Bug 2346971

Summary: /var/lib/setroubleshoot is not created by tmpfiles.d config
Product: [Fedora] Fedora Reporter: Devin Bayer <dev>
Component: setroubleshoot Assignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 42 CC: dwalsh, mmalik, plautrba, vmojzis
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: setroubleshoot-3.3.35-4.fc41 setroubleshoot-3.3.35-4.fc42 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-03-12 02:02:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Devin Bayer 2025-02-21 12:12:34 UTC
On image-based distros like CoreOS and Fedora Silverblue, /var contents from RPMs are not used. Instead, files in /var should be created by tmpfiles.d configs.

The setroubleshoot-server package does not create the required directory because it has a `Z` flag in its tmpfiles config, which only sets permissions. Instead it should be a `d` flag.

A workaround is this:

  mkdir /var/lib/setroubleshoot
  chown setroubleshoot:setroubleshoot /var/lib/setroubleshoot
  chmod 0700 /var/lib/setroubleshoot

See https://github.com/coreos/fedora-coreos-tracker/issues/1720

Reproducible: Always

Steps to Reproduce:
1. systemctl start setroubleshootd

Actual Results:  
Feb 21 12:46:49 orac systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Feb 21 12:46:49 orac setroubleshoot[96947]: cannot create file /var/lib/setroubleshoot/setroubleshoot_database.xml [No such file or directory]
Feb 21 12:46:49 orac setroubleshoot[96947]: cannot chmod /var/lib/setroubleshoot/setroubleshoot_database.xml to 600 [No such file or directory]
Feb 21 12:46:49 orac setroubleshoot[96947]: cannot chown /var/lib/setroubleshoot/setroubleshoot_database.xml to setroubleshoot:setroubleshoot [No such file or directory]
Feb 21 12:46:49 orac setroubleshoot[96947]: cannot create file /var/lib/setroubleshoot/email_alert_recipients [No such file or directory]
Feb 21 12:46:49 orac setroubleshoot[96947]: cannot chmod /var/lib/setroubleshoot/email_alert_recipients to 600 [No such file or directory]
Feb 21 12:46:49 orac setroubleshoot[96947]: cannot chown /var/lib/setroubleshoot/email_alert_recipients to setroubleshoot:setroubleshoot [No such file or directory]
Feb 21 12:46:49 orac setroubleshoot[96947]: could not write /var/lib/setroubleshoot/setroubleshoot_database.xml: [Errno 2] No such file or directory: '/var/lib/setroubleshoot/setroubleshoot_database.xml'
Feb 21 12:46:59 orac setroubleshoot[96947]: could not write /var/lib/setroubleshoot/setroubleshoot_database.xml: [Errno 2] No such file or directory: '/var/lib/setroubleshoot/setroubleshoot_database.xml'
Feb 21 12:46:59 orac systemd[1]: setroubleshootd.service: Deactivated successfully.

Expected Results:  
No error messages

Comment 1 Petr Lautrbach 2025-02-28 16:05:19 UTC
diff --git a/setroubleshoot.tmpfiles b/setroubleshoot.tmpfiles
index 9e71e5f9a660..a2ca6c407254 100644
--- a/setroubleshoot.tmpfiles
+++ b/setroubleshoot.tmpfiles
@@ -1,2 +1,3 @@
 d /run/setroubleshoot 711 setroubleshoot setroubleshoot -
+d /var/lib/setroubleshoot 700 setroubleshoot setroubleshoot -
 Z /var/lib/setroubleshoot - setroubleshoot setroubleshoot -
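Review bot: The added `d /var/lib/setroubleshoot` line and the retained `Z` line right below it now both act on the same path, and the file carries no comment saying why both are needed. A one-line comment above the pair would help the next reader: the `d` line creates the directory with mode 700 when it is missing, and the `Z` line recursively resets ownership and the SELinux context on whatever already exists there. The 700 mode matches the workaround in the description, so any directory made by hand with that workaround stays consistent with what the package now creates.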
(END)

should fix it.

I was able to reproduce it on an image mode system and I confirmed that with an image based on this Containerfile it works:

[root@default-0 ~]# cat Containerfile 
FROM quay.io/fedora/fedora-bootc:rawhide

RUN dnf -y install setroubleshoot-server

RUN echo d /var/lib/setroubleshoot 700 setroubleshoot setroubleshoot - >> /usr/lib/tmpfiles.d/setroubleshoot.conf
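
A lint for the class of bug reported here, as an added example (not setroubleshoot or systemd code): it reads tmpfiles.d text and reports paths under /var that only have `z`/`Z` lines and no line that creates them. The function names and the subsets of line types are assumptions of this example; the two sample configs are the before and after states of the diff in Comment 1.

```python
"""Flag tmpfiles.d paths under /var that are only adjusted (z/Z), never created."""

# Assumption: a subset of the tmpfiles.d(5) line types, enough for this check.
CREATING = set("dDvqQfLCpcb")   # create the path when it is missing
ADJUST_ONLY = set("zZ")         # change owner/mode/label only if the path exists
MODIFIERS = "+!-=~^"            # optional suffixes on the type field
GLOB_CHARS = "*?["


def parse(conf_text):
    """Yield (type_letter, path) for each non-comment line (unquoted paths only)."""
    for raw in conf_text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        yield fields[0].rstrip(MODIFIERS), fields[1]


def adjusted_but_never_created(conf_text, prefix="/var/"):
    """Return z/Z paths under prefix that no line in conf_text creates."""
    created, adjusted = set(), []
    for kind, path in parse(conf_text):
        if kind in CREATING:
            created.add(path)
        elif kind in ADJUST_ONLY and path.startswith(prefix):
            adjusted.append(path)
    # Glob patterns are skipped: they do not name one directory to create.
    return [p for p in adjusted
            if p not in created and not any(c in p for c in GLOB_CHARS)]


# setroubleshoot.tmpfiles before and after the change shown in Comment 1.
BEFORE = """\
d /run/setroubleshoot 711 setroubleshoot setroubleshoot -
Z /var/lib/setroubleshoot - setroubleshoot setroubleshoot -
"""
AFTER = """\
d /run/setroubleshoot 711 setroubleshoot setroubleshoot -
d /var/lib/setroubleshoot 700 setroubleshoot setroubleshoot -
Z /var/lib/setroubleshoot - setroubleshoot setroubleshoot -
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, adjusted_but_never_created(text))
```

The check only sees the text it is given, so a directory created by a different tmpfiles.d file would still be reported; concatenate the relevant configs before calling it.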

Comment 3 Fedora Update System 2025-03-03 14:38:22 UTC
FEDORA-2025-b7c388f00b (setroubleshoot-3.3.35-4.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-b7c388f00b

Comment 4 Fedora Update System 2025-03-03 14:56:42 UTC
FEDORA-2025-b0b9873dc2 (setroubleshoot-3.3.35-4.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-b0b9873dc2

Comment 5 Fedora Update System 2025-03-04 01:13:50 UTC
FEDORA-2025-b0b9873dc2 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-b0b9873dc2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-b0b9873dc2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2025-03-04 01:44:06 UTC
FEDORA-2025-b7c388f00b has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-b7c388f00b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-b7c388f00b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2025-03-12 02:02:06 UTC
FEDORA-2025-b0b9873dc2 (setroubleshoot-3.3.35-4.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2025-03-15 00:38:04 UTC
FEDORA-2025-b7c388f00b (setroubleshoot-3.3.35-4.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.