Description of problem:
SELinux labeling for dirsrv files seen during ipa install should be moved to DEBUG.

Version-Release number of selected component (if applicable):
ipa-server-4.9.10-8.module+el8.8.0+17351+9a3fb056.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server. Check the message displayed on the console.
2. Uninstall IPA server

Actual results:
---IPA Install---
Perform SELinux labeling ...
Setting label dirsrv_var_lib_t in seLinux file context /var/lib/dirsrv/slapd-TESTRELM-TEST/bak.
Setting label dirsrv_config_t in seLinux file context /etc/dirsrv/slapd-TESTRELM-TEST.
Setting label dirsrv_var_lib_t in seLinux file context /var/lib/dirsrv/slapd-TESTRELM-TEST/db.
Setting label dirsrv_var_lib_t in seLinux file context /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif.
Setting label dirsrv_var_lock_t in seLinux file context /var/run/lock/dirsrv/slapd-TESTRELM-TEST.
Setting label dirsrv_var_log_t in seLinux file context /var/log/dirsrv/slapd-TESTRELM-TEST.
Setting label dirsrv_tmpfs_t in seLinux file context /dev/shm/slapd-TESTRELM-TEST.
Setting label dirsrv_var_run_t in seLinux file context /var/run/dirsrv.
Setting label dirsrv_config_t in seLinux file context /etc/dirsrv/slapd-TESTRELM-TEST/schema.

---IPA Uninstall---
Unconfiguring directory server
Removing seLinux file context /dev/shm/slapd-TESTRELM-TEST with label dirsrv_tmpfs_t.
Removing seLinux file context /etc/dirsrv/slapd-TESTRELM-TEST with label dirsrv_config_t.
Removing seLinux file context /etc/dirsrv/slapd-TESTRELM-TEST/schema with label dirsrv_config_t.
Removing seLinux file context /var/lib/dirsrv/slapd-TESTRELM-TEST/bak with label dirsrv_var_lib_t.
Removing seLinux file context /var/lib/dirsrv/slapd-TESTRELM-TEST/db with label dirsrv_var_lib_t.
Removing seLinux file context /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif with label dirsrv_var_lib_t.
Removing seLinux file context /var/log/dirsrv/slapd-TESTRELM-TEST with label dirsrv_var_log_t.
Removing seLinux file context /var/run/dirsrv with label dirsrv_var_run_t.
Removing seLinux file context /var/run/lock/dirsrv/slapd-TESTRELM-TEST with label dirsrv_var_lock_t.

Expected results:
The above information should be part of DEBUG rather than INFO.

Additional info:

Any reason why it should be under 'debug'? It is generated by the 389-ds code as a part of other operations. We have no control of the level here. If we'd move the whole output that 389-ds generates to DEBUG, it will apply to every single line, not just these ones. I think it is either an invalid request or it should be moved to 389-ds.
Yes, seems like a side-effect of a change in 389-ds. Re-assigning component to see if there is a way to suppress this output.
The root cause is here:
https://github.com/389ds/389-ds-base/blob/389-ds-base-1.4.3/src/lib389/lib389/utils.py#L283-L312

    log.info(f"Setting label {label} in seLinux file context {path}.")

Note that in the main branch, the message is logged with debug level instead of info level:
https://github.com/389ds/389-ds-base/blob/main/src/lib389/lib389/utils.py#L288-L317

    log.debug(f"Setting label {label} in SELinux file context {path}.")

This was fixed as part of https://github.com/389ds/389-ds-base/pull/5525, perhaps a separate backport just for log messages should be done.
Mark, I'm still seeing this in 389-ds-base-1.4.3.36-1.module+el8.9.0+19111+92b42fe2.x86_64:

    # grep -i log.info /usr/lib/python3.6/site-packages/lib389/utils.py | grep -i selinux
    log.info('selinux is disabled, will not relabel ports or files.' )
    log.info(f"Removing seLinux file context {path} with label {local[path]}.")
    log.info(f"Setting label {label} in seLinux file context {path}.")
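
An AST-based version of the grep check in the last comment, added here as an example and not part of the thread or of lib389: it lists every `log.info(...)` call whose message mentions SELinux, including calls split across several lines that a line-based grep would miss. `SAMPLE_SOURCE` is constructed around the three lines quoted above, and `literal_text` and `find_log_calls` are hypothetical helper names.

```python
import ast
import sys

# Constructed sample standing in for lib389/utils.py. The three SELinux
# log.info calls are the ones quoted in the grep output; the rest is filler.
SAMPLE_SOURCE = '''
import logging
log = logging.getLogger(__name__)

def sample_relabel(path, label, local):
    if not selinux_enabled():
        log.info('selinux is disabled, will not relabel ports or files.' )
        return
    log.debug("unrelated debug message")
    log.info(f"Removing seLinux file context {path} with label {local[path]}.")
    log.info(f"Setting label {label} in seLinux file context {path}.")
    log.info("Instance started")
'''

def literal_text(node):
    """Literal text of a string constant or f-string; placeholders become {}."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.JoinedStr):
        return "".join(v.value if isinstance(v, ast.Constant) else "{}"
                       for v in node.values)
    return None

def find_log_calls(source, level="info", keyword="selinux"):
    """Return sorted (lineno, message) for log.<level>() calls mentioning keyword."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and node.args):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == level
                and isinstance(func.value, ast.Name) and func.value.id == "log"):
            continue
        text = literal_text(node.args[0])
        if text is not None and keyword in text.lower():
            hits.append((node.lineno, text))
    return sorted(hits)

if __name__ == "__main__":
    # With a file argument, scan that file; otherwise scan the constructed sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOURCE
    for lineno, text in find_log_calls(src):
        print(f"{lineno}: log.info still used for: {text}")
```

An empty result for the installed `utils.py` means the SELinux messages no longer log at info level.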