# Hardened logcheck.service started complaining after a reboot:
#
#     systemd[1]: Starting logcheck — email sysadmin about anomalous log events...
#     logcheck[807044]: mkdir: cannot create directory ‘/run/lock/logcheck’: Read-only file system
#     msmtp[808400]: host=localhost tls=off auth=off from=logcheck@cyber.com.au recipients=logcheck mailsize=1368 smtpstatus=250 smtpmsg='250 2.0.0 Ok: queued as CB96A283D8' exitcode=EX_OK
#     systemd[1]: logcheck.service: Succeeded.
#
# It didn't complain BEFORE the reboot, presumably because that dir already existed.
# https://salsa.debian.org/debian/logcheck/-/blob/debian/1.3.24/src/logcheck#L653-657
#
# Move that "make sure the dir exists" into the separate systemd daemon whose entire job is to do that.
#
# <twb> I have an existing batch job that I don't want to patch.
#       It is doing
#           LOCKDIR=/run/lock/logcheck
#           if [ ! -d "$LOCKDIR" ]; then mkdir -m 0755 "$LOCKDIR" fi
#       This fails when the .service is hardened.
#       Is there a way to make systemd manage that dir?
#       I initially thought RuntimeDirectory=%p, but that's /run/logcheck not /run/lock/logcheck.
#       I don't see anything relevant in "git grep -Fw lock -- man".
#       I guess I can write a tmpfiles.d, and then ReadWritePaths=/run/lock/logcheck...
#       Oh the latter is probably implicitly there already.
d /run/lock/logcheck 0755 logcheck logcheck - -