Bug 2156760
| Summary: | dnf upgrade fails on RHEL 8.4 E4S when fapolicyd is enabled. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Ameya Patil <amepatil> |
| Component: | fapolicyd | Assignee: | Radovan Sroka <rsroka> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.4 | CC: | amepatil, dapospis, kwalker, prjagtap |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-02-08 16:02:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
What is the rpm-plugin-fapolicyd package version? Is it planned (by dnf) to be updated at once with fapolicyd or is it at version rpm-plugin-fapolicyd-4.14.3-14.el8_4.3 already?

Basically the same behaviour should be fixed by https://bugzilla.redhat.com/show_bug.cgi?id=2124524 which was delivered by the RHBA-2022:6989-02 on 2022-10-18.

You do not see any FANOTIFY event as the issue is on the rpm side rather than on the fapolicyd side. Basically the rpm should be updated before any other update which causes restart of fapolicyd (might be also systemd update). Unfortunately there's no way for us to ensure it to happen in two independent update cycles. There should be a KB article created for this.

I will try to get more information.

Hi Dalibor,

My apologies for the delay, I no longer have the original system I did a test on. The test I did was on the fresh install of RHEL 8.4 since it was only reproducible on the RHEL 8.4 EUS repositories, I started with RHEL 8.4 fresh system.

The version of the "rpm-plugin-fapolicyd" package hence came from the RHEL 8.4 ISO - i.e. rpm-plugin-fapolicyd-4.14.3-13.el8.x86_64

I believe there was also an update to rpm-plugin-fapolicyd package in my transaction though I did not note it during that time.

I read the other Bugzilla you referenced - bug#2124524, the issue referenced there in its parent BZ bug#2110787, and the issue mentioned there seems to be very similar to the one mentioned here. However one thing I see from my system's state is that I am able to update the same system with initial set of packages to RHEL 8.7 (or RHEL 8.6 onward the scriptlets used in fapolicyd version 1.1.+)

Do you mean I should first update the "rpm-plugin-fapolicyd" individually to the newest version from RHEL 8.4 E4S and then try updating the system again on RHEL 8.4 E4S? Please correct me if I am wrong.

I will do this test by tomorrow and reply back.

Thanks,
Ameya

> The test I did was on the fresh install of RHEL 8.4 since it was only reproducible on the RHEL 8.4 EUS repositories , I started with RHEL 8.4 fresh system.
Correction - The test I did was on the fresh install of RHEL 8.4 since it was reproducible on the RHEL 8.4 E4S repositories , I started with RHEL 8.4 fresh system.
> Do you mean I should first update the "rpm-plugin-fapolicyd" individually to
> the newest version from RHEL 8.4 E4S and then try updating the system again
> on RHEL 8.4 E4S ? Please correct me if I am wrong ?
> I will do this test by tomorrow and reply back.
Yes please. Unfortunately that's the reality now. There's a clutch between the fapolicyd and the rpm-plugin-fapolicyd. Once the fapolicyd gets restarted during the update, the old rpm plugin still tries to communicate with the previously running fapolicyd instance. Therefore the plugin needs to be updated separately as the updated version takes effect at the start of the next rpm transaction.
Hi Dalibor,

Thanks a lot for your help with the fix.

I did a test and can confirm that if I update the "rpm-plugin-fapolicyd" first before the other package the upgrade goes through without errors.

Just to confirm the earlier issue if I am still able to reproduce the original issue I tested that if I do a normal dnf update as per the BZ description, I still see the hang. While updating the "rpm-plugin-fapolicyd" before the main dnf transaction works without problems.

Notes:

- Initial set of packages on RHEL 8.4 fresh install subscribed to E4S repos yet to be updated.

~~~
# rpm -qa | grep fapolicy | sort
fapolicyd-1.0.2-6.el8.x86_64
fapolicyd-selinux-1.0.2-6.el8.noarch
rpm-plugin-fapolicyd-4.14.3-13.el8.x86_64
~~~

- Updated "rpm-plugin-fapolicyd" to the errata version.

~~~
# dnf update rpm-plugin-fapolicyd
Updating Subscription Management repositories.
Last metadata expiration check: 0:01:23 ago on Tue 07 Feb 2023 04:44:50 PM EST.
Dependencies resolved.
====================================================================================================================================================
 Package                      Architecture   Version             Repository                             Size
====================================================================================================================================================
Upgrading:
 python3-rpm                  x86_64         4.14.3-14.el8_4.3   rhel-8-for-x86_64-baseos-e4s-rpms      158 k
 rpm                          x86_64         4.14.3-14.el8_4.3   rhel-8-for-x86_64-baseos-e4s-rpms      542 k
 rpm-build                    x86_64         4.14.3-14.el8_4.3   rhel-8-for-x86_64-appstream-e4s-rpms   173 k
 rpm-build-libs               x86_64         4.14.3-14.el8_4.3   rhel-8-for-x86_64-baseos-e4s-rpms      156 k
 rpm-libs                     x86_64         4.14.3-14.el8_4.3   rhel-8-for-x86_64-baseos-e4s-rpms      340 k
 rpm-plugin-fapolicyd         x86_64         4.14.3-14.el8_4.3   rhel-8-for-x86_64-appstream-e4s-rpms    78 k
 rpm-plugin-selinux           x86_64         4.14.3-14.el8_4.3   rhel-8-for-x86_64-baseos-e4s-rpms       77 k
 rpm-plugin-systemd-inhibit   x86_64         4.14.3-14.el8_4.3   rhel-8-for-x86_64-baseos-e4s-rpms       78 k

Transaction Summary
====================================================================================================================================================
Upgrade  8 Packages

Total download size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/8): python3-rpm-4.14.3-14.el8_4.3.x86_64.rpm                   182 kB/s | 158 kB     00:00
(2/8): rpm-4.14.3-14.el8_4.3.x86_64.rpm                           618 kB/s | 542 kB     00:00
(3/8): rpm-plugin-selinux-4.14.3-14.el8_4.3.x86_64.rpm             86 kB/s |  77 kB     00:00
(4/8): rpm-plugin-systemd-inhibit-4.14.3-14.el8_4.3.x86_64.rpm    219 kB/s |  78 kB     00:00
(5/8): rpm-libs-4.14.3-14.el8_4.3.x86_64.rpm                      823 kB/s | 340 kB     00:00
(6/8): rpm-build-libs-4.14.3-14.el8_4.3.x86_64.rpm                239 kB/s | 156 kB     00:00
(7/8): rpm-build-4.14.3-14.el8_4.3.x86_64.rpm                     546 kB/s | 173 kB     00:00
(8/8): rpm-plugin-fapolicyd-4.14.3-14.el8_4.3.x86_64.rpm          246 kB/s |  78 kB     00:00
----------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                             993 kB/s | 1.6 MB     00:01
warning: /var/cache/dnf/rhel-8-for-x86_64-baseos-e4s-rpms-f4e85a47cfb5562e/packages/rpm-plugin-selinux-4.14.3-14.el8_4.3.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Red Hat Enterprise Linux 8 for x86_64 - BaseOS - Update Services for SAP Solutions (RPMs)   4.9 MB/s | 5.0 kB     00:00
Importing GPG key 0xFD431D51:
 Userid     : "Red Hat, Inc. (release key 2) <security>"
 Fingerprint: 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Key imported successfully
Importing GPG key 0xD4082792:
 Userid     : "Red Hat, Inc. (auxiliary key) <security>"
 Fingerprint: 6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                          1/1
  Upgrading        : rpm-libs-4.14.3-14.el8_4.3.x86_64                       1/16
  Running scriptlet: rpm-libs-4.14.3-14.el8_4.3.x86_64                       1/16
  Upgrading        : rpm-4.14.3-14.el8_4.3.x86_64                            2/16
  Upgrading        : rpm-build-libs-4.14.3-14.el8_4.3.x86_64                 3/16
  Running scriptlet: rpm-build-libs-4.14.3-14.el8_4.3.x86_64                 3/16
  Upgrading        : python3-rpm-4.14.3-14.el8_4.3.x86_64                    4/16
  Upgrading        : rpm-build-4.14.3-14.el8_4.3.x86_64                      5/16
  Upgrading        : rpm-plugin-selinux-4.14.3-14.el8_4.3.x86_64             6/16
  Upgrading        : rpm-plugin-systemd-inhibit-4.14.3-14.el8_4.3.x86_64     7/16
  Upgrading        : rpm-plugin-fapolicyd-4.14.3-14.el8_4.3.x86_64           8/16
  Cleanup          : python3-rpm-4.14.3-13.el8.x86_64                        9/16
  Cleanup          : rpm-build-4.14.3-13.el8.x86_64                         10/16
  Cleanup          : rpm-build-libs-4.14.3-13.el8.x86_64                    11/16
  Running scriptlet: rpm-build-libs-4.14.3-13.el8.x86_64                    11/16
  Cleanup          : rpm-plugin-fapolicyd-4.14.3-13.el8.x86_64              12/16
  Cleanup          : rpm-plugin-systemd-inhibit-4.14.3-13.el8.x86_64        13/16
  Cleanup          : rpm-plugin-selinux-4.14.3-13.el8.x86_64                14/16
  Cleanup          : rpm-4.14.3-13.el8.x86_64                               15/16
  Cleanup          : rpm-libs-4.14.3-13.el8.x86_64                          16/16
  Running scriptlet: rpm-libs-4.14.3-13.el8.x86_64                          16/16
  Verifying        : rpm-plugin-selinux-4.14.3-14.el8_4.3.x86_64             1/16
  Verifying        : rpm-plugin-selinux-4.14.3-13.el8.x86_64                 2/16
  Verifying        : python3-rpm-4.14.3-14.el8_4.3.x86_64                    3/16
  Verifying        : python3-rpm-4.14.3-13.el8.x86_64                        4/16
  Verifying        : rpm-4.14.3-14.el8_4.3.x86_64                            5/16
  Verifying        : rpm-4.14.3-13.el8.x86_64                                6/16
  Verifying        : rpm-plugin-systemd-inhibit-4.14.3-14.el8_4.3.x86_64     7/16
  Verifying        : rpm-plugin-systemd-inhibit-4.14.3-13.el8.x86_64         8/16
  Verifying        : rpm-libs-4.14.3-14.el8_4.3.x86_64                       9/16
  Verifying        : rpm-libs-4.14.3-13.el8.x86_64                          10/16
  Verifying        : rpm-build-libs-4.14.3-14.el8_4.3.x86_64                11/16
  Verifying        : rpm-build-libs-4.14.3-13.el8.x86_64                    12/16
  Verifying        : rpm-build-4.14.3-14.el8_4.3.x86_64                     13/16
  Verifying        : rpm-build-4.14.3-13.el8.x86_64                         14/16
  Verifying        : rpm-plugin-fapolicyd-4.14.3-14.el8_4.3.x86_64          15/16
  Verifying        : rpm-plugin-fapolicyd-4.14.3-13.el8.x86_64              16/16
Installed products updated.

Upgraded:
  python3-rpm-4.14.3-14.el8_4.3.x86_64
  rpm-4.14.3-14.el8_4.3.x86_64
  rpm-build-4.14.3-14.el8_4.3.x86_64
  rpm-build-libs-4.14.3-14.el8_4.3.x86_64
  rpm-libs-4.14.3-14.el8_4.3.x86_64
  rpm-plugin-fapolicyd-4.14.3-14.el8_4.3.x86_64
  rpm-plugin-selinux-4.14.3-14.el8_4.3.x86_64
  rpm-plugin-systemd-inhibit-4.14.3-14.el8_4.3.x86_64

Complete!
~~~

- Now it's updated.

~~~
# rpm -qa | grep fapolicyd | sort
fapolicyd-1.0.2-6.el8.x86_64
fapolicyd-selinux-1.0.2-6.el8.noarch
rpm-plugin-fapolicyd-4.14.3-14.el8_4.3.x86_64
~~~

- After this the transaction went through without errors. I see that, as you had mentioned, there are "rpm-plugin-fapolicy" messages that it's waiting for the service connection to resume because the fapolicyd was restarted as part of the update in the fapolicyd scriptlets, which it now detects and waits for connecting back to the new process.

~~~
Transaction test succeeded.
Running transaction
  Running scriptlet: fapolicyd-1.0.2-6.el8_4.2.x86_64      1/1
  Preparing        :                                        1/1
  Running scriptlet: bash-4.4.20-2.el8_4.x86_64            1/1
  Upgrading        : bash-4.4.20-2.el8_4.x86_64            1/288
warning: rpm-plugin-fapolicyd: waiting for the service connection to resume, it can take up to 60 seconds
warning: rpm-plugin-fapolicyd: the service connection has resumed
  Running scriptlet: bash-4.4.20-2.el8_4.x86_64            1/288
  Upgrading        : libgcc-8.4.1-1.1.el8_4.x86_64         2/288
~~~

Thanks,
Ameya

Closing this as a Duplicate of 2110787.

Note, the solution is available via the 8.4.0 Z-stream releases with the following Errata:
https://access.redhat.com/errata/RHBA-2022:6989
It still does require the individual package to be updated prior to the rest of the system transaction.
*** This bug has been marked as a duplicate of bug 2110787 ***
Description of problem:

Performing an upgrade on a RHEL 8.4 E4S system with the fapolicyd service installed and enabled causes the upgrade to fail during the yum transaction phase when the fapolicyd scriptlets are run.

I observed that the fapolicyd service scriptlets are the first thing that run before upgrade of any package, and as other packages start being upgraded, in a few seconds' time the upgrade gets stuck and the dnf process can't be stopped or interrupted with CTRL-C at this point.

~~~
# dnf update
Updating Subscription Management repositories.
Last metadata expiration check: 0:09:20 ago on Wed 28 Dec 2022 08:59:03 AM EST.
Dependencies resolved.
===================================================================================================================================
 Package              Arch      Version            Repository                             Size
===================================================================================================================================
[..output skipped..]
 fapolicyd            x86_64    1.0.2-6.el8_4.2    rhel-8-for-x86_64-appstream-e4s-rpms   107 k
 fapolicyd-selinux    noarch    1.0.2-6.el8_4.2    rhel-8-for-x86_64-appstream-e4s-rpms    25 k
[..output skipped..]
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: fapolicyd-1.0.2-6.el8_4.2.x86_64          1/1
  Preparing        :                                            1/1
  Running scriptlet: bash-4.4.20-2.el8_4.x86_64                1/1
  Upgrading        : bash-4.4.20-2.el8_4.x86_64                1/296
  Running scriptlet: bash-4.4.20-2.el8_4.x86_64                1/296
  Upgrading        : zlib-1.2.11-18.el8_4.x86_64               2/296
  Upgrading        : libgcc-8.4.1-1.1.el8_4.x86_64             3/296
  Running scriptlet: libgcc-8.4.1-1.1.el8_4.x86_64             3/296
  Upgrading        : xz-libs-5.2.4-4.el8_4.x86_64              4/296
  Upgrading        : libcom_err-1.45.6-2.el8_4.x86_64          5/296
  Running scriptlet: libcom_err-1.45.6-2.el8_4.x86_64          5/296
  Upgrading        : libstdc++-8.4.1-1.1.el8_4.x86_64          6/296
  Running scriptlet: libstdc++-8.4.1-1.1.el8_4.x86_64          6/296
  Upgrading        : grub2-common-1:2.02-99.el8_4.9.noarch     7/296
  Upgrading        : chkconfig-1.13-2.el8_4.1.x86_64           8/296
  Upgrading        : expat-2.2.5-4.el8_4.4.x86_64              9/296
  Upgrading        : perl-libs-4:5.26.3-419.el8_4.1.x86_64 [======================================================== ] 10/296
[..stuck at this point indefinitely..]
^C^C^C^C^C^C^C
~~~

We need to log in to the system through another terminal and then kill the dnf process using SIGKILL. The strace of the process seems to suggest that this happened around the installation where fapolicyd seems to be trying to add the entry with the checksum of the process to the fapolicyd database. This results in the system update being interrupted and leads to duplicate packages for a few packages which were upgraded before the upgrade got stuck.

~~~
# ps -elf | grep dnf
4 S root        5535    5238 10  80   0 - 206524 -     09:08 pts/0    00:00:21 /usr/libexec/platform-python /usr/bin/dnf update
0 S root        5620    5598  0  80   0 -  3034 -      09:11 pts/1    00:00:00 grep --color=auto dnf

# pstree -slap 5535
systemd,1 --switched-root --system --deserialize 17
  └─sshd,920 -D -oCiphers=aes256-gcm,chacha20-poly1305, [...output skipped...]
      └─sshd,5222
          └─sshd,5237
              └─bash,5238
                  └─dnf,5535 /usr/bin/dnf update

# strace -fTttvyys 4096 -p 5535
strace: Process 5535 attached
09:12:53.979435 write(45</run/fapolicyd/fapolicyd.fifo (deleted)>, "/usr/share/perl5/unicore/lib/Nv/20.pl 854 75d3e8bd0b2587460dac6ae4eac1bfad7bea0b80f38fa0c61bed9eeac2a73c14\n", 107^Cstrace: Process 5535 detached
 <detached ...>
~~~

We don't see any FANOTIFY or any errors in the fapolicyd process denying any access to particular execution. Also I don't think the issue would be with the fapolicyd permissions since the issue also occurs even when the fapolicyd service is running in permissive mode.

~~~
# ausearch --start today -m fanotify --raw | aureport --file --summary

File Summary Report
===========================
total  file
===========================
<no events of interest were found>
~~~

I see that the daemon got restarted, possibly by the rpm pretransaction scriptlets, and I think this may somehow be contributing to this issue. Because every time I reproduced this the fapolicyd scriptlets are seen running during the start of the transaction after the download phase, and a few seconds later, as the system installs a few rpms, the system is seen stuck.

~~~
]# systemctl status fapolicyd
● fapolicyd.service - File Access Policy Daemon
   Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-12-28 09:10:09 EST; 8min ago
  Process: 5578 ExecStart=/usr/sbin/fapolicyd (code=exited, status=0/SUCCESS)
 Main PID: 5580 (fapolicyd)
    Tasks: 4 (limit: 4930)
   Memory: 37.2M
   CGroup: /system.slice/fapolicyd.service
           └─5580 /usr/sbin/fapolicyd

Dec 28 09:10:09 rhel8-default.test.local systemd[1]: Started File Access Policy Daemon.
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: fapolicyd integrity is 0
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Loading rpmdb backend
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Checking database
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Importing data from rpmdb backend
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Importing data from file backend
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Entries in DB: 19820
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Loaded from all backends(without duplicates): 19820
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Database checks OK
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Starting to listen for events
~~~

Journal logs do not show any issue apart from the restart which took place.

~~~
# journalctl -b -u fapolicyd
-- Logs begin at Wed 2022-12-28 08:51:33 EST, end at Wed 2022-12-28 09:11:33 EST. --
Dec 28 08:56:44 rhel8-default.test.local systemd[1]: Starting File Access Policy Daemon...
Dec 28 08:56:44 rhel8-default.test.local systemd[1]: fapolicyd.service: Can't open PID file /run/fapolicyd.pid (yet?) after start:>
Dec 28 08:56:44 rhel8-default.test.local fapolicyd[5495]: Initializing the database
Dec 28 08:56:44 rhel8-default.test.local fapolicyd[5495]: Database migration will be performed.
Dec 28 08:56:44 rhel8-default.test.local systemd[1]: Started File Access Policy Daemon.
Dec 28 08:56:44 rhel8-default.test.local fapolicyd[5495]: fapolicyd integrity is 0
Dec 28 08:56:44 rhel8-default.test.local fapolicyd[5495]: Loading rpmdb backend
Dec 28 08:56:45 rhel8-default.test.local fapolicyd[5495]: Creating database
Dec 28 08:56:45 rhel8-default.test.local fapolicyd[5495]: Loading data from rpmdb backend
Dec 28 08:56:45 rhel8-default.test.local fapolicyd[5495]: Loading data from file backend
Dec 28 08:56:45 rhel8-default.test.local fapolicyd[5495]: Starting to listen for events
Dec 28 09:10:08 rhel8-default.test.local fapolicyd[5495]: shutting down...
Dec 28 09:10:08 rhel8-default.test.local systemd[1]: Stopping File Access Policy Daemon...
Dec 28 09:10:09 rhel8-default.test.local systemd[1]: fapolicyd.service: Succeeded.
Dec 28 09:10:09 rhel8-default.test.local systemd[1]: Stopped File Access Policy Daemon.
Dec 28 09:10:09 rhel8-default.test.local systemd[1]: Starting File Access Policy Daemon...
Dec 28 09:10:09 rhel8-default.test.local systemd[1]: fapolicyd.service: Can't open PID file /run/fapolicyd.pid (yet?) after start:>
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Initializing the database
Dec 28 09:10:09 rhel8-default.test.local systemd[1]: Started File Access Policy Daemon.
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: fapolicyd integrity is 0
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Loading rpmdb backend
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Checking database
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Importing data from rpmdb backend
Dec 28 09:10:09 rhel8-default.test.local fapolicyd[5580]: Importing data from file backend
~~~

We are able to work around the issue by disabling fapolicyd temporarily during the upgrade process.

Version-Release number of selected component (if applicable):

When upgrading to since I think the issue might be with the new rpms post transaction scriptlets instead of the existing rpm,

fapolicyd-1.0.2-6.el8_4.2.x86_64
fapolicyd-selinux-1.0.2-6.el8_4.2.x86_64

For reference I had tested this when upgrading from below versions to the above version,

fapolicyd-1.0.2-6.el8.x86_64
fapolicyd-selinux-1.0.2-6.el8.noarch

as well as, from below version to the above listed version

fapolicyd-1.0.2-6.el8_4.1.x86_64
fapolicyd-selinux-1.0.2-6.el8_4.1.x86_64

How reproducible:

Every time with RHEL 8.4 E4S release fapolicyd

Steps to Reproduce:

1. Install RHEL 8.4 System using ISO and subscribe and enable RHEL 8.4 E4S release

# subscription-manager register
# subscription-manager attach --pool=XXX
# subscription-manager repos --enable rhel-8-for-x86_64-baseos-e4s-rpms --enable rhel-8-for-x86_64-appstream-e4s-rpms --disable rhel-8-for-x86_64-baseos-rpms --disable rhel-8-for-x86_64-appstream-rpms
# subscription-manager release --set=8.4

2. Ensure the following fapolicyd rpms are installed and start and enable the fapolicyd service

~~~
# rpm -qa | grep fapolicy | sort
fapolicyd-1.0.2-6.el8.x86_64
fapolicyd-selinux-1.0.2-6.el8.noarch
rpm-plugin-fapolicyd-4.14.3-13.el8.x86_64
~~~

# systemctl enable --now fapolicyd
# systemctl status fapolicyd

3. Perform yum update while the fapolicyd is enabled.

# dnf update

Actual results:

The dnf transaction gets stuck and needs to be killed through another session and the system has duplicate packages.

Expected results:

For dnf transaction to complete successfully.

Additional info:

We checked and I did not see this issue happen when upgrading to RHEL 8.7 (or RHEL 8.6) fapolicyd from the RHEL 8.4 version of the RPM.

(Upgrade to RHEL 8.6 below, there is no pretransaction script run for fapolicyd)

~~~
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: filesystem-3.8-6.el8.x86_64                       1/1
  Preparing        :                                                    1/1
  Running scriptlet: libgcc-8.5.0-10.1.el8_6.x86_64                    1/1
  Upgrading        : libgcc-8.5.0-10.1.el8_6.x86_64                    1/606
  Running scriptlet: libgcc-8.5.0-10.1.el8_6.x86_64                    1/606
  Upgrading        : filesystem-3.8-6.el8.x86_64                       2/606
  Upgrading        : python3-pip-wheel-9.0.3-22.el8.noarch             3/606
[...output skipped...]
  Upgrading        : policycoreutils-python-utils-2.9-19.el8.noarch    220/606
  Running scriptlet: fapolicyd-selinux-1.1-6.el8_6.1.noarch            221/606
  Upgrading        : fapolicyd-selinux-1.1-6.el8_6.1.noarch            221/606
  Running scriptlet: fapolicyd-selinux-1.1-6.el8_6.1.noarch            221/606
  Running scriptlet: fapolicyd-1.1-6.el8_6.1.x86_64                    222/606
  Upgrading        : fapolicyd-1.1-6.el8_6.1.x86_64                    222/606
  Running scriptlet: fapolicyd-1.1-6.el8_6.1.x86_64                    222/606
  Upgrading        : python3-perf-4.18.0-372.32.1.el8_6.x86_64         223/606
[...output skipped...]
  Running scriptlet: fapolicyd-1.0.2-6.el8.x86_64                      361/606
  Cleanup          : fapolicyd-1.0.2-6.el8.x86_64                      361/606
  Running scriptlet: fapolicyd-1.0.2-6.el8.x86_64                      361/606
[...output skipped...]
~~~

We checked the rpm scriptlets used in RHEL 8.7 (or RHEL 8.6 onward the scriptlets used in fapolicyd version 1.1.+) and found that it's quite different from the one used in RHEL 8.4.

In the RHEL 8.7 rpm there are no pretransaction scriptlets at all, and we see that in RHEL 8.4's case the pretransaction is run at the very start of the dnf transaction, after which we see this issue with the system being stuck. And hence we suspect that the issue might be with the pretransaction scriptlets.
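
A diagnostic for the hang described above, as an added example that is not part of the bug report or of fapolicyd: the strace output shows dnf writing to `/run/fapolicyd/fapolicyd.fifo (deleted)`, so this script scans `/proc/<pid>/fd` for descriptors that still point at the FIFO of a daemon instance that has been restarted. The function names and the `PROC_ROOT` parameter are assumptions made for illustration; the sample tree is constructed from the PIDs and descriptor number quoted in the report.

```shell
#!/bin/sh
# Added example: locate processes still holding the fapolicyd trust FIFO of a
# daemon instance that no longer exists. After the daemon restarts, the old
# FIFO is unlinked and the kernel reports the link target with " (deleted)".

FIFO_PATH="/run/fapolicyd/fapolicyd.fifo"   # path as shown in the strace output

# stale_fifo_holders [PROC_ROOT]
# Prints one "PID COMM FD" line per descriptor pointing at the deleted FIFO.
# PROC_ROOT (assumed parameter) defaults to /proc so the scan can also be run
# against a constructed directory tree.
stale_fifo_holders() {
    proc_root="${1:-/proc}"
    for pid_dir in "$proc_root"/[0-9]*; do
        [ -d "$pid_dir/fd" ] || continue
        pid="${pid_dir##*/}"
        comm="$(cat "$pid_dir/comm" 2>/dev/null || echo '?')"
        for fd in "$pid_dir"/fd/*; do
            # Unreadable fd directories leave the glob unexpanded; skip those.
            [ -L "$fd" ] || continue
            target="$(readlink "$fd" 2>/dev/null)" || continue
            if [ "$target" = "$FIFO_PATH (deleted)" ]; then
                echo "$pid $comm ${fd##*/}"
            fi
        done
    done
}

# make_sample_proc DIR
# Builds a constructed /proc-like tree: PID 5535 (dnf) holds fd 45 on the
# deleted FIFO as in the report; PID 5580 (the restarted daemon) holds the
# live FIFO on a constructed fd number and must not be reported.
make_sample_proc() {
    root="$1"
    mkdir -p "$root/5535/fd" "$root/5580/fd"
    echo dnf > "$root/5535/comm"
    echo fapolicyd > "$root/5580/comm"
    ln -s "/dev/pts/0" "$root/5535/fd/1"
    ln -s "$FIFO_PATH (deleted)" "$root/5535/fd/45"
    ln -s "$FIFO_PATH" "$root/5580/fd/7"
}
```

Run `stale_fifo_holders` as root on the affected host while the transaction is hung; a `dnf` line in the output matches the state captured by strace in this report.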