diff --git a/fix-lsetxattr-error-in-container.patch b/fix-lsetxattr-error-in-container.patch
new file mode 100644
index 0000000..dfd3184
--- /dev/null
+++ b/fix-lsetxattr-error-in-container.patch
@@ -0,0 +1,65 @@
+From e71114d3b9ccaac80ad8bd198af5acb362f2f28e Mon Sep 17 00:00:00 2001
+From: Zhang Tianxing
+Date: Sat, 18 Oct 2021 20:48:02 +0800
+Subject: [PATCH] fix lsetxattr error in container
+
+The digest list plugin in rpm will set security.ima xattr to IMA digest lists
+when installing or updating an rpm package. However, in a container without
+CAP_SYS_ADMIN, we'll get error messages when calling lsetxattr.
+
+This patch is to skip lsetxattr when CAP_SYS_ADMIN is missing.
+
+Signed-off-by: Zhang Tianxing
+---
+ plugins/digest_list.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/plugins/digest_list.c b/plugins/digest_list.c
+index 992a7e8..4283d5e 100644
+--- a/plugins/digest_list.c
++++ b/plugins/digest_list.c
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -388,6 +389,11 @@ static int process_digest_list(rpmte te, int parser, int pre)
+ struct stat st;
+ ssize_t size;
+ int type = rpmteType(te);
++
++ struct __user_cap_header_struct cap_header_data;
++ cap_user_header_t cap_header = &cap_header_data;
++ struct __user_cap_data_struct cap_data_data;
++ cap_user_data_t cap_data = &cap_data_data;
+ rpmRC ret = RPMRC_OK;
+ 
+ path = malloc(PATH_MAX);
+@@ -445,7 +451,21 @@ static int process_digest_list(rpmte te, int parser, int pre)
+ ret = RPMRC_FAIL;
+ goto out;
+ }
++ }
++
++ /* don't call lsetxattr without CAP_SYS_ADMIN */
++ cap_header->pid = getpid();
++ cap_header->version = _LINUX_CAPABILITY_VERSION_1;
++ if (capget(cap_header, cap_data) < 0) {
++ ret = -ENOENT;
++ goto out;
++ }
++ if (!(cap_data->effective & CAP_TO_MASK(CAP_SYS_ADMIN))) {
++ ret = -EPERM;
++ goto out;
++ }
+ 
++ if (!digest_list_signed) {
+ /* Write RPM header sig to security.ima */
+ ret = write_rpm_digest_list_ima_xattr(te, path);
+ } else {
+-- 
+2.27.0
+
diff --git a/rpm.spec b/rpm.spec
index c736418..0fc8507 100644
--- a/rpm.spec
+++ b/rpm.spec
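Review bot: The new skip path stores negative errno values in `ret`, which this same hunk declares as `rpmRC ret = RPMRC_OK;`, so a caller without CAP_SYS_ADMIN now gets `-EPERM` (or `-ENOENT` when capget() itself fails) back from process_digest_list instead of the clean skip the commit message describes; if the caller, which is outside this hunk, treats anything other than RPMRC_OK as failure, the package install is aborted rather than the lsetxattr being skipped. Both branches should set `ret = RPMRC_OK;` before `goto out;`, and the skip should be logged as a warning through whatever logging facility the plugin already uses, because files installed this way carry no security.ima label and will not appraise on an IMA-enforcing host, which an operator running rpm in a restricted container needs to know. `_LINUX_CAPABILITY_VERSION_1` is the legacy 32-bit capability ABI and the kernel logs a "uses 32-bit capabilities" warning the first time a process uses it; `_LINUX_CAPABILITY_VERSION_3` with `struct __user_cap_data_struct cap_data_data[2];` avoids that, and CAP_SYS_ADMIN lives in the first word either way so the `cap_data->effective` test is unchanged. The body of process_digest_list starts and ends outside this hunk, so the effect of the new return values on its `out:` cleanup and on the caller cannot be confirmed from here.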
@@ -1,6 +1,6 @@
 Name: rpm
 Version: 4.15.1
-Release: 28
+Release: 29
 Summary: RPM Package Manager
 License: GPLv2+
 URL: http://www.rpm.org/
@@ -84,6 +84,8 @@
 Patch71: CVE-2021-20266.patch
 Patch72: backport-build-prioritize-large-packages.patch
 Patch73: backport-Fix-data-race-in-packageBinaries-function.patch
+Patch74: fix-lsetxattr-error-in-container.patch
+
 BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel
 BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel
 BuildRequires: dbus-devel fakechroot elfutils-devel elfutils-libelf-devel ima-evm-utils
@@ -365,6 +367,12 @@ make check || (cat tests/rpmtests.log; exit 0)
 %{_mandir}/man1/gendiff.1*
 
 %changelog
+* Tue Oct 12 2021 Anakin Zhang - 4.15.1-29
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix lsetxattr error in container
+
 * Thu Jul 08 2021 shixuantong - 4.15.1-28
 - Type:bugfix
 - ID:NA