Bug 2050774

Summary: Spurious "uavc: op=load_policy lsm=selinux seqno=2 res=1" output on update
Product: [Fedora] Fedora Reporter: Orion Poplawski <orion>
Component: rpmAssignee: Zdenek Pytela <zpytela>
Status: CLOSED UPSTREAM QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: 35CC: Ajaykumar.Rajappa, dwalsh, grepl.miroslav, igor.raits, lvrabec, madhu.tarikere, mdomonko, mmalik, omosnace, packaging-team-maint, pkoncity, pmatilai, pmoravco, vmojzis, vmukhame, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-10-11 08:40:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Orion Poplawski 2022-02-04 15:50:28 UTC 
Description of problem:

We run dnf-automatic regularly via cron.  When selinux-policy updates the following output is generated:

uavc:  op=load_policy lsm=selinux seqno=2 res=1

In general, package updates should not produce any output.

Version-Release number of selected component (if applicable):
selinux-policy-35.13-1.fc35.noarch
Comment 1 Ajaykumar Rajappa 2022-05-29 10:51:04 UTC 
We are also been observing similar log message(uavc:  op=load_policy lsm=selinux seqno=21 res=1) while installing our PowerPath rpm package. In general it should not produce such logs. 

Note: PowerPath also load its custom policy and redirect any logs from semodule to /dev/null 

We didn't see this in case of RHEL8.

 

# rpm -ivh /tmp/DellEMCPower.LINUX-8.5.0.00.00-056.RHEL9.x86_64.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:EMCpower.LINUX-8.5.0.00.00-056.el################################# [100%]
All trademarks used herein are the property of their respective owners.

*** IMPORTANT ***
Please check the following configurations before starting PowerPath:
   - Add _netdev to /etc/fstab mount options for PowerPath pseudo devices.
   - Set LVM global_filter in /etc/lvm/lvm.conf according to PowerPath recommendation.
   - Blacklist all devices in /etc/multipath.conf and stop multipathd service.
   - Install PowerPath license(s) and ensure that policy is not set to BasicFailover.
   - If no license is available, ensure that only one HBA port is active in the host.
     PowerPath supports only single-HBA configuration when unlicensed.
Refer to PowerPath Installation and Administration Guide for details.


Installation or use of PowerPath software indicates agreement with the
End User License Agreement available at /etc/opt/emcpower/EULA.pdf.

Non Disruptive Upgrade (NDU) is supported from PowerPath Linux 6.5 or higher releases.
Please refer to support documents for more information.

uavc:  op=load_policy lsm=selinux seqno=21 res=1
#
Comment 2 Panu Matilainen 2022-09-22 08:22:16 UTC 
This is caused by newer libselinux issuing such log messages on selinux_status_updated() which rpm-selinux-plugin calls to see whether somebody updated the policy while a transaction is running. Such as selinux-policy loading a new policy from its scriptlets. I find it all somewhat strange, but seems it's rpm's responsibility to suppress the message, reassigning.

More details in bug 2123719.