# systemd service unit: one-shot sync of the Samba AD sysvol share via
# /usr/local/sbin/sysvolsync. No User= is set, so the job runs as root and
# relies on the capability bounding set, the read-only filesystem view and
# the syscall filter below to limit what that root process can do.
# Full-line comments only; systemd ignores no inline comments on value lines.

[Unit]
Description=Sync Samba AD sysvol
# Do not start until a network is configured (the sync presumably talks to a
# peer DC, likely over ssh given the ssh client config exposed below — confirm).
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/sysvolsync
# %N is the unit name without the .service suffix; systemd creates and owns
# /var/cache/%N and /run/%N for this service.
CacheDirectory=%N
RuntimeDirectory=%N
# Everything not listed here is read-only because of ProtectSystem=strict.
# %t/%N and %C/%N are the runtime/cache dirs above (presumably already writable
# by virtue of RuntimeDirectory=/CacheDirectory= — harmless if redundant);
# /var/lib/samba holds the sysvol tree being written.
ReadWritePaths=%t/%N %C/%N /var/lib/samba
# Mask /etc/ssh with an empty tmpfs so the host's private host keys are not
# visible to the service, then bind back only the ssh *client* configuration.
# NOTE(review): the tmpfs is writable unless ":ro" is appended
# (TemporaryFileSystem=/etc/ssh:ro) — confirm whether write access is needed.
# ProtectHome=yes below also hides /root/.ssh, so any IdentityFile /
# UserKnownHostsFile the client needs must be set in ssh_config.d — confirm.
TemporaryFileSystem=/etc/ssh
BindReadOnlyPaths=/etc/ssh/ssh_config /etc/ssh/ssh_config.d
# Doesn't work: SELinux AVC denial when starting unit
#InaccessiblePaths=/etc/shadow
# Capabilities retained by the root process. CAP_CHOWN / CAP_FOWNER /
# CAP_DAC_OVERRIDE cover re-owning and re-permissioning files in sysvol.
# CAP_SYS_ADMIN is very broad — presumably needed to write security.* xattrs
# (where Samba keeps NT ACLs); TODO confirm and narrow if it is not.
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_SYS_ADMIN CAP_FOWNER
# No device access: empty allow list, closed default policy, private /dev.
DeviceAllow=
DevicePolicy=closed
PrivateDevices=yes
# Standard systemd.exec(5) sandboxing, kept alphabetical.
# MemoryDenyWriteExecute= assumes sysvolsync and the programs it runs need no
# writable+executable mappings (no JIT) — confirm if an interpreter is involved.
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Programs exec'd by the service cannot gain privileges via setuid/fscaps.
NoNewPrivileges=yes
PrivateTmp=yes
# /proc shows only process directories, and only this service's own processes.
ProcSubset=pid
ProtectProc=invisible
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Whole filesystem read-only except ReadWritePaths= and the API filesystems.
ProtectSystem=strict
# IPv4/IPv6 for the remote sync; AF_UNIX for local sockets.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
# Order matters: each SystemCallFilter= line modifies the list built so far.
# Start from the @system-service allow list, remove @privileged and @resources,
# then add @chown back (it is a member of @privileged) because the sync must
# chown files in sysvol — this pairs with CAP_CHOWN above.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallFilter=@chown
# New files/dirs default to 0600/0700 unless the sync sets modes or ACLs itself.
UMask=0077