Bug 1945968 - dscontainer fails with rootless podman (wrong SELinux relabeling)

Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: 389-ds
Version: 34
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: mreynolds
QA Contact: Fedora Extras Quality Assurance

Reported: 2021-04-03 04:16 UTC by ivanov17
Modified: 2021-11-04 18:14 UTC
Last Closed: 2021-11-04 18:14:01 UTC
Type: Bug

Attachments:
Build log (79.98 KB, text/plain), 2021-04-03 04:16 UTC, ivanov17
Description ivanov17 2021-04-03 04:16:23 UTC
Created attachment 1768709: Build log

Description of problem:

If I run a custom 389-ds container based on the fedora33 image with rootless podman, SELinux denies dscontainer relabelto access on the file slapd-collations.conf and the dscontainer script fails.

In addition, I tried to run containers from a custom image based on quay.io/centos/centos:stream8 and from the image docker.io/389ds/dirsrv:latest provided by one of the 389ds developers, and I got the same result both times.

I believe it's a python3-lib389 issue because /usr/libexec/dirsrv/dscontainer tries to relabel files inside a container.

Also, I reported this bug at 389ds GitHub Issues: https://github.com/389ds/389-ds-base/issues/4714

Version-Release number of selected component (if applicable):

389-ds-base-1.4.4.14-1.fc33.x86_64
python3-lib389-1.4.4.14-1.fc33.x86_64

How reproducible: always

Steps to Reproduce:

1. Create a 389-ds container image with buildah from quay.io/fedora/fedora:33-x86_64
2. Run a 389-ds container with podman in rootless mode

Actual results:

$ podman run -dt --volume=389ds:/data:z --publish=3389:3389 --publish=3636:3636 --env='DS_DM_PASSWORD=pass' --env='LDAPBASE=dc=test,dc=internal' --env='LDAPBINDDN=cn="Directory Manager"' --health-cmd="/usr/libexec/dirsrv/dscontainer -H"  --health-interval=5s --health-retries=2 --health-start-period=5m --health-timeout=5s localhost/fedora33-389-ds:1.4 
0f0be61f8cda1de91af557cfe3f4be02c6586efedf1f97a50f1ac95ff193d2e3

$ podman ps -a
CONTAINER ID  IMAGE                          COMMAND               CREATED         STATUS                     PORTS                                           NAMES
0f0be61f8cda  localhost/fedora33-389-ds:1.4  /usr/libexec/dirs...  34 seconds ago  Exited (1) 34 seconds ago  0.0.0.0:3389->3389/tcp, 0.0.0.0:3636->3636/tcp  cool_mendel

$ podman logs cool_mendel 
/usr/libexec/dirsrv/dscontainer:435: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if begin_healthcheck(None) is (False, True):
INFO: The 389 Directory Server Container Bootstrap
INFO: Inspired by works of: ITS, The University of Adelaide
INFO: 389 Directory Server Version: 1.4.4.14
INFO: Initialising 389-ds-container due to empty volume ...
DEBUG: Running setup with verbose
DEBUG: START: Starting installation...
DEBUG: READY: Preparing installation for localhost...
DEBUG: PASSED: using config settings 999999999
DEBUG: PASSED: user / group checking
DEBUG: PASSED: prefix checking
DEBUG: list instance not found in /etc/dirsrv/slapd-localhost/dse.ldif: localhost

DEBUG: PASSED: instance checking
DEBUG: INFO: temp root password set to .yYje6mp9T3XQoJSTo.g5WGSJ7vnZV11cEmybfM24DpjsPkKX.H19mIXXUyU9Ovlc
DEBUG: PASSED: root user checking
DEBUG: PASSED: network avaliability checking
DEBUG: READY: Beginning installation for localhost...
DEBUG: ACTION: Creating dse.ldif
DEBUG: ACTION: creating /data/bak
DEBUG: ACTION: creating /etc/dirsrv/slapd-localhost
DEBUG: ACTION: creating /data/db
DEBUG: ACTION: creating /data/ldif
DEBUG: ACTION: creating /data/run/lock
DEBUG: ACTION: creating /data/logs
DEBUG: ACTION: creating /data/run
Traceback (most recent call last):
  File "/usr/libexec/dirsrv/dscontainer", line 433, in <module>
    begin_magic()
  File "/usr/libexec/dirsrv/dscontainer", line 266, in begin_magic
    if not sds.create_from_args(g2b.collect(), s2b.collect()):
  File "/usr/lib/python3.9/site-packages/lib389/instance/setup.py", line 674, in create_from_args
    self._install_ds(general, slapd, backends)
  File "/usr/lib/python3.9/site-packages/lib389/instance/setup.py", line 796, in _install_ds
    shutil.copy2(srcfile, dstfile)
  File "/usr/lib64/python3.9/shutil.py", line 436, in copy2
    copystat(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/lib64/python3.9/shutil.py", line 379, in copystat
    _copyxattr(src, dst, follow_symlinks=follow)
  File "/usr/lib64/python3.9/shutil.py", line 329, in _copyxattr
    os.setxattr(dst, name, value, follow_symlinks=follow_symlinks)
PermissionError: [Errno 13] Permission denied: '/etc/dirsrv/slapd-localhost/slapd-collations.conf'


# ausearch -m avc -c dscontainer
----
time->Sat Apr  3 06:21:09 2021
type=AVC msg=audit(1617420069.924:2667): avc:  denied  { relabelto } for  pid=145082 comm="dscontainer" name="99user.ldif" dev="dm-2" ino=10921724 scontext=system_u:system_r:container_t:s0:c314,c598 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
----
time->Sat Apr  3 06:21:09 2021
type=AVC msg=audit(1617420069.925:2668): avc:  denied  { relabelto } for  pid=145082 comm="dscontainer" name="slapd-collations.conf" dev="dm-2" ino=24454300 scontext=system_u:system_r:container_t:s0:c314,c598 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0


Expected results:

dscontainer shouldn't relabel files created in the container's volume.

Additional info:

$ cat fedora33-389-ds.sh
#!/usr/bin/env bash
# See also https://build.opensuse.org/package/view_file/home:firstyear/389-ds-container/Dockerfile
set -x
# Start from the Fedora 33 base image; python3-lib389 ships the dscontainer bootstrap script
image=$(buildah from quay.io/fedora/fedora:33-x86_64)
buildah run "$image" -- dnf -y install --setopt=install_weak_deps=False \
        389-ds-base python3-lib389
buildah run "$image" -- dnf -y clean all
# Keep instance config, the self-signed CA and runtime state under /data so they land on the volume
buildah run "$image" -- mkdir -p /data/{config,ssca,run} /var/run/dirsrv
buildah run "$image" -- ln -s /data/config /etc/dirsrv/slapd-localhost
buildah run "$image" -- ln -s /data/ssca /etc/dirsrv/ssca
buildah run "$image" -- ln -s /data/run /var/run/dirsrv
# Declare the volume and LDAP/LDAPS ports; "dscontainer -r" runs the bootstrap on start
buildah config --volume /data --port 3389 --port 3636 \
        --cmd "/usr/libexec/dirsrv/dscontainer -r" "$image"
buildah commit "$image" "fedora33-389-ds:1.4"
buildah rm "$image"
set +x

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

$ podman --version
podman version 3.0.1

$ uname -r
5.11.10-200.fc33.x86_64
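
The traceback and the AVC records above fit together: shutil.copy2() is copyfile() plus copystat(), and copystat() copies every extended attribute of the template file onto the file it just created on the volume, security.selinux included. Writing that attribute is a relabel, which is exactly the { relabelto } permission denied to container_t against the fusefs_t-labelled rootless volume, and EACCES is not one of the errnos shutil tolerates, so the whole install aborts. The following is an added example, not lib389 code and not the upstream fix: it reproduces the failure mode without SELinux by faking the xattr calls, and shows a copy that preserves data, mode and timestamps but leaves the security.* namespace to the mount's default context. All function names, the fake volume and the sample file are constructed for this illustration.

```python
"""Reproduce the copy2/relabelto failure and a copy that avoids it.

Added example, not lib389's code.  The fake volume simulates a labelled
source and a destination filesystem that refuses relabeling, so the demo
runs on any Linux box without SELinux (and degrades gracefully elsewhere).
"""
import contextlib
import errno
import os
import shutil
import stat
import tempfile

SELINUX_XATTR = "security.selinux"
XATTRS_AVAILABLE = hasattr(os, "listxattr")   # CPython exposes xattr calls on Linux only

# errnos shutil treats as "no xattr support here"; EACCES (13), the error in
# the report, is deliberately NOT among them, which is why copy2 aborts.
_IGNORED_XATTR_ERRNOS = (errno.ENOTSUP, errno.ENODATA, errno.EINVAL, errno.EPERM)


def should_copy_xattr(name):
    """Copy user/trusted attributes, never the kernel security label."""
    return not name.startswith("security.")


def copy_without_relabel(src, dst):
    """Like shutil.copy2, but never writes security.* onto the target."""
    shutil.copyfile(src, dst)
    st = os.stat(src)
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
    listxattr = getattr(os, "listxattr", None)      # looked up at call time
    if listxattr is not None:
        try:
            names = listxattr(src, follow_symlinks=True)
        except OSError as e:
            if e.errno not in _IGNORED_XATTR_ERRNOS:
                raise
            names = []
        for name in names:
            if not should_copy_xattr(name):
                continue      # let the mount's default context label the file
            try:
                os.setxattr(dst, name, os.getxattr(src, name))
            except OSError as e:
                if e.errno not in _IGNORED_XATTR_ERRNOS:
                    raise
    os.chmod(dst, stat.S_IMODE(st.st_mode))   # after xattrs, as shutil does
    return dst


@contextlib.contextmanager
def fake_selinux_volume(initial):
    """Monkeypatch os.*xattr: `initial` maps path -> {name: value}.

    Writing any security.* attribute fails with EACCES, mimicking the
    relabelto denial on the fusefs_t volume from the report.
    """
    store = {os.fspath(p): dict(a) for p, a in initial.items()}

    def listxattr(path=None, *, follow_symlinks=True):
        return list(store.get(os.fspath(path), {}))

    def getxattr(path, name, *, follow_symlinks=True):
        return store[os.fspath(path)][name]

    def setxattr(path, name, value, flags=0, *, follow_symlinks=True):
        if name.startswith("security."):
            raise PermissionError(errno.EACCES, "Permission denied", os.fspath(path))
        store.setdefault(os.fspath(path), {})[name] = value

    saved = {n: getattr(os, n, None) for n in ("listxattr", "getxattr", "setxattr")}
    os.listxattr, os.getxattr, os.setxattr = listxattr, getxattr, setxattr
    try:
        yield store
    finally:
        for n, fn in saved.items():
            delattr(os, n) if fn is None else setattr(os, n, fn)


def demo():
    """Run copy2 and the relabel-free copy against the fake volume."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "template", "slapd-collations.conf")  # constructed
        dst = os.path.join(tmp, "volume", "slapd-collations.conf")
        os.makedirs(os.path.dirname(src))
        os.makedirs(os.path.dirname(dst))
        with open(src, "w") as fh:
            fh.write("# constructed sample, not the real collations file\n")
        os.chmod(src, 0o640)
        labels = {src: {SELINUX_XATTR: b"system_u:object_r:etc_t:s0",
                        "user.origin": b"constructed"}}
        with fake_selinux_volume(labels) as store:
            copy2_failed = False
            try:
                shutil.copy2(src, dst)          # what lib389's _install_ds did
            except PermissionError as e:
                copy2_failed = e.errno == errno.EACCES
            copy_without_relabel(src, dst)
            copied = store.get(dst, {})
        with open(src) as a, open(dst) as b:
            same = a.read() == b.read()
        return {
            "copy2_failed": copy2_failed,
            "label_skipped": SELINUX_XATTR not in copied,
            "user_xattr_copied": copied.get("user.origin") == b"constructed",
            "mode_preserved": stat.S_IMODE(os.stat(dst).st_mode) == 0o640,
            "content_equal": same,
        }


if __name__ == "__main__":
    print(demo())
```

On a Linux Python (where os.listxattr exists) the first copy in demo() fails the same way the traceback shows, while the second succeeds and the target ends up with the volume's default label instead of the template's. A quick way to confirm the mechanism on a real host is `getfattr -n security.selinux` on the template under /usr/share/dirsrv and on the copy in the volume: a container process never needs the two to match.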

Comment 1 Ben Cotton 2021-11-04 14:47:30 UTC
This message is a reminder that Fedora 33 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 33 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 2 Ben Cotton 2021-11-04 15:45:48 UTC
This message is a reminder that Fedora 33 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 33 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 3 Viktor Ashirov 2021-11-04 18:14:01 UTC
I believe this is fixed in https://github.com/389ds/389-ds-base/issues/4714 
Builds containing fixes should be available in F34 and F35.

Please reopen if the problem still persists.
