Bug
Resolution: Unresolved
rhel-10.0
usbguard-1.1.3-6.el10
Moderate
rhel-sst-security-special-projects
ssg_security
What were you trying to do that didn't work?
When booting RHEL with root marked as read-only, the systemd `usbguard` service fails, because it needs to prepare and write some files in /var. Since /var is read-only, it will fail.
Files in question: /var/log/usbguard/*
The solution is:
- mount /var as rw tmpfs
- add the following config into /usr/lib/tmpfiles.d/usbguard.conf:
  `d /var/lib/usbguard 700 root root -`
Not sure if SELinux labeling needs to be defined here.
This will ensure that the folders are created and the selinux is correctly set up, otherwise usbguard won't have the permission to write it, even though the folder exists in tmpfs.
Please provide the package NVR for which bug is seen:
I think this applies to all usbguard packages, as long as RHEL is booted with `ro` /.
How reproducible:
Always, as long as RHEL is booted with `ro` /.
Steps to reproduce
- modify /etc/fstab and add `ro` to the existing attributes of / (something like `ro,defaults`)
- reboot
- systemctl status --failed
Expected results
usbguard is not in the failed units
Actual results
usbguard fails for the above reasons
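A pre-flight check for the setup described in this report, as an added example that is not part of the original report or of usbguard: it reads a mount table and a tmpfiles.d snippet and reports whether / is `ro`, /var is a separate `rw` mount, and the directories the report names have a `d` entry. The function names and sample input are constructed, and treating both /var/lib/usbguard and /var/log/usbguard as required is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight check for the read-only-root setup in this report.
# $1 = mount table in /proc/mounts format, $2 = tmpfiles.d snippet.
# Assumption: both directories named in the report must exist on the tmpfs.

# Options of the last entry for a mount point (the one in effect).
mount_opts() {
    awk -v mp="$2" '$2 == mp { o = $4 } END { if (o != "") print o }' "$1"
}

# True if $2 is one of the comma-separated options in $1.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# True if a d/D line in tmpfiles.d snippet $1 creates directory $2.
tmpfiles_creates() {
    awk -v d="$2" '$1 ~ /^[dD]/ && $2 == d { f = 1 } END { exit !f }' "$1"
}

check_usbguard_ro_root() {
    mounts=$1; conf=$2; rc=0
    if has_opt "$(mount_opts "$mounts" /)" ro; then
        var_opts=$(mount_opts "$mounts" /var)
        if [ -z "$var_opts" ]; then
            echo "FAIL: / is ro and /var is not a separate mount"; rc=1
        elif ! has_opt "$var_opts" rw; then
            echo "FAIL: /var is mounted without rw"; rc=1
        else
            echo "OK: /var is a separate rw mount"
        fi
    fi
    for dir in /var/lib/usbguard /var/log/usbguard; do
        if tmpfiles_creates "$conf" "$dir"; then
            echo "OK: tmpfiles.d creates $dir"
        else
            echo "FAIL: no tmpfiles.d d-entry for $dir"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input: ro root, tmpfs /var, and the report's config line.
tmp=$(mktemp -d)
printf '%s\n' '/dev/vda3 / xfs ro,relatime 0 0' \
    'tmpfs /var tmpfs rw,nosuid,nodev 0 0' > "$tmp/mounts"
printf '%s\n' 'd /var/lib/usbguard 700 root root -' > "$tmp/usbguard.conf"
check_usbguard_ro_root "$tmp/mounts" "$tmp/usbguard.conf" || echo "status: $?"
```

On a live system the same function can be pointed at /proc/mounts and /usr/lib/tmpfiles.d/usbguard.conf.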
- is related to: OCPBUGS-49675 In OCL. Usbguard service fails when we install the usbguard extension - Verified
- links to: RHBA-2024:142305 usbguard bug fix and enhancement update