fix: auditd requires /var/log/audit to exist

/var/linux/audit must be created with proper permissions and SELinux context. The systemd service used must ensure this happens after local-fs has been mounted properly and before auditd starts.
2026-01-27 10:20:49 +00:00 · 2023-03-10 21:30:21 -06:00
parent ced145039f
commit 17302fa1d8
2 changed files with 15 additions and 0 deletions
--- a/1
+++ b/1
@@ -38,6 +38,7 @@ RUN sed -i 's/#AutomaticUpdatePolicy.*/AutomaticUpdatePolicy=stage/' /etc/rpm-os
    sed -i 's/#DefaultTimeoutStopSec.*/DefaultTimeoutStopSec=60s/' /etc/systemd/user.conf && \
    sed -i 's/#DefaultTimeoutStopSec.*/DefaultTimeoutStopSec=60s/' /etc/systemd/system.conf && \
    systemctl enable cockpit.service && \
+    systemctl enable ensure-var-log-audit-dir.service && \
    systemctl enable rpm-ostreed-automatic.timer && \
    rm /etc/ssh/sshd_config.d/40-disable-passwords.conf && \
    cp -a /etc/firewalld/firewalld-server.conf /etc/firewalld/firewalld.conf && \
--- a/etc/systemd/system/ensure-var-log-audit-dir.service
+++ b/etc/systemd/system/ensure-var-log-audit-dir.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Ensure /var/log/audit is present
+DefaultDependencies=no
+After=local-fs.target
+Before=auditd.service
+
+[Service]
+Type=oneshot
+ExecStartPre=mkdir -p -m 0700 /var/log/audit
+ExecStart=restorecon -v /var/log/audit
+RemainAfterExit=yes
+
+[Install]
+WantedBy=auditd.service