The scriptlets start with: if [ ! -f /run/ostree-booted ] && [ $1 == 2 ] && grep -q get-default-crashkernel /usr/bin/kdumpctl; then kdumpctl get-default-crashkernel kdump > /tmp/old_default_crashkernel 2>/dev/null fi Thus, if any local user does 'ln -s /tmp/old_default_crashkernel /some/path', the scriptlet will attempt to write to /some/path. When testing whether this works, I realized that we set sysctl fs.protected_symlinks=1 the configuration provided by systemd, so this will just fail in most cases, instead of overwriting the file, turning this into a DOS rather than a security issue. But it's still just terrible. Please don't use a predictable file name in a shared directory. Reproducible: Always
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.