From 558dbdf4f2a9f8e97af42cc697f83c6069cab814 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Thu, 11 Sep 2025 13:10:27 +0200
Subject: [PATCH 1/2] auditd.service: set LogsDirectory and RuntimeDirectory

This ensures systemd will create these directories ahead of starting the auditd service. It also ensures the auditd service has write permissions, even if someone might add additional hardening options to the systemd service in the future. Directory permission bits were copied from the systemd tmpfiles config for the log directory, and `make_audit_run_dir()` for the runtime directory.
---
 init.d/auditd.service.in | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/init.d/auditd.service.in b/init.d/auditd.service.in
index faeeea517..308aecf94 100644
--- a/init.d/auditd.service.in
+++ b/init.d/auditd.service.in
@@ -35,6 +35,11 @@ ExecStart=@sbindir@/auditd
 Restart=on-failure
 ## Do not restart for intentional exits. See EXIT CODES section in auditd(8).
 RestartPreventExitStatus=2 4 6
+## Create Log and Runtime directory
+LogsDirectory=audit
+LogsDirectoryMode=0700
+RuntimeDirectory=audit
+RuntimeDirectoryMode=0755
 
 ### Security Settings ###
 MemoryDenyWriteExecute=true

From 0705ca9f602b909bcaaeff545cbd51ed2c3e5f31 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Thu, 11 Sep 2025 13:17:38 +0200
Subject: [PATCH 2/2] auditd: remove tmpfiles dependency

With RuntimeDirectory/LogsDirectory set, there is no need to an explicit tmpfiles rule anymore.
---
 audit.spec | 1 -
 init.d/Makefile.am | 4 ----
 init.d/audit-rules.service.in | 2 +-
 init.d/audit-tmpfiles.conf | 1 -
 init.d/auditd.service.in | 4 ++--
 5 files changed, 3 insertions(+), 9 deletions(-)
 delete mode 100644 init.d/audit-tmpfiles.conf

diff --git a/audit.spec b/audit.spec
index b92ca05c2..05d3a5662 100644
--- a/audit.spec
+++ b/audit.spec
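Review bot: `RuntimeDirectory=audit` makes systemd delete /run/audit and its contents every time the unit stops (the default is `RuntimeDirectoryPreserve=no`), which as far as I can tell also covers the intentional exits excluded by `RestartPreventExitStatus=`; if auditd or its plugins leave anything there that the next start or an external tool expects, add `RuntimeDirectoryPreserve=yes` next to it, and otherwise say in the comment that the directory is transient. The added `## Create Log and Runtime directory` comment would be more useful if it recorded where the modes come from and what they buy, e.g. `## systemd creates /var/log/audit (0700) and /run/audit (0755) before ExecStart and keeps them writable if sandboxing options are added; modes mirror the former tmpfiles rule and make_audit_run_dir()`. The `[Service]` section this hunk belongs to starts and ends outside the hunk.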
@@ -222,7 +222,6 @@ fi
 %attr(755,root,root) %{_bindir}/aulast
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
-%attr(640,root,root) %{_tmpfilesdir}/audit.conf
 %attr(644,root,root) %{_unitdir}/auditd.service
 %attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
diff --git a/init.d/Makefile.am b/init.d/Makefile.am
index 1f7e4a927..7534c6329 100644
--- a/init.d/Makefile.am
+++ b/init.d/Makefile.am
@@ -24,7 +24,6 @@ CONFIG_CLEAN_FILES = *.rej *.orig
 CLEANFILES = $(BUILT_SOURCES)
 EXTRA_DIST = auditd.service.in audit-rules.service.in auditd.conf auditd.cron \
-	audit-tmpfiles.conf \
 	libaudit.conf auditd.condrestart \
 	auditd.reload auditd.restart auditd.resume \
 	auditd.rotate auditd.state auditd.stop audit-rules.service \
@@ -48,8 +47,6 @@ BUILT_SOURCES = auditd.service audit-rules.service
 
 install-data-hook:
 	$(INSTALL_DATA) -D -m 640 ${srcdir}/${libconfig} ${DESTDIR}${sysconfdir}
-	mkdir -p ${DESTDIR}$(prefix)/lib/tmpfiles.d/
-	$(INSTALL_DATA) -m 640 ${srcdir}/audit-tmpfiles.conf ${DESTDIR}$(prefix)/lib/tmpfiles.d/audit.conf
 
 install-exec-hook:
 	mkdir -p ${DESTDIR}${initdir}
@@ -81,5 +78,4 @@ uninstall-hook:
 	rm ${DESTDIR}${legacydir}/stop
 	rm ${DESTDIR}${legacydir}/restart
 	rm ${DESTDIR}${legacydir}/condrestart
-	rm ${DESTDIR}$(prefix)/lib/tmpfiles.d/audit.conf
 	rm ${DESTDIR}${sysconfdir}/bash_completion.d/audit.bash_completion
diff --git a/init.d/audit-rules.service.in b/init.d/audit-rules.service.in
index 73bfcaafa..cb6675e2c 100644
--- a/init.d/audit-rules.service.in
+++ b/init.d/audit-rules.service.in
@@ -5,7 +5,7 @@ ConditionKernelCommandLine=!audit=off
 DefaultDependencies=no
 # We need the local file system for the rules. Augenrules uses /tmp while
 # constructing rules, so we have to wait for that to be available, too.
-After=local-fs.target systemd-tmpfiles-setup.service
+After=local-fs.target
 Documentation=man:auditctl(8) https://github.com/linux-audit/audit-documentation
 
 
diff --git a/init.d/audit-tmpfiles.conf b/init.d/audit-tmpfiles.conf
deleted file mode 100644
index 5512a535a..000000000
--- a/init.d/audit-tmpfiles.conf
+++ /dev/null
@@ -1 +0,0 @@
-d /var/log/audit 0700 root root - -
diff --git a/init.d/auditd.service.in b/init.d/auditd.service.in
index 308aecf94..b99116862 100644
--- a/init.d/auditd.service.in
+++ b/init.d/auditd.service.in
@@ -19,8 +19,8 @@ Wants=audit-rules.service
 ## If using remote logging, ensure that the systemd-update-utmp.service file
 ## is updated to remove the After=auditd.service directive to prevent a
 ## boot-time ordering cycle.
-After=local-fs.target systemd-tmpfiles-setup.service
-#After=network-online.target local-fs.target systemd-tmpfiles-setup.service
+After=local-fs.target
+#After=network-online.target local-fs.target
 Before=sysinit.target shutdown.target audit-rules.service
 #Before=shutdown.target
 Conflicts=shutdown.target
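Review bot: Dropping the `d /var/log/audit 0700 root root` tmpfiles rule removes the only thing that re-asserted 0700 root:root on an already existing /var/log/audit at every boot; `LogsDirectoryMode=0700` is guaranteed for the directory systemd creates itself, and whether it also corrects the mode of a pre-existing directory is not something I would assume across systemd versions, so it should be verified on the oldest systemd the package supports (a log directory that was loosened once would otherwise stay that way across reboots). If that check fails, keep a tmpfiles `d` rule in parallel or add an `ExecStartPre=` that resets the directory mode, rather than relying on creation-time permissions alone. The change to `After=local-fs.target` is consistent with the audit-rules.service hunk, and local-fs.target remains the ordering that matters here because /var/log must be mounted before systemd can create the LogsDirectory; the enclosing `[Unit]` section starts and ends outside the hunk.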