Description of problem:
I'm trying to create an instance under a non-root user, and I see the following messages:

Non privileged user cannot use semanage, will not relabel ports or files.
Perform SELinux labeling ...
...

Even though a non-privileged user can't run semanage, dscreate still tries to run it.
This was fixed in https://github.com/389ds/389-ds-base/commit/199ec65576b4d27351327e9eb02ebcce5e7a36f7

Version-Release number of selected component (if applicable):
389-ds-base-2.1.5-4.module+el9dsrv+16995+8a75ed16.x86_64

How reproducible:
always

Steps to Reproduce:
$ mkdir -p bin
$ dscreate ds-root $HOME/test $HOME/bin
$ cat /tmp/inst.inf
[general]
[slapd]
instance_name = localhost
root_password = password
[backend-userroot]
create_suffix_entry = True
sample_entries = yes
suffix = dc=example,dc=com
$ hash -r
$ dscreate from-file /tmp/inst.inf

Actual results:
Starting installation ...
Validate installation settings ...
Create file system structures ...
Create self-signed certificate database ...
Non privileged user cannot use semanage, will not relabel ports or files.
Perform SELinux labeling ...
setxattr failed: /home/user/test/var/lib/dirsrv/slapd-localhost/bak: Operation not permitted
setxattr failed: /home/user/test/etc/dirsrv/slapd-localhost: Operation not permitted
setxattr failed: /home/user/test/etc/dirsrv/slapd-localhost/schema: Operation not permitted
setxattr failed: /home/user/test/etc/dirsrv/slapd-localhost: Operation not permitted
setxattr failed: /home/user/test/etc/dirsrv/slapd-localhost/schema: Operation not permitted
setxattr failed: /home/user/test/var/lib/dirsrv/slapd-localhost/db: Operation not permitted
setxattr failed: /home/user/test/var/lib/dirsrv/slapd-localhost/ldif: Operation not permitted
setxattr failed: /home/user/test/run/lock/dirsrv/slapd-localhost: Operation not permitted
setxattr failed: /home/user/test/var/log/dirsrv/slapd-localhost: Operation not permitted
setxattr failed: /home/user/test/dev/shm/slapd-localhost: Operation not permitted
setxattr failed: /home/user/test/run/dirsrv: Operation not permitted
setxattr failed: /home/user/test/etc/dirsrv/slapd-localhost/schema: Operation not permitted
setxattr failed: /home/user/test/tmp: Operation not permitted
Non privileged user cannot use semanage, will not relabel ports or files.

Expected results:
dscreate should not relabel directories under a non-root user.

Additional info:
It is a template issue:
- Should disable selinux when creating the instance
- Should also select ports that can be opened by the user

A correct template would be:
[general]
selinux = False
[slapd]
instance_name = localhost
root_password = password
port = 1389
secure_port = 1636
[backend-userroot]
create_suffix_entry = True
sample_entries = yes
suffix = dc=example,dc=com
Now it may also be interesting to see if we can change the dscreate interactive/from-template default values when the user is not root.
Even with selinux = True in the template we should check for selinux_present(). The problem occurs in interactive mode too. You did fix this in https://github.com/389ds/389-ds-base/blob/a8ae34212fb0f3f8a79b1d1342d5641e65883d0b/src/lib389/lib389/instance/setup.py#L949, so we should backport it too.
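The two checks discussed in the comments above (force selinux = False for a non-root user or when SELinux tooling is unavailable, and move privileged ports such as 389/636 to unprivileged ones such as 1389/1636) as an added, stand-alone example; this is not lib389 code, and selinux_present() below is a hypothetical stand-in for the real helper, while the template is the one from this bug:

```python
import configparser
import io
import os
import shutil

# Template copied from this bug report (no selinux key, no explicit ports).
TEMPLATE = """[general]
[slapd]
instance_name = localhost
root_password = password
[backend-userroot]
create_suffix_entry = True
sample_entries = yes
suffix = dc=example,dc=com
"""


def selinux_present():
    # Hypothetical helper (assumption, not lib389's own): SELinux labeling is
    # only attempted if the selinuxfs is mounted and semanage is on PATH.
    return os.path.isdir("/sys/fs/selinux") and shutil.which("semanage") is not None


def check_template(text, euid=None, selinux_ok=None):
    """Validate a dscreate .inf for the current user.

    Returns (adjusted_inf_text, findings). euid/selinux_ok can be passed
    explicitly so the check can be exercised without root or SELinux.
    """
    euid = os.geteuid() if euid is None else euid
    selinux_ok = selinux_present() if selinux_ok is None else selinux_ok
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    root = euid == 0

    # Rule 1: never ask dscreate to relabel when it cannot run semanage.
    if cfg.getboolean("general", "selinux", fallback=True) and (not root or not selinux_ok):
        findings.append("selinux forced to False (non-root user or SELinux tooling unavailable)")
        if not cfg.has_section("general"):
            cfg.add_section("general")
        cfg.set("general", "selinux", "False")

    # Rule 2: a non-root user cannot bind ports below 1024; pick the +1000 variants.
    for key, default, alt in (("port", 389, 1389), ("secure_port", 636, 1636)):
        port = cfg.getint("slapd", key, fallback=default)
        if not root and port < 1024:
            findings.append(f"{key} {port} is privileged for uid {euid}; using {alt}")
            cfg.set("slapd", key, str(alt))

    out = io.StringIO()
    cfg.write(out)
    return out.getvalue(), findings
```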
The fix [1] for that BZ came along [2].

[1] https://github.com/389ds/389-ds-base/blob/a8ae34212fb0f3f8a79b1d1342d5641e65883d0b/src/lib389/lib389/instance/setup.py#L949
[2] https://github.com/389ds/389-ds-base/issues/4592
============================== test session starts ==============================
platform linux -- Python 3.9.14, pytest-7.3.1, pluggy-0.13.1 -- /usr/bin/python3
cachedir: .pytest_cache
metadata: {'Python': '3.9.14', 'Platform': 'Linux-5.14.0-162.23.1.el9_1.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '7.3.1', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '3.0.0', 'html': '3.2.0', 'libfaketime': '0.1.2', 'flaky': '3.7.0'}}
389-ds-base: 2.1.8-1.module+el9dsrv+18377+a10e6f72
nss: 3.79.0-17.el9_1
nspr: 4.34.0-17.el9_1
openldap: 2.6.2-3.el9
cyrus-sasl: 2.1.27-20.el9
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests
configfile: pytest.ini
plugins: metadata-3.0.0, html-3.2.0, libfaketime-0.1.2, flaky-3.7.0
collected 7 items

dirsrvtests/tests/suites/setup_ds/dscreate_test.py::test_setup_ds_minimal_dry PASSED [ 14%]
dirsrvtests/tests/suites/setup_ds/dscreate_test.py::test_setup_ds_minimal PASSED [ 28%]
dirsrvtests/tests/suites/setup_ds/dscreate_test.py::test_setup_ds_custom_db_dir PASSED [ 42%]
dirsrvtests/tests/suites/setup_ds/dscreate_test.py::test_setup_ds_as_non_root PASSED [ 57%]
dirsrvtests/tests/suites/setup_ds/dscreate_test.py::test_setup_ds_as_non_root_with_non_canonic_paths PASSED [ 71%]
dirsrvtests/tests/suites/setup_ds/dscreate_test.py::test_setup_ds_as_non_root_with_default_options PASSED [ 85%]
dirsrvtests/tests/suites/setup_ds/dscreate_test.py::test_dscreate_non_root_defaults PASSED [100%]

======================= 7 passed, 2 warnings in 115.82s (0:01:55) =======================

Marking as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: redhat-ds:12 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:3489