Bug 2149967

Summary: SELinux labeling for dirsrv files seen during ipa install/uninstall should be moved to DEBUG.
Product: Red Hat Enterprise Linux 8
Reporter: Sudhir Menon <sumenon>
Component: 389-ds-base
Assignee: mreynolds
Status: MODIFIED
QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Severity: high
Priority: high
Version: 8.8
CC: abokovoy, frenaud, idm-ds-dev-bugs, mreynolds, rcritten, tscherf, vashirov
Target Milestone: rc
Keywords: Triaged
Target Release: 8.9
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-1.4-820230816162424-17499975
Doc Type: If docs needed, set a value
Type: Bug

Description Sudhir Menon 2022-12-01 13:32:15 UTC
Description of problem: SELinux labeling for dirsrv files seen during ipa install should be moved to DEBUG.

Version-Release number of selected component (if applicable):
ipa-server-4.9.10-8.module+el8.8.0+17351+9a3fb056.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server. Check the message displayed on the console.
2. Uninstall IPA server

Actual results:

---IPA Install---
Perform SELinux labeling ...
Setting label dirsrv_var_lib_t in seLinux file context /var/lib/dirsrv/slapd-TESTRELM-TEST/bak.
Setting label dirsrv_config_t in seLinux file context /etc/dirsrv/slapd-TESTRELM-TEST.
Setting label dirsrv_var_lib_t in seLinux file context /var/lib/dirsrv/slapd-TESTRELM-TEST/db.
Setting label dirsrv_var_lib_t in seLinux file context /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif.
Setting label dirsrv_var_lock_t in seLinux file context /var/run/lock/dirsrv/slapd-TESTRELM-TEST.
Setting label dirsrv_var_log_t in seLinux file context /var/log/dirsrv/slapd-TESTRELM-TEST.
Setting label dirsrv_tmpfs_t in seLinux file context /dev/shm/slapd-TESTRELM-TEST.
Setting label dirsrv_var_run_t in seLinux file context /var/run/dirsrv.
Setting label dirsrv_config_t in seLinux file context /etc/dirsrv/slapd-TESTRELM-TEST/schema.

---IPA Uninstall---
Unconfiguring directory server
Removing seLinux file context /dev/shm/slapd-TESTRELM-TEST with label dirsrv_tmpfs_t.
Removing seLinux file context /etc/dirsrv/slapd-TESTRELM-TEST with label dirsrv_config_t.
Removing seLinux file context /etc/dirsrv/slapd-TESTRELM-TEST/schema with label dirsrv_config_t.
Removing seLinux file context /var/lib/dirsrv/slapd-TESTRELM-TEST/bak with label dirsrv_var_lib_t.
Removing seLinux file context /var/lib/dirsrv/slapd-TESTRELM-TEST/db with label dirsrv_var_lib_t.
Removing seLinux file context /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif with label dirsrv_var_lib_t.
Removing seLinux file context /var/log/dirsrv/slapd-TESTRELM-TEST with label dirsrv_var_log_t.
Removing seLinux file context /var/run/dirsrv with label dirsrv_var_run_t.
Removing seLinux file context /var/run/lock/dirsrv/slapd-TESTRELM-TEST with label dirsrv_var_lock_t.

Expected results:
The above information should be part of DEBUG rather than INFO.

Additional info:

Comment 1 Alexander Bokovoy 2022-12-01 13:39:28 UTC
Any reason why it should be under 'debug'?

It is generated by the 389-ds code as a part of other operations. We have no control of the level here. If we'd move the whole output that 389-ds generates to DEBUG, it will apply to every single line, not just these ones.

I think it is either an invalid request or it should be moved to 389-ds.

Comment 2 Rob Crittenden 2022-12-01 13:49:32 UTC
Yes, seems like a side-effect of a change in 389-ds. Re-assigning component to see if there is a way to suppress this output.

Comment 3 Florence Blanc-Renaud 2022-12-01 13:52:35 UTC
The root cause is here:
https://github.com/389ds/389-ds-base/blob/389-ds-base-1.4.3/src/lib389/lib389/utils.py#L283-L312
            log.info(f"Setting label {label} in seLinux file context {path}.")

Note that in the main branch, the message is logged with debug level instead of info level:
https://github.com/389ds/389-ds-base/blob/main/src/lib389/lib389/utils.py#L288-L317
            log.debug(f"Setting label {label} in SELinux file context {path}.")

Comment 4 Viktor Ashirov 2023-07-19 14:21:40 UTC
This was fixed as part of https://github.com/389ds/389-ds-base/pull/5525, perhaps a separate backport just for log messages should be done.

Comment 5 Viktor Ashirov 2023-07-24 15:21:28 UTC
Mark, I'm still seeing this in 389-ds-base-1.4.3.36-1.module+el8.9.0+19111+92b42fe2.x86_64:

# grep -i log.info /usr/lib/python3.6/site-packages/lib389/utils.py | grep -i selinux
            log.info('selinux is disabled, will not relabel ports or files.' )
        log.info(f"Removing seLinux file context {path} with label {local[path]}.")
            log.info(f"Setting label {label} in seLinux file context {path}.")