Description of problem: We run dnf-automatic regularly via cron. When selinux-policy updates the following output is generated: uavc: op=load_policy lsm=selinux seqno=2 res=1 In general, package updates should not produce any output. Version-Release number of selected component (if applicable): selinux-policy-35.13-1.fc35.noarch
We are also been observing similar log message(uavc: op=load_policy lsm=selinux seqno=21 res=1) while installing our PowerPath rpm package. In general it should not produce such logs. Note: PowerPath also load its custom policy and redirect any logs from semodule to /dev/null We didn't see this in case of RHEL8. # rpm -ivh /tmp/DellEMCPower.LINUX-8.5.0.00.00-056.RHEL9.x86_64.rpm Verifying... ################################# [100%] Preparing... ################################# [100%] Updating / installing... 1:EMCpower.LINUX-8.5.0.00.00-056.el################################# [100%] All trademarks used herein are the property of their respective owners. *** IMPORTANT *** Please check the following configurations before starting PowerPath: - Add _netdev to /etc/fstab mount options for PowerPath pseudo devices. - Set LVM global_filter in /etc/lvm/lvm.conf according to PowerPath recommendation. - Blacklist all devices in /etc/multipath.conf and stop multipathd service. - Install PowerPath license(s) and ensure that policy is not set to BasicFailover. - If no license is available, ensure that only one HBA port is active in the host. PowerPath supports only single-HBA configuration when unlicensed. Refer to PowerPath Installation and Administration Guide for details. Installation or use of PowerPath software indicates agreement with the End User License Agreement available at /etc/opt/emcpower/EULA.pdf. Non Disruptive Upgrade (NDU) is supported from PowerPath Linux 6.5 or higher releases. Please refer to support documents for more information. uavc: op=load_policy lsm=selinux seqno=21 res=1 #
This is caused by newer libselinux issuing such log messages on selinux_status_updated() which rpm-selinux-plugin calls to see whether somebody updated the policy while a transaction is running. Such as selinux-policy loading a new policy from its scriptlets. I find it all somewhat strange, but seems it's rpm's responsibility to suppress the message, reassigning. More details in bug 2123719.