The systemd bluetooth service failed to start because the /var/lib/bluetooth path of ReadWritePaths= is created by the bluetooth daemon itself. The commit "systemd: Add more filesystem lockdown" (442d211) adds ReadWritePaths=/etc/bluetooth and ReadOnlyPaths=/var/lib/bluetooth options to the bluetooth systemd service. The existing ProtectSystem=full option mounts the /usr, the boot loader directories and /etc read-only. This means the two options are useless and could be removed. Upstream-Status: Submitted [https://github.com/bluez/bluez/issues/329] Index: bluez-5.64/src/bluetooth.service.in =================================================================== --- bluez-5.64.orig/src/bluetooth.service.in +++ bluez-5.64/src/bluetooth.service.in @@ -15,12 +15,12 @@ LimitNPROC=1 # Filesystem lockdown ProtectHome=true -ProtectSystem=full +ProtectSystem=strict PrivateTmp=true ProtectKernelTunables=true ProtectControlGroups=true -ReadWritePaths=@statedir@ -ReadOnlyPaths=@confdir@ +ConfigurationDirectory=bluetooth +StateDirectory=bluetooth # Execute Mappings MemoryDenyWriteExecute=true
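Review bot: The description does not match what the hunk does, at the `ProtectSystem=` line and at the two added directives. The message argues that the two path options "could be removed" because `ProtectSystem=full` already covers /etc, but the hunk changes `-ProtectSystem=full` to `+ProtectSystem=strict` and replaces the path options with `+ConfigurationDirectory=bluetooth` and `+StateDirectory=bluetooth` rather than just dropping them. The message also pairs the options with the opposite paths from the removed lines (`-ReadWritePaths=@statedir@`, `-ReadOnlyPaths=@confdir@`). Please reword it to say that `StateDirectory=` makes systemd create the state directory before the daemon starts, which is what fixes the startup failure, and that `strict` is a deliberate tightening that leaves only the state directory writable. Two smaller points: the new directives hardcode `bluetooth` where the old lines used `@statedir@` and `@confdir@`, so a build with non-default directories would no longer be covered; and no mode is set, so the state directory is created with systemd's default of 0755. Since that directory holds pairing keys, consider adding `StateDirectoryMode=0700`.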