- Bug
- Resolution: Duplicate
- Major
- rhel-9.6
- rhel-security-selinux
What were you trying to do that didn't work?
setroubleshoot does not work out-of-the-box on bootc image mode when there is a dedicated /var (or /var/log). Since /var/lib/setroubleshoot is not present, the command does not write its database. The issue is likely the same on RHEL 10. Feel free to move this bug to the `rhel-bootc-container` component if needed.
What is the impact of this issue to you?
Evaluation of the product.
Please provide the package NVR for which the bug is seen:
setroubleshoot-3.3.32-1.el9.x86_64
How reproducible is this bug?:
Always
Steps to reproduce
- Use a Containerfile that installs `setroubleshoot`
FROM registry.redhat.io/rhel9/rhel-bootc:latest
RUN dnf update -y && dnf -y install setroubleshoot && dnf clean all
RUN bootc container lint
- Deploy it with a kickstart using `ostreecontainer` on a system with a dedicated /var
- On the booted system, edit sshd_config, change the configuration to use "Port 2222", and then restart sshd.
- Run `sealert -a /var/log/audit/audit.log`, and observe the XML db cannot be stored.
Expected results
/var/lib/setroubleshoot/setroubleshoot_database.xml is created.
Actual results
/var/lib/setroubleshoot does not exist in the dedicated partition.
Suggested workaround
Create the missing directories with a systemd tmpfiles.d drop-in if they don't already exist.
NOTE: this list might be non-exhaustive.
# mkdir -p overlay/usr/local/lib/tmpfiles.d
# cat << EOF > overlay/usr/local/lib/tmpfiles.d/bootc-extra.conf
d /var/lib/setroubleshoot 0700 setroubleshoot setroubleshoot - -
Z /var/lib/setroubleshoot - - - - -
EOF
And then append the following line to your Containerfile:
COPY overlay/ /
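As an added example that is not part of this bug report, the following shell helpers write the tmpfiles.d drop-in from the workaround into an overlay directory, lint the drop-in before it is baked into the image, and check on the booted system whether /var/lib/setroubleshoot actually exists (a root prefix can be passed to exercise the check against a staging tree). The paths and the two tmpfiles.d lines are the ones from the report; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report: build and verify the
# tmpfiles.d workaround for the missing /var/lib/setroubleshoot directory.
# Function names are this example's own; paths are taken from the report.

set -eu

# Write the tmpfiles.d drop-in into an overlay tree that the Containerfile
# later copies into the image with `COPY overlay/ /`. Prints the file path.
write_tmpfiles_conf() {
    overlay="$1"
    conf="$overlay/usr/local/lib/tmpfiles.d/bootc-extra.conf"
    mkdir -p "$(dirname "$conf")"
    # d: create the directory if it is missing (mode 0700, owned by the
    #    setroubleshoot user and group)
    # Z: recursively restore the SELinux label from the file contexts
    printf '%s\n' \
        'd /var/lib/setroubleshoot 0700 setroubleshoot setroubleshoot - -' \
        'Z /var/lib/setroubleshoot - - - - -' > "$conf"
    printf '%s\n' "$conf"
}

# Lint a tmpfiles.d file at image-build time: every non-comment line needs a
# known type letter (with optional modifiers), an absolute path, and, when a
# mode is given, an octal mode. Returns 0 when clean, 1 on any malformed line.
lint_tmpfiles_conf() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }
        {
            if (NF < 2 ||
                $1 !~ /^[fFwdDevqQpLcbCxXrRzZtThHaA+!=~^-]+$/ ||
                $2 !~ /^\// ||
                (NF >= 3 && $3 != "-" && $3 !~ /^~?[0-7][0-7][0-7][0-7]?$/)) {
                printf "malformed line %d: %s\n", NR, $0 > "/dev/stderr"
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# On the booted system (or against a staging root given as $1): fail if the
# directory that sealert needs is missing, otherwise print its mode and owner
# so they can be compared with the 0700 setroubleshoot:setroubleshoot expected.
check_setroubleshoot_dir() {
    root="${1:-}"
    dir="$root/var/lib/setroubleshoot"
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (setroubleshoot cannot store its XML db)" >&2
        return 1
    fi
    stat -c '%a %U %G %n' "$dir"
}

# Typical usage when building the image:
#   conf=$(write_tmpfiles_conf overlay) && lint_tmpfiles_conf "$conf"
# and on the deployed host, after boot:
#   check_setroubleshoot_dir
```

The lint step catches the kind of mistake that is easy to make when the two config lines are typed by hand (a relative path, a missing field, a non-octal mode); systemd-tmpfiles would otherwise skip such a line at boot and the directory would still be absent, which is exactly the failure reported above.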