core: add new ReadOnlySystem= and ProtectedHome= settings for service units

[elogind.git] / units / systemd-journald.service.in

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 3899745306c44de278f523ba29f141a161f8a118..ba3f847201a2b058ead029c582840ed7f7f0adc7 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -9,16 +9,20 @@
 Description=Journal Service
 Documentation=man:systemd-journald.service(8) man:journald.conf(5)
 DefaultDependencies=no
-Wants=systemd-journal-flush.service
 Requires=systemd-journald.socket
 After=systemd-journald.socket syslog.socket
+Before=sysinit.target
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-journald
 Restart=always
+RestartSec=0
 NotifyAccess=all
 StandardOutput=null
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
+ReadOnlySystem=yes
+ProtectedHome=yes
+WatchdogSec=1min
 
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service.