Bug 1557620

Summary: /usr/lib/tmpfiles.d/pam.conf references /var/run instead of /run
Product: [Fedora] Fedora
Reporter: dac.override
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: tmraz
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pam-1.3.1-8.fc28 pam-1.3.1-8.fc29
Last Closed: 2018-12-01 02:05:15 UTC
Type: Bug

Description dac.override 2018-03-17 08:54:29 UTC
Description of problem:
/usr/lib/tmpfiles.d/pam.conf references /var/run instead of /run

This can cause issues in some scenarios and there really is no reason to keep using the old /var/run.

Version-Release number of selected component (if applicable):
pam-1.3.0-10.fc28.x86_64

How reproducible:
Install an SELinux policy that does not support legacy "/var/run"
systemd-tmpfiles will interpret /usr/lib/tmpfiles.d/pam.conf
systemd-tmpfiles' selinux awareness will try to determine the label to create the files in pam.conf with
The determined label is not allowed to associate with the tmpfs filesystem mounted on /run

The /var/run symlink is really only there for scenarios where there is no other option (API compatibility). All other use-cases should just use "/run" directly. The goal is to, one day, migrate away from "/var/run", but if everyone keeps using "/var/run" because of habit then it might never happen.
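
A check for the condition this report describes, as an added example that is not part of the original bug report or of the pam package: it parses tmpfiles.d-style lines and lists every entry whose path is /var/run or lies beneath it, together with the /run equivalent. The snippet contents, the function name and the sample paths are constructed for illustration and are not the contents of the real pam.conf.

```python
import shlex
from pathlib import PurePosixPath

# Constructed sample in tmpfiles.d(5) syntax; NOT the real pam.conf contents.
SAMPLE = """\
# constructed example snippet
d /var/run/example-a 0755 root root -
d /run/example-b 0755 root root -
f+ "/var/run/example c/state" 0644 root root -
L /var/runner/link - - - - /run/target
"""

LEGACY = PurePosixPath("/var/run")


def legacy_run_entries(text, source="<sample>"):
    """Return (source, lineno, type, path, suggested_path) for each entry
    whose path field is /var/run itself or a path beneath it."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        try:
            fields = shlex.split(line)  # the path field may be quoted
        except ValueError:
            continue  # unbalanced quotes: not a parsable entry
        if len(fields) < 2:
            continue
        entry_type, path = fields[0], PurePosixPath(fields[1])
        # Compare path components, so /var/runner is not a false positive.
        if path == LEGACY or LEGACY in path.parents:
            fixed = PurePosixPath("/run") / path.relative_to(LEGACY)
            findings.append((source, lineno, entry_type, str(path), str(fixed)))
    return findings


if __name__ == "__main__":
    for src, n, t, old, new in legacy_run_entries(SAMPLE):
        print(f"{src}:{n}: type {t}: {old} -> {new}")
```

To audit a system, pass the text of each file under /usr/lib/tmpfiles.d and /etc/tmpfiles.d to `legacy_run_entries` with the file name as `source`.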

Comment 1 Tomas Mraz 2018-03-19 08:30:13 UTC
The problem is the /var/run path is hardcoded in multiple PAM modules, so just changing the tmpfiles PAM config would just make the thing inconsistent. We would need to patch all the uses of /var/run in PAM together with the pam.conf, and that is not that trivial and should be preferentially done upstream.

Comment 2 dac.override 2018-03-19 09:03:17 UTC
Thanks. Yes, if this, arguably small, inconsistency bothers you then I suppose I can understand why you are hesitant to change the tmpfiles snippet.

But on the other hand, it's just that tmpfiles snippet. Which is Fedora specific, I suppose.

The tmpfiles snippet causes issues due to the way systemd-tmpfiles processes it. (It is interpreted by systemd-tmpfiles, and systemd-tmpfiles makes decisions based on it. Those decisions might in turn then force a "/var/run" dependency on other components like SELinux policy.)

Comment 3 Tomas Mraz 2018-05-21 12:46:50 UTC
*** Bug 1471488 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2018-11-16 10:18:48 UTC
pam-1.3.1-7.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c0aaeaf9b

Comment 5 Fedora Update System 2018-11-16 10:18:53 UTC
pam-1.3.1-7.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c2c01c0a06

Comment 6 Fedora Update System 2018-11-17 04:43:52 UTC
pam-1.3.1-8.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3c0aaeaf9b

Comment 7 Fedora Update System 2018-11-17 06:39:12 UTC
pam-1.3.1-8.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c2c01c0a06

Comment 8 Fedora Update System 2018-12-01 02:05:15 UTC
pam-1.3.1-8.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2018-12-01 20:40:13 UTC
pam-1.3.1-8.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.