What were you trying to do that didn't work?
When booting RHEL with root marked as read-only, the systemd `auditd` service fails, because it needs to prepare and write some files in /var. Since /var is read-only, it will fail.
I debugged this already; basically, the issue is that `auditd` and `rsyslog` need to find and have access to the following folders in /var:
/var/log/audit
/var/lib/rsyslog
In addition, audit also needs to have the following SELinux attribute on /var/log/audit:
system_u:object_r:auditd_log_t:s0
The solution is:
- mount /var as rw tmpfs
- add the following config into /usr/lib/tmpfiles.d/your-config.conf:
d /var/log/audit 700 root root -
d /var/lib/rsyslog 700 root root -
A /var/log/audit - - - - system_u:object_r:auditd_log_t:s0
This will ensure that the folders are created and that SELinux is correctly set up; otherwise auditd won't have permission to write to it, even though the folder exists in tmpfs.
The reason why /var/lib/rsyslog also needs to exist is because something in auditd creates `imjournal` into that folder, and fails if it is not found.
Please provide the package NVR for which bug is seen:
I think this applies to all auditd packages, as long as RHEL is booted with `ro` /.
How reproducible:
Always, as long as RHEL is booted with `ro` /.
Steps to reproduce
- modify /etc/fstab and add `ro` to the existing attributes of / (something like `ro,defaults`)
- reboot
- systemctl status --failed
Expected results
auditd is not in the failed units
Actual results
auditd fails for the above reasons
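A post-boot check for the workaround described above, added here as an example and not part of the original report: it confirms that /var is a read-write tmpfs, that both directories exist with mode 700 and root:root, that /var/log/audit carries the context named in the report, and that auditd is not a failed unit. The function names are hypothetical, and it assumes GNU `stat` (for the `%C` SELinux context format).

```shell
#!/bin/sh
# Added example: verifies the state the report says auditd/rsyslog need.
# Expected paths, mode and context are taken from the report above.
AUDIT_CTX="system_u:object_r:auditd_log_t:s0"

# Reads /proc/mounts-style lines on stdin; succeeds only if the last
# (effective) mount on /var is a tmpfs with the rw option.
var_mount_ok() {
    awk '$2 == "/var" { fs = $3; opts = $4 }
         END { exit !(fs == "tmpfs" && opts ~ /(^|,)rw(,|$)/) }'
}

# $1 = one line of `stat -c '%a %U %G %C' DIR` output
# $2 = expected SELinux context, or "-" to skip the label comparison
dir_state_ok() {
    read -r mode owner group ctx <<EOF
$1
EOF
    [ "$mode" = "700" ] || return 1
    [ "$owner" = "root" ] || return 1
    [ "$group" = "root" ] || return 1
    [ "$2" = "-" ] || [ "$ctx" = "$2" ]
}

check_audit_workaround() {
    rc=0
    var_mount_ok < /proc/mounts ||
        { echo "FAIL: /var is not a read-write tmpfs"; rc=1; }
    s=$(stat -c '%a %U %G %C' /var/log/audit 2>/dev/null)
    dir_state_ok "$s" "$AUDIT_CTX" ||
        { echo "FAIL: /var/log/audit: ${s:-missing}"; rc=1; }
    s=$(stat -c '%a %U %G %C' /var/lib/rsyslog 2>/dev/null)
    dir_state_ok "$s" - ||
        { echo "FAIL: /var/lib/rsyslog: ${s:-missing}"; rc=1; }
    if systemctl is-failed --quiet auditd.service; then
        echo "FAIL: auditd.service is in the failed state"; rc=1
    fi
    return "$rc"
}

# Run the live check only when asked, e.g.: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_audit_workaround
fi
```

A mismatch on the context line is the case the report calls out: the directory exists in tmpfs but auditd still cannot write to it.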