/localtime to /var/run with tmpfiles.d and creating the link to /etc
(see e.g. scripts/connman_resolvconf.conf.in).
What do you think?
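The copy-then-link pattern the reply describes, written out as a tmpfiles.d fragment. This is an added illustration, not ConnMan's scripts/connman_resolvconf.conf.in or any other file from the project; the path /run/connman/localtime is an assumed name. The point of the arrangement is that systemd-tmpfiles runs early, while /etc is still writable, so the daemon started later under ProtectSystem=full only needs write access under /run/connman:

```conf
# Added example, not a ConnMan file. Field order is tmpfiles.d's:
# Type Path Mode User Group Age Argument

# Runtime directory the daemon may write to (tmpfs, recreated each boot).
d  /run/connman           0755 root root -

# Seed the runtime copy from the persisted /etc/localtime. 'C' copies
# only when the destination does not exist yet, so it is a no-op on a
# system where something has already populated /run/connman.
C  /run/connman/localtime -    -    -    - /etc/localtime

# Point /etc/localtime at the runtime copy. 'L+' replaces whatever file
# or link is already at that path, unlike plain 'L'.
L+ /etc/localtime         -    -    -    - /run/connman/localtime
```

One thing to check before adopting this for the timezone: after the first boot, /etc/localtime is itself a symlink into /run, which is empty again on the next boot, so the C line then has a source that resolves to nothing and /etc no longer records the zone that was chosen. Unlike resolv.conf, which is regenerated from network state anyway, the timezone has to be persisted somewhere writable (for example under /var/lib) and restored from there into /run/connman/localtime at startup; that extra step is not shown in the fragment above.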