Bug 2346971 - /var/lib/setroubleshoot is not created by tmpfiles.d config
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: setroubleshoot
Version: 42
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Reported: 2025-02-21 12:12 UTC by Devin Bayer
Modified: 2025-03-15 00:38 UTC (History)

Fixed In Version: setroubleshoot-3.3.35-4.fc41 setroubleshoot-3.3.35-4.fc42
Last Closed: 2025-03-12 02:02:06 UTC

Description Devin Bayer 2025-02-21 12:12:34 UTC
On image based distros like CoreOS and Fedora Silverblue, /var contents from RPMs are not used. Instead files in /var should be created by tmpfiles.d configs.

The setroubleshoot-server package does not create the required directory because it has a `Z` flag in its tmpfiles config, which only sets permissions. Instead it should be a `d` flag.

A workaround is this:

  mkdir /var/lib/setroubleshoot
  chown setroubleshoot:setroubleshoot /var/lib/setroubleshoot
  chmod 0700 /var/lib/setroubleshoot

See https://github.com/coreos/fedora-coreos-tracker/issues/1720

Reproducible: Always

Steps to Reproduce:
1. systemctl start setroubleshootd

Actual Results:  
Feb 21 12:46:49 orac systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Feb 21 12:46:49 orac setroubleshoot[96947]: cannot create file /var/lib/setroubleshoot/setroubleshoot_database.xml [No such file or directory]
Feb 21 12:46:49 orac setroubleshoot[96947]: cannot chmod /var/lib/setroubleshoot/setroubleshoot_database.xml to 600 [No such file or directory]
Feb 21 12:46:49 orac setroubleshoot[96947]: cannot chown /var/lib/setroubleshoot/setroubleshoot_database.xml to setroubleshoot:setroubleshoot [No such file or directory]
Feb 21 12:46:49 orac setroubleshoot[96947]: cannot create file /var/lib/setroubleshoot/email_alert_recipients [No such file or directory]
Feb 21 12:46:49 orac setroubleshoot[96947]: cannot chmod /var/lib/setroubleshoot/email_alert_recipients to 600 [No such file or directory]
Feb 21 12:46:49 orac setroubleshoot[96947]: cannot chown /var/lib/setroubleshoot/email_alert_recipients to setroubleshoot:setroubleshoot [No such file or directory]
Feb 21 12:46:49 orac setroubleshoot[96947]: could not write /var/lib/setroubleshoot/setroubleshoot_database.xml: [Errno 2] No such file or directory: '/var/lib/setroubleshoot/setroubleshoot_database.xml'
Feb 21 12:46:59 orac setroubleshoot[96947]: could not write /var/lib/setroubleshoot/setroubleshoot_database.xml: [Errno 2] No such file or directory: '/var/lib/setroubleshoot/setroubleshoot_database.xml'
Feb 21 12:46:59 orac systemd[1]: setroubleshootd.service: Deactivated successfully.

Expected Results:  
No error messages

Comment 1 Petr Lautrbach 2025-02-28 16:05:19 UTC
diff --git a/setroubleshoot.tmpfiles b/setroubleshoot.tmpfiles
index 9e71e5f9a660..a2ca6c407254 100644
--- a/setroubleshoot.tmpfiles
+++ b/setroubleshoot.tmpfiles
@@ -1,2 +1,3 @@
 d /run/setroubleshoot 711 setroubleshoot setroubleshoot -
+d /var/lib/setroubleshoot 700 setroubleshoot setroubleshoot -
 Z /var/lib/setroubleshoot - setroubleshoot setroubleshoot -
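
Review bot: the added `d /var/lib/setroubleshoot` line and the retained `Z` line now both name the same path, and nothing in the file says why both are needed. A comment line above them would help the next reader: `d` creates the directory with mode 700 and the setroubleshoot owner when it is missing, while `Z` only recursively resets ownership and SELinux labels on what already exists. The mode is written as 700 here (matching the 711 on the /run line) where the reporter's workaround used 0700; both parse as the same octal value, so that part is only a style choice.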

should fix it.

I was able to reproduce it on image mode system and I confirmed that with image based on this Containerfile it works:

[root@default-0 ~]# cat Containerfile 
FROM quay.io/fedora/fedora-bootc:rawhide

RUN dnf -y install setroubleshoot-server

RUN echo d /var/lib/setroubleshoot 700 setroubleshoot setroubleshoot - >> /usr/lib/tmpfiles.d/setroubleshoot.conf
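
A check for the defect described in this bug, as an added example that is not part of the bug report or the setroubleshoot project: it lists tmpfiles.d paths that have a `z`/`Z` line but no line of a type that creates the path. The function names are hypothetical, and the two sample configs are reconstructed from the diff in Comment 1.

```shell
#!/bin/sh
# Added example, not from the bug report or the setroubleshoot project.
# Lists tmpfiles.d paths that are only adjusted (z/Z) and never created,
# which is what left /var/lib/setroubleshoot missing on image-based systems.

# find_adjust_only FILE...   (reads stdin when no file is given)
find_adjust_only() {
    awk '
        $1 ~ /^#/ { next }             # comment line
        NF < 2    { next }             # blank or not a "type path ..." line
        {
            type = substr($1, 1, 1)    # type letter; modifiers such as + or ! follow it
            if (index("fdDvqQpLcbC", type))  creates[$2] = 1   # types that create the path
            else if (index("zZ", type))      adjusts[$2] = 1   # types that need it to exist
        }
        END { for (p in adjusts) if (!(p in creates)) print p }
    ' "$@" | sort
}

# Sample input: setroubleshoot.tmpfiles before the patch (reconstructed from the diff).
conf_before() {
    printf '%s\n' \
        'd /run/setroubleshoot 711 setroubleshoot setroubleshoot -' \
        'Z /var/lib/setroubleshoot - setroubleshoot setroubleshoot -'
}

# Sample input: the same file after the patch.
conf_after() {
    printf '%s\n' \
        'd /run/setroubleshoot 711 setroubleshoot setroubleshoot -' \
        'd /var/lib/setroubleshoot 700 setroubleshoot setroubleshoot -' \
        'Z /var/lib/setroubleshoot - setroubleshoot setroubleshoot -'
}

echo "before patch: $(conf_before | find_adjust_only)"
echo "after patch:  $(conf_after | find_adjust_only)"
```

To audit a whole system, pass every config in one call, for example `find_adjust_only /usr/lib/tmpfiles.d/*.conf /etc/tmpfiles.d/*.conf`, so that a creating line in one file satisfies a `Z` line in another.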

Comment 3 Fedora Update System 2025-03-03 14:38:22 UTC
FEDORA-2025-b7c388f00b (setroubleshoot-3.3.35-4.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-b7c388f00b

Comment 4 Fedora Update System 2025-03-03 14:56:42 UTC
FEDORA-2025-b0b9873dc2 (setroubleshoot-3.3.35-4.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-b0b9873dc2

Comment 5 Fedora Update System 2025-03-04 01:13:50 UTC
FEDORA-2025-b0b9873dc2 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-b0b9873dc2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-b0b9873dc2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2025-03-04 01:44:06 UTC
FEDORA-2025-b7c388f00b has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-b7c388f00b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-b7c388f00b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2025-03-12 02:02:06 UTC
FEDORA-2025-b0b9873dc2 (setroubleshoot-3.3.35-4.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2025-03-15 00:38:04 UTC
FEDORA-2025-b7c388f00b (setroubleshoot-3.3.35-4.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.

