fix SELinux issue (#5335)

Install orbit to /opt instead of /var/lib. When installing to /var/lib, the default selinux context of var_lib_t gets applied, which results in an AVC error when running via systemd. Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2026-04-21 13:37:30 +00:00 · 2022-05-02 12:18:59 -06:00 · 2022-05-02 12:18:59 -06:00 · 15c69058bb
commit 15c69058bb
parent e5a80fa3f5
14 changed files with 85 additions and 43 deletions
--- a/changes/4176-orbit-fix-selinux-permissions
+++ b/changes/4176-orbit-fix-selinux-permissions
@ -0,0 +1,2 @@
+* Change install path to /opt/orbit. Fixes a permissions issue on platforms with SELinux enabled.
+  See [fleetdm/fleet#4176](https://github.com/fleetdm/fleet/issues/4176) for more details.
--- a/docs/Using-Fleet/Adding-hosts.md
+++ b/docs/Using-Fleet/Adding-hosts.md
@ -222,16 +222,19 @@ On a system with osquery installed via the Fleet osquery installer (Orbit), obta
 `CodeRequirement` of Orbit by running:

 ```
-codesign -dr - /private/var/lib/orbit/bin/orbit/macos/edge/orbit
+codesign -dr - /opt/orbit/bin/orbit/macos/edge/orbit
 ```

 The output should be similar or identical to: 

 ```
-Executable=/private/var/lib/orbit/bin/orbit/macos/edge/orbit
+Executable=/opt/orbit/bin/orbit/macos/edge/orbit
 designated => identifier "com.fleetdm.orbit" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "8VBZ3948LU"
 ```

+> **NOTE:** Depending on the version of `fleetctl` used to package and install Orbit, the executable path may be different.
+> Fleetctl versions <= 4.13.2 would install orbit to `/var/lib/orbit` instead of `/opt/orbit`.
+
 Note down the **executable path** and the entire **identifier**.

 Osqueryd will inherit the privileges from Orbit and does not need explicit permissions.
--- a/go.mod
+++ b/go.mod
@ -91,7 +91,7 @@ require (
 	github.com/stretchr/objx v0.3.0 // indirect
 	github.com/stretchr/testify v1.7.1
 	github.com/temoto/robotstxt v1.1.2 // indirect
-	github.com/theupdateframework/go-tuf v0.0.0-20220121203041-e3557e322879
+	github.com/theupdateframework/go-tuf v0.2.0
 	github.com/throttled/throttled/v2 v2.8.0
 	github.com/tj/assert v0.0.3
 	github.com/ulikunitz/xz v0.5.10
--- a/go.sum
+++ b/go.sum
@ -412,6 +412,7 @@ github.com/felixge/httpsnoop v1.0.2 h1:+nS9g82KMXccJ/wp0zyRW9ZBHFETmMGtkk+2CTTrW
 github.com/felixge/httpsnoop v1.0.2/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fleetdm/goose v0.0.0-20220214194029-91b5e5eb8e77 h1:oaRSVdXLGFxX0aQa5UI8GDr6+lRiscSM40B6zl8oUKI=
 github.com/fleetdm/goose v0.0.0-20220214194029-91b5e5eb8e77/go.mod h1:d7Q+0eCENnKQUhkfAUVLfGnD4QcgJMF/uB9WRTN9TDI=
+github.com/flynn/go-docopt v0.0.0-20140912013429-f6dd2ebbb31e h1:Ss/B3/5wWRh8+emnK0++g5zQzwDTi30W10pKxKc4JXI=
 github.com/flynn/go-docopt v0.0.0-20140912013429-f6dd2ebbb31e/go.mod h1:HyVoz1Mz5Co8TFO8EupIdlcpwShBmY98dkT2xeHkvEI=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
@ -571,6 +572,8 @@ github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8l
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
+github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/gomodule/redigo v1.7.1-0.20190724094224-574c33c3df38/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4=
 github.com/gomodule/redigo v1.8.4/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0=
 github.com/gomodule/redigo v1.8.5 h1:nRAxCa+SVsyjSBrtZmG/cqb6VbTmuRzpg/PoTFlpumc=
@ -624,6 +627,7 @@ github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210506205249-923b5ab0fc1a/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
@ -992,14 +996,18 @@ github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W
 github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
 github.com/onsi/ginkgo v1.16.2/go.mod h1:CObGmKUOKaSC0RjmoAK7tKyn4Azo5P2IWuoMnvwxz1E=
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
+github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.13.0/go.mod h1:lRk9szgn8TxENtWd0Tp4c3wjlRfMTMH27I+3Je41yGY=
+github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
+github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs=
 github.com/open-policy-agent/opa v0.24.0 h1:fnGOIux+TTGZsC0du1bRBtV8F+KPN55Hks12uE3Fq3E=
 github.com/open-policy-agent/opa v0.24.0/go.mod h1:qEyD/i8j+RQettHGp4f86yjrjvv+ZYia+JHCMv2G7wA=
 github.com/opencensus-integrations/ocsql v0.1.1/go.mod h1:ozPYpNVBHZsX33jfoQPO5TlI5lqh0/3R36kirEqJKAM=
@ -1109,6 +1117,8 @@ github.com/sebdah/goldie v1.0.0 h1:9GNhIat69MSlz/ndaBg48vl9dF5fI+NBB6kfOxgfkMc=
 github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4=
 github.com/secure-systems-lab/go-securesystemslib v0.3.0 h1:PH0mUKuUSXVEVDbrKMgGPcrqrnKA8gJii614+EKKi7g=
 github.com/secure-systems-lab/go-securesystemslib v0.3.0/go.mod h1:o8hhjkbNl2gOamKUA/eNW3xUrntHT9L4W89W1nfj43U=
+github.com/secure-systems-lab/go-securesystemslib v0.3.1 h1:LJuyMziazadwmQRRu1M7GMUo5S1oH1+YxU9FjuSFU8k=
+github.com/secure-systems-lab/go-securesystemslib v0.3.1/go.mod h1:o8hhjkbNl2gOamKUA/eNW3xUrntHT9L4W89W1nfj43U=
 github.com/serenize/snaker v0.0.0-20171204205717-a683aaf2d516/go.mod h1:Yow6lPLSAXx2ifx470yD/nUe22Dv5vBvxK/UK9UUTVs=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
@ -1187,12 +1197,15 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
+github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7/go.mod h1:q4W45IWZaF22tdD+VEXcAWRA037jwmWEB5VWYORlTpc=
 github.com/technoweenie/multipartstreamer v1.0.1 h1:XRztA5MXiR1TIRHxH2uNxXxaIkKQDeX7m2XsSOlQEnM=
 github.com/technoweenie/multipartstreamer v1.0.1/go.mod h1:jNVxdtShOxzAsukZwTSw6MDx5eUJoiEBsSvzDU9uzog=
 github.com/temoto/robotstxt v1.1.2 h1:W2pOjSJ6SWvldyEuiFXNxz3xZ8aiWX5LbfDiOFd7Fxg=
 github.com/temoto/robotstxt v1.1.2/go.mod h1:+1AmkuG3IYkh1kv0d2qEB9Le88ehNO0zwOr3ujewlOo=
 github.com/theupdateframework/go-tuf v0.0.0-20220121203041-e3557e322879 h1:UeDpdrX16scCvbdgdMsrztZsQLDofld/Zo+WGDe/PBE=
 github.com/theupdateframework/go-tuf v0.0.0-20220121203041-e3557e322879/go.mod h1:I0Gs4Tev4hYQ5wiNqN8VJ7qS0gw7KOZNQuckC624RmE=
+github.com/theupdateframework/go-tuf v0.2.0 h1:lQajPG9M03zT7CXfytRzPKC7AVaS9ndPdxu7ROJTR2A=
+github.com/theupdateframework/go-tuf v0.2.0/go.mod h1:E5XP0wXitrFUHe4b8cUcAAdxBW4LbfnqF4WXXGLgWNo=
 github.com/theupdateframework/notary v0.6.1/go.mod h1:MOfgIfmox8s7/7fduvB2xyPPMJCrjRLRizA8OFwpnKY=
 github.com/throttled/throttled/v2 v2.8.0 h1:B5VfdM8BE+ClI2Ji238SbNOTWfYcocvuAhgT27lvwrE=
 github.com/throttled/throttled/v2 v2.8.0/go.mod h1:q1QyZVQXxb2NUfJ+Hjucmlrsrz9s/jt2ilMwSMo7a2I=
@ -1473,6 +1486,7 @@ golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211007125505-59d4e928ea9d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211008194852-3b03d305991f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f h1:oA4XRj0qtSt8Yo1Zms0CUlsT3KG69V2UGQWPBxujDmc=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@ -1560,10 +1574,12 @@ golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200828194041-157a740278f4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
--- a/orbit/changes/4176-orbit-fix-selinux-permissions
+++ b/orbit/changes/4176-orbit-fix-selinux-permissions
@ -0,0 +1,2 @@
+* Change install path to /opt/orbit. Fixes a permissions issue on platforms with SELinux enabled.
+  See [fleetdm/fleet#4176](https://github.com/fleetdm/fleet/issues/4176) for more details.
--- a/orbit/cmd/orbit/orbit.go
+++ b/orbit/cmd/orbit/orbit.go
@ -36,6 +36,7 @@ import (
 )

 func main() {
+
 	app := cli.NewApp()
 	app.Name = "Orbit osquery"
 	app.Usage = "A powered-up, (near) drop-in replacement for osquery"
@ -47,7 +48,7 @@ func main() {
 		&cli.StringFlag{
 			Name:    "root-dir",
 			Usage:   "Root directory for Orbit state",
-			Value:   update.DefaultOptions.RootDirectory,
+			Value:   "", // need to check if explicitly set
 			EnvVars: []string{"ORBIT_ROOT_DIR"},
 		},
 		&cli.BoolFlag{
@ -140,6 +141,20 @@ func main() {
 			return nil
 		}

+		// handle old installations, which had default root dir set to /var/lib/orbit
+		if c.String("root-dir") == "" {
+			rootDir := update.DefaultOptions.RootDirectory
+
+			executable, err := os.Executable()
+			if err != nil {
+				return fmt.Errorf("failed to get orbit executable: %w", err)
+			}
+			if strings.HasPrefix(executable, "/var/lib/orbit") {
+				rootDir = "/var/lib/orbit"
+			}
+			c.Set("root-dir", rootDir)
+		}
+
 		var logFile io.Writer
 		if logf := c.String("log-file"); logf != "" {
 			if logDir := filepath.Dir(logf); logDir != "." {
--- a/orbit/pkg/packaging/linux_shared.go
+++ b/orbit/pkg/packaging/linux_shared.go
@ -24,11 +24,11 @@ func buildNFPM(opt Options, pkger nfpm.Packager) (string, error) {
 	}
 	defer os.RemoveAll(tmpDir)

-	filesystemRoot := filepath.Join(tmpDir, "root")
-	if err := secure.MkdirAll(filesystemRoot, constant.DefaultDirMode); err != nil {
+	rootDir := filepath.Join(tmpDir, "root")
+	if err := secure.MkdirAll(rootDir, constant.DefaultDirMode); err != nil {
 		return "", fmt.Errorf("create root dir: %w", err)
 	}
-	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "orbit")
+	orbitRoot := filepath.Join(rootDir, "opt", "orbit")
 	if err := secure.MkdirAll(orbitRoot, constant.DefaultDirMode); err != nil {
 		return "", fmt.Errorf("create orbit dir: %w", err)
 	}
@ -60,11 +60,11 @@ func buildNFPM(opt Options, pkger nfpm.Packager) (string, error) {

 	// Write files

-	if err := writeSystemdUnit(opt, filesystemRoot); err != nil {
+	if err := writeSystemdUnit(opt, rootDir); err != nil {
 		return "", fmt.Errorf("write systemd unit: %w", err)
 	}

-	if err := writeEnvFile(opt, filesystemRoot); err != nil {
+	if err := writeEnvFile(opt, rootDir); err != nil {
 		return "", fmt.Errorf("write env file: %w", err)
 	}

@ -99,13 +99,13 @@ func buildNFPM(opt Options, pkger nfpm.Packager) (string, error) {

 	contents := files.Contents{
 		&files.Content{
-			Source:      filepath.Join(filesystemRoot, "**"),
+			Source:      filepath.Join(rootDir, "**"),
 			Destination: "/",
 		},
-		// Symlink current into /var/lib/orbit/bin/orbit/orbit
+		// Symlink current into /opt/orbit/bin/orbit/orbit
 		&files.Content{
-			Source:      "/var/lib/orbit/bin/orbit/linux/" + opt.OrbitChannel + "/orbit",
-			Destination: "/var/lib/orbit/bin/orbit/orbit",
+			Source:      "/opt/orbit/bin/orbit/linux/" + opt.OrbitChannel + "/orbit",
+			Destination: "/opt/orbit/bin/orbit/orbit",
 			Type:        "symlink",
 			FileInfo: &files.ContentFileInfo{
 				Mode: constant.DefaultExecutableMode | os.ModeSymlink,
@ -113,7 +113,7 @@ func buildNFPM(opt Options, pkger nfpm.Packager) (string, error) {
 		},
 		// Symlink current into /usr/local/bin
 		&files.Content{
-			Source:      "/var/lib/orbit/bin/orbit/orbit",
+			Source:      "/opt/orbit/bin/orbit/orbit",
 			Destination: "/usr/local/bin/orbit",
 			Type:        "symlink",
 			FileInfo: &files.ContentFileInfo{
@ -121,13 +121,6 @@ func buildNFPM(opt Options, pkger nfpm.Packager) (string, error) {
 			},
 		},
 	}
-	contents, err = files.ExpandContentGlobs(contents, false)
-	if err != nil {
-		return "", fmt.Errorf("glob contents: %w", err)
-	}
-	for _, c := range contents {
-		log.Debug().Interface("file", c).Msg("added file")
-	}

 	// Add empty folders to be created.
 	for _, emptyFolder := range []string{"/var/log/osquery", "/var/log/orbit"} {
@ -137,6 +130,14 @@ func buildNFPM(opt Options, pkger nfpm.Packager) (string, error) {
 		}).WithFileInfoDefaults())
 	}

+	contents, err = files.ExpandContentGlobs(contents, false)
+	if err != nil {
+		return "", fmt.Errorf("glob contents: %w", err)
+	}
+	for _, c := range contents {
+		log.Debug().Interface("file", c).Msg("added file")
+	}
+
 	// Build package
 	info := &nfpm.Info{
 		Name:        "fleet-osquery",
@ -189,7 +190,7 @@ StartLimitIntervalSec=0
 [Service]
 TimeoutStartSec=0
 EnvironmentFile=/etc/default/orbit
-ExecStart=/var/lib/orbit/bin/orbit/orbit
+ExecStart=/opt/orbit/bin/orbit/orbit
 Restart=always
 RestartSec=1
 KillMode=control-group
@ -215,7 +216,7 @@ ORBIT_UPDATE_INTERVAL={{ .OrbitUpdateInterval }}
 {{ if .Insecure }}ORBIT_INSECURE=true{{ end }}
 {{ if .DisableUpdates }}ORBIT_DISABLE_UPDATES=true{{ end }}
 {{ if .FleetURL }}ORBIT_FLEET_URL={{.FleetURL}}{{ end }}
-{{ if .FleetCertificate }}ORBIT_FLEET_CERTIFICATE=/var/lib/orbit/fleet.pem{{ end }}
+{{ if .FleetCertificate }}ORBIT_FLEET_CERTIFICATE=/opt/orbit/fleet.pem{{ end }}
 {{ if .EnrollSecret }}ORBIT_ENROLL_SECRET={{.EnrollSecret}}{{ end }}
 {{ if .Debug }}ORBIT_DEBUG=true{{ end }}
 `))
@ -288,7 +289,7 @@ systemctl disable orbit.service
 func writePostRemove(opt Options, path string) error {
 	if err := ioutil.WriteFile(path, []byte(`#!/bin/sh

-rm -rf /var/lib/orbit /var/log/orbit /usr/local/bin/orbit /etc/default/orbit /usr/lib/systemd/system/orbit.service
+rm -rf /var/lib/orbit /var/log/orbit /usr/local/bin/orbit /etc/default/orbit /usr/lib/systemd/system/orbit.service /opt/orbit
 `), constant.DefaultFileMode); err != nil {
 		return fmt.Errorf("write file: %w", err)
 	}
--- a/orbit/pkg/packaging/macos.go
+++ b/orbit/pkg/packaging/macos.go
@ -28,11 +28,11 @@ func BuildPkg(opt Options) (string, error) {
 	}
 	defer os.RemoveAll(tmpDir)

-	filesystemRoot := filepath.Join(tmpDir, "root")
-	if err := secure.MkdirAll(filesystemRoot, constant.DefaultDirMode); err != nil {
+	rootDir := filepath.Join(tmpDir, "root")
+	if err := secure.MkdirAll(rootDir, constant.DefaultDirMode); err != nil {
 		return "", fmt.Errorf("create root dir: %w", err)
 	}
-	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "orbit")
+	orbitRoot := filepath.Join(rootDir, "opt", "orbit")
 	if err := secure.MkdirAll(orbitRoot, constant.DefaultDirMode); err != nil {
 		return "", fmt.Errorf("create orbit dir: %w", err)
 	}
@ -91,7 +91,7 @@ func BuildPkg(opt Options) (string, error) {
 	}

 	if opt.StartService {
-		if err := writeLaunchd(opt, filesystemRoot); err != nil {
+		if err := writeLaunchd(opt, rootDir); err != nil {
 			return "", fmt.Errorf("write launchd: %w", err)
 		}
 	}
--- a/orbit/pkg/packaging/macos_templates.go
+++ b/orbit/pkg/packaging/macos_templates.go
@ -33,8 +33,8 @@ var macosDistributionTemplate = template.Must(template.New("").Option("missingke
 var macosPostinstallTemplate = template.Must(template.New("").Option("missingkey=error").Parse(
 	`#!/bin/bash

-ln -sf /var/lib/orbit/bin/orbit/macos/{{.OrbitChannel}}/orbit /var/lib/orbit/bin/orbit/orbit
-ln -sf /var/lib/orbit/bin/orbit/orbit /usr/local/bin/orbit
+ln -sf /opt/orbit/bin/orbit/macos/{{.OrbitChannel}}/orbit /opt/orbit/bin/orbit/orbit
+ln -sf /opt/orbit/bin/orbit/orbit /usr/local/bin/orbit

 {{ if .StartService -}}
 DAEMON_LABEL="com.fleetdm.orbit"
@ -74,11 +74,11 @@ var macosLaunchdTemplate = template.Must(template.New("").Option("missingkey=err
 		{{- end }}
 		{{- if .FleetCertificate }}
 		<key>ORBIT_FLEET_CERTIFICATE</key>
-		<string>/var/lib/orbit/fleet.pem</string>
+		<string>/opt/orbit/fleet.pem</string>
 		{{- end }}
 		{{- if .EnrollSecret }}
 		<key>ORBIT_ENROLL_SECRET_PATH</key>
-		<string>/var/lib/orbit/secret.txt</string>
+		<string>/opt/orbit/secret.txt</string>
 		{{- end }}
 		{{- if .FleetURL }}
 		<key>ORBIT_FLEET_URL</key>
@ -109,7 +109,7 @@ var macosLaunchdTemplate = template.Must(template.New("").Option("missingkey=err
 	<string>com.fleetdm.orbit</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/var/lib/orbit/bin/orbit/orbit</string>
+		<string>/opt/orbit/bin/orbit/orbit</string>
 	</array>
 	<key>RunAtLoad</key>
 	<true/>
--- a/orbit/pkg/packaging/packaging.go
+++ b/orbit/pkg/packaging/packaging.go
@ -185,7 +185,7 @@ func writeSecret(opt Options, orbitRoot string) error {
 		return fmt.Errorf("mkdir: %w", err)
 	}

-	if err := ioutil.WriteFile(path, []byte(opt.EnrollSecret), 0o600); err != nil {
+	if err := os.WriteFile(path, []byte(opt.EnrollSecret), constant.DefaultFileMode); err != nil {
 		return fmt.Errorf("write file: %w", err)
 	}

@ -193,18 +193,18 @@ func writeSecret(opt Options, orbitRoot string) error {
 }

 func writeOsqueryFlagfile(opt Options, orbitRoot string) error {
-	dstPath := filepath.Join(orbitRoot, "osquery.flags")
+	path := filepath.Join(orbitRoot, "osquery.flags")

 	if opt.OsqueryFlagfile == "" {
 		// Write empty flagfile
-		if err := os.WriteFile(dstPath, []byte(""), constant.DefaultFileMode); err != nil {
+		if err := os.WriteFile(path, []byte(""), constant.DefaultFileMode); err != nil {
 			return fmt.Errorf("write empty flagfile: %w", err)
 		}

 		return nil
 	}

-	if err := file.Copy(opt.OsqueryFlagfile, dstPath, constant.DefaultFileMode); err != nil {
+	if err := file.Copy(opt.OsqueryFlagfile, path, constant.DefaultFileMode); err != nil {
 		return fmt.Errorf("copy flagfile: %w", err)
 	}

@ -217,9 +217,12 @@ func writeOsqueryFlagfile(opt Options, orbitRoot string) error {
 var osqueryCerts []byte

 func writeOsqueryCertPEM(opt Options, orbitRoot string) error {
-	dstPath := filepath.Join(orbitRoot, "certs.pem")
+	path := filepath.Join(orbitRoot, "certs.pem")
+	if err := secure.MkdirAll(filepath.Dir(path), constant.DefaultDirMode); err != nil {
+		return fmt.Errorf("mkdir: %w", err)
+	}

-	if err := ioutil.WriteFile(dstPath, osqueryCerts, 0o644); err != nil {
+	if err := os.WriteFile(path, osqueryCerts, 0o644); err != nil {
 		return fmt.Errorf("write file: %w", err)
 	}

--- a/orbit/pkg/update/options_darwin.go
+++ b/orbit/pkg/update/options_darwin.go
@ -5,7 +5,7 @@ import (
 )

 var defaultOptions = Options{
-	RootDirectory:     "/var/lib/orbit",
+	RootDirectory:     "/opt/orbit",
 	ServerURL:         defaultURL,
 	RootKeys:          defaultRootKeys,
 	LocalStore:        client.MemoryLocalStore(),
--- a/orbit/pkg/update/options_linux.go
+++ b/orbit/pkg/update/options_linux.go
@ -5,7 +5,7 @@ import (
 )

 var defaultOptions = Options{
-	RootDirectory:     "/var/lib/orbit",
+	RootDirectory:     "/opt/orbit",
 	ServerURL:         defaultURL,
 	RootKeys:          defaultRootKeys,
 	LocalStore:        client.MemoryLocalStore(),
--- a/orbit/tools/cleanup/cleanup_linux.sh
+++ b/orbit/tools/cleanup/cleanup_linux.sh
@ -3,4 +3,4 @@
 sudo systemctl stop orbit.service
 sudo systemctl disable orbit.service

-sudo rm -rf /var/lib/orbit /var/log/orbit /usr/local/bin/orbit /etc/default/orbit /usr/lib/systemd/system/orbit.service
+sudo rm -rf /var/lib/orbit /opt/orbit /var/log/orbit /usr/local/bin/orbit /etc/default/orbit /usr/lib/systemd/system/orbit.service /opt/orbit
--- a/orbit/tools/cleanup/cleanup_macos.sh
+++ b/orbit/tools/cleanup/cleanup_macos.sh
@ -4,4 +4,4 @@ sudo launchctl stop com.fleetdm.orbit
 sudo launchctl unload /Library/LaunchDaemons/com.fleetdm.orbit.plist

 sudo pkill fleet-desktop || true
-sudo rm -rf /Library/LaunchDaemons/com.fleetdm.orbit.plist /var/lib/orbit/ /usr/local/bin/orbit /var/log/orbit
+sudo rm -rf /Library/LaunchDaemons/com.fleetdm.orbit.plist /var/lib/orbit/ /usr/local/bin/orbit /var/log/orbit /opt/orbit/