Created attachment 1768709
Build log

Description of problem:
If I run a custom 389-ds container based on the fedora33 image with rootless podman, SELinux prevents dscontainer from relabelto access on the file slapd-collations.conf and the dscontainer script fails.
In addition, I tried to run containers from a custom image based on quay.io/centos/centos:stream8 and from the image docker.io/389ds/dirsrv:latest provided by one of the 389ds developers, and I got the same result both times.
I believe it's a python3-lib389 issue because /usr/libexec/dirsrv/dscontainer tries to relabel files inside a container.
Also, I reported this bug at 389ds GitHub Issues: https://github.com/389ds/389-ds-base/issues/4714

Version-Release number of selected component (if applicable):
389-ds-base-1.4.4.14-1.fc33.x86_64
python3-lib389-1.4.4.14-1.fc33.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create a 389-ds container image with buildah from quay.io/fedora/fedora:33-x86_64
2. Run a 389-ds container with podman in rootless mode

Actual results:
$ podman run -dt --volume=389ds:/data:z --publish=3389:3389 --publish=3636:3636 --env='DS_DM_PASSWORD=pass' --env='LDAPBASE=dc=test,dc=internal' --env='LDAPBINDDN=cn="Directory Manager"' --health-cmd="/usr/libexec/dirsrv/dscontainer -H" --health-interval=5s --health-retries=2 --health-start-period=5m --health-timeout=5s localhost/fedora33-389-ds:1.4
0f0be61f8cda1de91af557cfe3f4be02c6586efedf1f97a50f1ac95ff193d2e3

$ podman ps -a
CONTAINER ID  IMAGE                          COMMAND               CREATED         STATUS                     PORTS                                           NAMES
0f0be61f8cda  localhost/fedora33-389-ds:1.4  /usr/libexec/dirs...  34 seconds ago  Exited (1) 34 seconds ago  0.0.0.0:3389->3389/tcp, 0.0.0.0:3636->3636/tcp  cool_mendel

$ podman logs cool_mendel
/usr/libexec/dirsrv/dscontainer:435: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if begin_healthcheck(None) is (False, True):
INFO: The 389 Directory Server Container Bootstrap
INFO: Inspired by works of: ITS, The University of Adelaide
INFO: 389 Directory Server Version: 1.4.4.14
INFO: Initialising 389-ds-container due to empty volume ...
DEBUG: Running setup with verbose
DEBUG: START: Starting installation...
DEBUG: READY: Preparing installation for localhost...
DEBUG: PASSED: using config settings 999999999
DEBUG: PASSED: user / group checking
DEBUG: PASSED: prefix checking
DEBUG: list instance not found in /etc/dirsrv/slapd-localhost/dse.ldif: localhost
DEBUG: PASSED: instance checking
DEBUG: INFO: temp root password set to .yYje6mp9T3XQoJSTo.g5WGSJ7vnZV11cEmybfM24DpjsPkKX.H19mIXXUyU9Ovlc
DEBUG: PASSED: root user checking
DEBUG: PASSED: network avaliability checking
DEBUG: READY: Beginning installation for localhost...
DEBUG: ACTION: Creating dse.ldif
DEBUG: ACTION: creating /data/bak
DEBUG: ACTION: creating /etc/dirsrv/slapd-localhost
DEBUG: ACTION: creating /data/db
DEBUG: ACTION: creating /data/ldif
DEBUG: ACTION: creating /data/run/lock
DEBUG: ACTION: creating /data/logs
DEBUG: ACTION: creating /data/run
Traceback (most recent call last):
  File "/usr/libexec/dirsrv/dscontainer", line 433, in <module>
    begin_magic()
  File "/usr/libexec/dirsrv/dscontainer", line 266, in begin_magic
    if not sds.create_from_args(g2b.collect(), s2b.collect()):
  File "/usr/lib/python3.9/site-packages/lib389/instance/setup.py", line 674, in create_from_args
    self._install_ds(general, slapd, backends)
  File "/usr/lib/python3.9/site-packages/lib389/instance/setup.py", line 796, in _install_ds
    shutil.copy2(srcfile, dstfile)
  File "/usr/lib64/python3.9/shutil.py", line 436, in copy2
    copystat(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/lib64/python3.9/shutil.py", line 379, in copystat
    _copyxattr(src, dst, follow_symlinks=follow)
  File "/usr/lib64/python3.9/shutil.py", line 329, in _copyxattr
    os.setxattr(dst, name, value, follow_symlinks=follow_symlinks)
PermissionError: [Errno 13] Permission denied: '/etc/dirsrv/slapd-localhost/slapd-collations.conf'

# ausearch -m avc -c dscontainer
----
time->Sat Apr 3 06:21:09 2021
type=AVC msg=audit(1617420069.924:2667): avc: denied { relabelto } for pid=145082 comm="dscontainer" name="99user.ldif" dev="dm-2" ino=10921724 scontext=system_u:system_r:container_t:s0:c314,c598 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0
----
time->Sat Apr 3 06:21:09 2021
type=AVC msg=audit(1617420069.925:2668): avc: denied { relabelto } for pid=145082 comm="dscontainer" name="slapd-collations.conf" dev="dm-2" ino=24454300 scontext=system_u:system_r:container_t:s0:c314,c598 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0

Expected results:
dscontainer shouldn't relabel files created in the container's volume.

Additional info:
$ cat fedora33-389-ds.sh
#!/usr/bin/env bash
# See also https://build.opensuse.org/package/view_file/home:firstyear/389-ds-container/Dockerfile
set -x
image=$(buildah from quay.io/fedora/fedora:33-x86_64)
buildah run "$image" -- dnf -y install --setopt=install_weak_deps=False \
    389-ds-base python3-lib389
buildah run "$image" -- dnf -y clean all
buildah run "$image" -- mkdir -p /data/{config,ssca,run} /var/run/dirsrv
buildah run "$image" -- ln -s /data/config /etc/dirsrv/slapd-localhost
buildah run "$image" -- ln -s /data/ssca /etc/dirsrv/ssca
buildah run "$image" -- ln -s /data/run /var/run/dirsrv
buildah config --volume /data --port 3389 --port 3636 \
    --cmd "/usr/libexec/dirsrv/dscontainer -r" "$image"
buildah commit "$image" "fedora33-389-ds:1.4"
buildah rm "$image"
set +x

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

$ podman --version
podman version 3.0.1

$ uname -r
5.11.10-200.fc33.x86_64
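The traceback above shows the mechanism: shutil.copy2() calls copystat(), which calls _copyxattr(), which re-applies every extended attribute of the source file to the destination, including security.selinux. Writing that xattr is a relabelto check against the destination's current type (fusefs_t on the rootless volume), which container_t is not allowed. The following is an added example, not code from lib389, dscontainer or the 389-ds project: it parses the two AVC records quoted in the report into fields, flags the ones that are a confined container process relabelling a file, and shows a copy2() substitute that keeps data, mode, timestamps and non-security xattrs but never propagates the security.* namespace, so the destination keeps whatever label the volume's policy assigns to new files. The function names (parse_avc, is_volume_relabel, copy_without_relabel, copy_roundtrip) and the sample records are constructed for this example.

```python
"""Added example (not lib389/dscontainer code): triage relabelto AVCs and
copy a file without carrying the source's SELinux label across."""
import errno
import os
import re
import shutil
import stat
import tempfile

# Constructed copies of the two AVC records from the report above.
SAMPLE_AVC = [
    'type=AVC msg=audit(1617420069.924:2667): avc: denied { relabelto } for '
    'pid=145082 comm="dscontainer" name="99user.ldif" dev="dm-2" ino=10921724 '
    'scontext=system_u:system_r:container_t:s0:c314,c598 '
    'tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1617420069.925:2668): avc: denied { relabelto } for '
    'pid=145082 comm="dscontainer" name="slapd-collations.conf" dev="dm-2" '
    'ino=24454300 scontext=system_u:system_r:container_t:s0:c314,c598 '
    'tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=0',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')     # the { perm ... } list


def parse_avc(line):
    """Split one AVC record into its key=value fields plus a 'perms' list."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    rec["perms"] = m.group(1).split() if m else []
    return rec


def selinux_type(context):
    """user:role:type:level -> type (e.g. fusefs_t)."""
    return context.split(":")[2]


def is_volume_relabel(rec):
    """True when a container_t process was denied relabelto on a file."""
    return ("relabelto" in rec["perms"]
            and selinux_type(rec["scontext"]) == "container_t"
            and rec["tclass"] == "file")


# Propagating anything in this namespace is a relabel, not a metadata copy.
SKIP_XATTR_PREFIXES = ("security.",)


def copy_xattrs_except_security(src, dst):
    """Copy user.*/trusted.* xattrs but never security.*; returns names copied.
    Filesystems without xattr support (ENOTSUP) or non-Linux Pythons yield []."""
    if not hasattr(os, "listxattr"):
        return []
    try:
        names = os.listxattr(src)
    except OSError as e:
        if e.errno == errno.ENOTSUP:
            return []
        raise
    copied = []
    for name in names:
        if name.startswith(SKIP_XATTR_PREFIXES):
            continue                      # leave the label to the target's policy
        os.setxattr(dst, name, os.getxattr(src, name))
        copied.append(name)
    return copied


def copy_without_relabel(src, dst):
    """shutil.copy2() minus the SELinux label: data, mode, timestamps, other xattrs."""
    shutil.copyfile(src, dst)
    st = os.stat(src)
    os.chmod(dst, stat.S_IMODE(st.st_mode))
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
    return copy_xattrs_except_security(src, dst)


def copy_roundtrip(content=b'collation "" "" 1 3 2 1 1 default\n', mode=0o640):
    """Exercise copy_without_relabel on a temp file; returns
    (data preserved, mode preserved, xattr names copied)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "slapd-collations.conf")
        dst = os.path.join(d, "copy.conf")
        with open(src, "wb") as f:
            f.write(content)
        os.chmod(src, mode)
        copied = copy_without_relabel(src, dst)
        with open(dst, "rb") as f:
            same_data = f.read() == content
        same_mode = stat.S_IMODE(os.stat(dst).st_mode) == mode
        return same_data, same_mode, copied


if __name__ == "__main__":
    for rec in map(parse_avc, SAMPLE_AVC):
        print(rec["name"], rec["perms"], selinux_type(rec["scontext"]),
              "->", selinux_type(rec["tcontext"]), "volume relabel:", is_volume_relabel(rec))
    print("copy roundtrip:", copy_roundtrip())
```

On a host with SELinux, os.listxattr() on the source returns security.selinux among the names, and the helper skips it; on a filesystem or sandbox without xattr support it simply copies data and stat. This mirrors the reporter's expected result (no relabel of files created in the volume); the actual upstream change is in the linked GitHub issue, and this example does not claim to reproduce it.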
This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
I believe this is fixed in https://github.com/389ds/389-ds-base/issues/4714 Builds containing fixes should be available in F34 and F35. Please reopen if the problem still persists.