From 202696e3c4de9ffa89281b450ed7cfb61ba9e84a Mon Sep 17 00:00:00 2001
From: Jan Pazdziora
Date: Mon, 30 Dec 2024 19:33:07 +0100
Subject: [PATCH] Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2334087.

The cap_dac_read_search is not among default capabilities in containers, so cap_dac_override is needed.
---
 src/Dockerfile.client | 6 ++++++
 src/Dockerfile.idp | 6 ++++++
 src/Dockerfile.www | 6 ++++++
 src/Dockerfile.www-with-app | 6 ++++++
 4 files changed, 24 insertions(+)

diff --git a/src/Dockerfile.client b/src/Dockerfile.client
index 77644c0..ebf4046 100644
--- a/src/Dockerfile.client
+++ b/src/Dockerfile.client
@@ -2,6 +2,12 @@ FROM registry.fedoraproject.org/fedora:41
 RUN dnf install -y /usr/sbin/ipa-client-install openssh-server xauth firefox dejavu-sans-fonts dejavu-sans-mono-fonts /usr/bin/xargs python3-xvfbwrapper python3-selenium python3-legacy-cgi xorg-x11-server-Xvfb && dnf clean all
 RUN curl -LO https://github.com/mozilla/geckodriver/releases/download/v0.34.0/geckodriver-v0.34.0-linux64.tar.gz
 RUN tar xvzf geckodriver-v0.34.0-linux64.tar.gz && mv geckodriver /usr/local/bin/
+
+# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2334087
+RUN mkdir /usr/lib/systemd/system/sssd.service.d
+RUN ( echo '[Service]' ; sed '/^CapabilityBoundingSet=/!d; s/CAP_DAC_READ_SEARCH/& CAP_DAC_OVERRIDE/' /usr/lib/systemd/system/sssd.service ) > /usr/lib/systemd/system/sssd.service.d/capabilities.conf
+RUN setcap cap_dac_override+ep /usr/libexec/sssd/ldap_child
+
 COPY init-data ipa-client-enroll populate-data-volume setup-authorized-keys /usr/sbin/
 COPY http-klist-kinit-kpasswd http-server /usr/local/bin/
 
diff --git a/src/Dockerfile.idp b/src/Dockerfile.idp
index 477b3ad..b08da3f 100644
--- a/src/Dockerfile.idp
+++ b/src/Dockerfile.idp
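Review bot: The sed in the third added RUN of src/Dockerfile.client writes a drop-in containing only `[Service]` when /usr/lib/systemd/system/sssd.service has no `CapabilityBoundingSet=` line that mentions CAP_DAC_READ_SEARCH, so a change in the fedora:41 sssd package would silently turn the workaround into a no-op while the build still succeeds; the identical hunks in src/Dockerfile.idp, src/Dockerfile.www and src/Dockerfile.www-with-app have the same gap. Failing the build instead keeps the intent visible, e.g. `RUN grep -q '^CapabilityBoundingSet=.*CAP_DAC_READ_SEARCH' /usr/lib/systemd/system/sssd.service` before generating the file, and `RUN mkdir -p /usr/lib/systemd/system/sssd.service.d` so the step also survives a package that already ships the drop-in directory. CAP_DAC_OVERRIDE bypasses write permission checks as well as read/search, so it is strictly broader than the capability the bug is about; the comment should record that the widening is confined to ldap_child by the file capability and is meant to be removed, e.g. `# TODO: drop once bz 2334087 is fixed; CAP_DAC_OVERRIDE is broader than CAP_DAC_READ_SEARCH`.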
@@ -1,5 +1,11 @@
 FROM registry.fedoraproject.org/fedora:41
 RUN dnf install -y /usr/sbin/ipa-client-install /usr/sbin/ipsilon-server-install ipsilon-authform ipsilon-saml2 ipsilon-openidc ipsilon-infosssd sqlite openssl && dnf clean all
+
+# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2334087
+RUN mkdir /usr/lib/systemd/system/sssd.service.d
+RUN ( echo '[Service]' ; sed '/^CapabilityBoundingSet=/!d; s/CAP_DAC_READ_SEARCH/& CAP_DAC_OVERRIDE/' /usr/lib/systemd/system/sssd.service ) > /usr/lib/systemd/system/sssd.service.d/capabilities.conf
+RUN setcap cap_dac_override+ep /usr/libexec/sssd/ldap_child
+
 COPY init-data ipa-client-enroll ipsilon-server-configure ipsilon-server-wait-for-sp populate-data-volume /usr/sbin/
 COPY ipa-client-enroll.service ipsilon-server-configure.service ipsilon-server-wait-for-sp.service populate-data-volume.service /usr/lib/systemd/system/
 RUN ln -s /usr/lib/systemd/system/ipa-client-enroll.service /usr/lib/systemd/system/default.target.wants/
diff --git a/src/Dockerfile.www b/src/Dockerfile.www
index ead5a62..b09bc53 100644
--- a/src/Dockerfile.www
+++ b/src/Dockerfile.www
@@ -1,5 +1,11 @@
 FROM registry.fedoraproject.org/fedora:41
 RUN dnf install -y /usr/sbin/ipa-client-install /usr/bin/ipsilon-client-install ipsilon-saml2 httpd mod_ssl mod_auth_gssapi mod_auth_openidc mod_intercept_form_submit mod_lookup_identity sssd-dbus /usr/bin/xargs openssl && dnf clean all
+
+# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2334087
+RUN mkdir /usr/lib/systemd/system/sssd.service.d
+RUN ( echo '[Service]' ; sed '/^CapabilityBoundingSet=/!d; s/CAP_DAC_READ_SEARCH/& CAP_DAC_OVERRIDE/' /usr/lib/systemd/system/sssd.service ) > /usr/lib/systemd/system/sssd.service.d/capabilities.conf
+RUN setcap cap_dac_override+ep /usr/libexec/sssd/ldap_child
+
 COPY init-data ipa-client-enroll ipsilon-client-configure populate-data-volume www-setup-apache /usr/sbin/
 COPY ipa-client-enroll.service ipsilon-client-configure.service populate-data-volume.service www-setup-apache.service /usr/lib/systemd/system/
 RUN ln -s /usr/lib/systemd/system/ipa-client-enroll.service /usr/lib/systemd/system/default.target.wants/
diff --git a/src/Dockerfile.www-with-app b/src/Dockerfile.www-with-app
index 41e3e0a..dc3c3f5 100644
--- a/src/Dockerfile.www-with-app
+++ b/src/Dockerfile.www-with-app
@@ -1,5 +1,11 @@
 FROM registry.fedoraproject.org/fedora:41
 RUN dnf install -y /usr/sbin/ipa-client-install /usr/bin/ipsilon-client-install ipsilon-saml2 httpd mod_ssl mod_auth_gssapi mod_intercept_form_submit mod_lookup_identity sssd-dbus /usr/bin/xargs /usr/bin/systemd-tmpfiles openssl && dnf clean all
+
+# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2334087
+RUN mkdir /usr/lib/systemd/system/sssd.service.d
+RUN ( echo '[Service]' ; sed '/^CapabilityBoundingSet=/!d; s/CAP_DAC_READ_SEARCH/& CAP_DAC_OVERRIDE/' /usr/lib/systemd/system/sssd.service ) > /usr/lib/systemd/system/sssd.service.d/capabilities.conf
+RUN setcap cap_dac_override+ep /usr/libexec/sssd/ldap_child
+
 COPY init-data ipa-client-enroll ipsilon-client-configure populate-data-volume www-setup-apache /usr/sbin/
 COPY ipa-client-enroll.service ipsilon-client-configure.service populate-data-volume.service www-setup-apache.service /usr/lib/systemd/system/
 RUN ln -s /usr/lib/systemd/system/ipa-client-enroll.service /usr/lib/systemd/system/default.target.wants/