Dear everyone,

TL;DR: It appears that a systemd unit containing

    ProtectSystem=full
    SystemCallFilter=~@mount
    ReadWritePaths=-/boot/EFI

and launched on a system where /boot is initially mounted ro keeps thinking /boot is read-only even after it has been remounted rw; it is necessary for the unit to be restarted for the change in question to take effect. Is this intentional? Is there some way such a change could be propagated to the unit's filesystem namespace? Or, failing that, at least so that remounting /boot automatically stops fwupd.service (it's a dbus-activated unit, so it will come back up when needed)?
The wider context here is that I have seen this happening for quite a while with fwupd, see e.g. https://github.com/fwupd/fwupd/issues/6046, where it makes unattended BIOS updates a bit more convoluted.
Thanks in advance! -- MS
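The behaviour described above can be checked rather than guessed at: ProtectSystem=full places a read-only bind mount over /boot inside the service's own mount namespace, and that bind mount carries its own "ro" flag in the per-mount-point options column of /proc/self/mountinfo, independently of whether the host later remounted the underlying filesystem rw. The script below is an added example, not code from the original post or from fwupd or systemd; it parses mountinfo-format text and reports the state of the topmost mount on a given mount point. The two mountinfo listings embedded in it are constructed samples (device numbers and mount IDs are made up) standing in for what the host and the service namespace would each show.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a mount point is
# read-only at the mount level, from /proc/self/mountinfo-style text.
#
# mountinfo fields: 1=mount id, 2=parent id, 3=major:minor, 4=root,
# 5=mount point, 6=per-mount-point options, then optional fields and "-".
# A read-only bind mount shows "ro" in field 6 even when the underlying
# superblock (the "rw" near the end of the line) is writable.

# Constructed sample: host view after `mount -o remount,rw /boot`.
HOST_MOUNTINFO='29 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 29 8:2 / /boot rw,relatime shared:2 - ext4 /dev/sda2 rw'

# Constructed sample: a service started under ProtectSystem=full while /boot
# was still ro; the bind mount it received keeps its own "ro" flag.
SERVICE_MOUNTINFO='29 1 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw
45 29 8:2 / /boot rw,relatime master:2 - ext4 /dev/sda2 rw
101 45 8:2 / /boot ro,relatime master:2 - ext4 /dev/sda2 rw'

# mount_state MOUNTINFO_TEXT MOUNT_POINT
# Prints "ro", "rw" or "absent" for the topmost mount on MOUNT_POINT.
# mountinfo lists mounts in stacking order, so the last match is the one
# a process in that namespace actually sees.
mount_state() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp { opts = $6 }
        END {
            if (opts == "") { print "absent"; exit }
            n = split(opts, a, ",")
            state = "rw"
            for (i = 1; i <= n; i++) if (a[i] == "ro") state = "ro"
            print state
        }'
}

# Convenience wrapper for a live system: inspect the calling process's own
# namespace (run it from inside the unit, e.g. via ExecStart or nsenter -m).
live_mount_state() {
    mount_state "$(cat /proc/self/mountinfo)" "$1"
}

# Demonstration on the constructed samples.
echo "host sees /boot:    $(mount_state "$HOST_MOUNTINFO" /boot)"
echo "service sees /boot: $(mount_state "$SERVICE_MOUNTINFO" /boot)"
```

On a real system the same function, run inside the service's namespace (for instance with `nsenter -t <pid> -m` against the running fwupd process, or under `systemd-run -p ProtectSystem=full --wait`), is a quick way to confirm that the "ro" comes from the unit's bind mount rather than from the underlying filesystem, which is what makes a unit restart the only thing that currently picks up the host-side remount.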
