Hello,
I have no problems using this with Debian testing:
# /etc/systemd/system/systemd-journald.service.d/override.conf
[Service]
CapabilityBoundingSet=~CAP_MAC_OVERRIDE CAP_SYS_PTRACE
InaccessiblePaths=-/dev/pts -/dev/shm -/dev/mqueue -/dev/hugepages -/setuid -/boot -/tmp -/var/tmp -/bin
Looking at the current security issues and how it triggers the
troll-army I wonder why systemd-journald.service is not restricted from
at least write to /usr and /root at least on Fedora 28 (that it's not
vulnerable because of compiler hardening is just luck)
[root@testserver:~]$ cat