[Service]
# Override for hosts running a systemd too old for the hardened unit:
# it switches two sandboxing directives back off (see DEF-41613).
#
# DEF-41613: ReadWritePaths= (231+) and AmbientCapabilities= (229+)
# are silently dropped on older systemd. Without them:
#   * ProtectSystem=full would lock /etc and break agent config writes;
#   * NoNewPrivileges=true would clear subprocess effective caps,
#     breaking iptables-restore / ipset / i360-storage-replacehdb-v2
#     (the kernel's UID-0 effective-raise-on-exec is disabled by NNP
#     and we have no AmbientCapabilities= here to compensate).
# Reset both so CL7 / CentOS 7 falls back to the pre-MR-338 behaviour
# while keeping CapabilityBoundingSet= which 219 honors. Use explicit
# "=no" rather than "=" — systemd 219 doesn't understand the
# empty-value reset syntax (added in v229) and ignores those lines as
# parse failures.
#
# NOTE(review): these two lines remove hardening on every host that
# loads this file. Presumably packaging installs it only where systemd
# is older than 231 — confirm, so that newer hosts keep ProtectSystem=
# and NoNewPrivileges= as set by the main unit.
# NOTE(review): with both switched off, CapabilityBoundingSet= is the
# only restriction this comment says remains on 219; verify on such a
# host with `systemctl show <unit> -p CapabilityBoundingSet`.
ProtectSystem=no
NoNewPrivileges=no
