This is a recreation of this downstream issue: fedora/ostree/sig#89 Moving it here at request from commenter. See their comment for additional investigation they did: https://gitlab.com/fedora/ostree/sig/-/issues/89#note_2753522575 --- ## Context: I'm trying to build a custom atomic image based on the U-Blue Bazzite image and I'm having issues getting the `freeipa-client` package to work. I was able to determine that the issue I'm having is because the `/usr/libexec/sssd/selinux_child` binary is not owned by the sssd group (it is owned by `root:root`). This file is installed by the `sssd-ipa` package, and when installed through `rpm-ostree` layering and other methods that package does correctly install the `selinux_child`. ## Debugging: I was able to walk up the bootc container layers up to the `quay.io/fedora-ostree-desktops/base-atomic:42` image, so this is not a problem specific to U-Blue/Bazzite but rather the base Fedora atomic images (or the `sssd-ipa` package but I'm not sure why this specific package doesn't work when the other `sssd*` packages do seem to work). When running inside that container (I'm using `podman` 5.6.1) one can run: ```bash dnf install -y sssd-ipa ``` and it installs (`sssd-ipa-0:2.11.1-1.fc42.x86_64`) with the following warning: ``` >>> [RPM] group sssd does not exist - using root >>> [RPM] user sssd does not exist - using root >>> [RPM] group sssd does not exist - using root ``` upon inspection of `/usr/libexec/sssd/selinux_child` it is indeed owned by `root:root` and not `root:sssd` like it should. I've checked that the `sssd` group does exist, and in fact other files under `/usr/libexec/sssd/` are owned by `root:sssd` so it should work. This same error is also seen when built from a `Containerfile` in a Github action run so I don't think it is specific to my local `podman`. I'm a bit out of my depth at this point so if anyone has any thoughts on how to resolve this please let me know. If there is other information I can provide please ask. Thank you!