units: update catalog after systemd-tmpfiles runs

`systemd-journal-catalog-update.service` writes to `/var`. However, it's
not explicitly ordered wrt `systemd-tmpfiles-setup.service`, which means
that it may run before or after.

This is an issue for Fedora CoreOS, which uses Ignition. We want to be
able to prepare `/var` on first boot from the initrd, where the SELinux
policy is not loaded yet. This means that the hierarchy under `/var` is
not correctly labeled. We add a `Z /var - - -` tmpfiles entry so that it
gets relabeled once `/var` gets mounted post-switchroot.

So any service that tries to access `/var` before `systemd-tmpfiles`
relabels it is likely to hit `EACCES`.

Fix this by simply ordering `systemd-journal-catalog-update.service`
after `systemd-tmpfiles-setup.service`. This is also clearer since the
tmpfiles entries are the canonical source of how `/var` should be
populated.

For more context on this, see:
https://github.com/coreos/ignition/issues/635#issuecomment-446620297

0 files changed, 0 insertions, 0 deletions