Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2123719

Summary: Weird "uavc: op=load_policy lsm=selinux seqno=11 res=1" printed to terminal when updating/installing a package
Product: Red Hat Enterprise Linux 9 Reporter: Petr Lautrbach <plautrba>
Component: rpmAssignee: Florian Festi <ffesti>
Status: CLOSED ERRATA QA Contact: Tomáš Bajer <tbajer>
Severity: low Docs Contact:
Priority: low    
Version: 9.0CC: dwalsh, John.Cronin, kazen, lvrabec, mbanas, mmalik, plautrba, pmatilai, qe-baseos-security, rmetrich, sbueno, tbajer, vmojzis
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: 9.2Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rpm-4.16.1.3-21.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 2123637 Environment:
Last Closed: 2023-05-09 08:23:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2094166, 2133507    

Description Petr Lautrbach 2022-09-02 12:06:59 UTC 
+++ This bug was initially created as a clone of Bug #2123637 +++

Description of problem:

This seems to apply to RHEL9 only.
When installing or updating a package modifying the policy, the following message is sent to STDERR:
~~~
uavc:  op=load_policy lsm=selinux seqno=XX res=1
~~~

The message is overwritten later by "yum" because the message has no carriage-return.

Digging into this, this message is emitted by avc_process_policyload():
~~~
 79 int avc_process_policyload(uint32_t seqno)
 :
 83         avc_log(SELINUX_POLICYLOAD,
 84                 "%s:  op=load_policy lsm=selinux seqno=%u res=1",
 85                 avc_prefix, seqno);
 :
~~~

which gets called through rpm-plugin-selinux, as seen using a systemtap script:
~~~
# stap -v -d /usr/bin/python3 -d /usr/lib64/libselinux.so.1 -d /usr/lib64/rpm-plugins/selinux.so -d /usr/lib64/librpm.so.9.1.3 -d kernel -d /usr/lib64/python3.9/site-packages/rpm/_rpm.cpython-39-x86_64-linux-gnu.so --ldd -e 'probe syscall.write { if ((fd == 2) && (buf_str =~ "uavc")) { print_usyms(ubacktrace()) } }
[...]

 0x7f0502c2b15f : write+0x4f/0xa0 [/usr/lib64/libc.so.6]
 0x7f0502b831fd : _IO_file_write@@GLIBC_2.2.5+0x2d/0xa0 [/usr/lib64/libc.so.6]
 0x7f0502b82576 : new_do_write+0x66/0x170 [/usr/lib64/libc.so.6]
 0x7f0502b838ce : _IO_file_xsputn@@GLIBC_2.2.5+0x16e/0x1f0 [/usr/lib64/libc.so.6]
 0x7f0502b70a5e : buffered_vfprintf+0x12e/0x230 [/usr/lib64/libc.so.6]
 0x7f05010198fd : default_selinux_log+0xad/0xd0 [/usr/lib64/libselinux.so.1]
 0x7f05010237ae : avc_process_policyload+0xce/0x140 [/usr/lib64/libselinux.so.1]
 0x7f05010313a2 : selinux_status_updated+0xf2/0x150 [/usr/lib64/libselinux.so.1]
 0x7f04fde9d445 : sehandle_init+0xf5/0x120 [/usr/lib64/rpm-plugins/selinux.so]
 0x7f05015fd911 : rpmpsmRun.part.0+0x121/0x1070 [/usr/lib64/librpm.so.9.1.3]
 0x7f050161186e : rpmteProcess+0x1be/0x310 [/usr/lib64/librpm.so.9.1.3]
 0x7f050162b640 : runTransScripts.isra.0+0x40/0x70 [/usr/lib64/librpm.so.9.1.3]
 0x7f0501617a55 : rpmtsRun+0x2a25/0x2cd0 [/usr/lib64/librpm.so.9.1.3]
 0x7f05021d91f8 : rpmts_Run+0xc8/0x140 [...hon3.9/site-packages/rpm/_rpm.cpython-39-x86_64-linux-gnu.so]
 0x7f0502e0eb61 : method_vectorcall_VARARGS_KEYWORDS+0x181/0x1d0 [/usr/lib64/libpython3.9.so.1.0]
 0x7f0502e06129 : _PyEval_EvalFrameDefault+0x5149/0x7a40 [/usr/lib64/libpython3.9.so.1.0]
 0x7f0502e0df33 : function_code_fastcall+0xa3/0x120 [/usr/lib64/libpython3.9.so.1.0]
 0x7f0502e16261 : method_vectorcall+0x81/0x2a0 [/usr/lib64/libpython3.9.so.1.0]
 0x7f0502e06129 : _PyEval_EvalFrameDefault+0x5149/0x7a40 [/usr/lib64/libpython3.9.so.1.0]
 0x7f0502e000dd : _PyEval_EvalCode+0x2dd/0xe40 [/usr/lib64/libpython3.9.so.1.0]
~~~


Version-Release number of selected component (if applicable):

libselinux-3.3-2.el9.x86_64
rpm-plugin-selinux-4.16.1.3-12.el9_0.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Remove "container-selinux" package

  # yum -y remove container-selinux

2. Install "container-selinux" package

  # yum -y install container-selinux

Actual results:

Message printed during scriptlet execution then disappearing

Expected results:

No message (the information about reload is also in the journal because of "dbus-broker"):
~~~
Sep 02 10:52:06 vm-binfmt9 dbus-broker-launch[696]: avc:  op=load_policy lsm=selinux seqno=33 res=1
~~~

Additional info:

Seems new to RHEL8 and doesn't always happen.

--- Additional comment from Petr Lautrbach on 2022-09-02 14:05:23 CEST ---

There are 2 issues I guess:

1. there's no new line in the message sent to stderr

2. rpm should set a logging callback using selinux_set_callback() if it wants to suppress libselinux to log on stderr, see this simple code:

int func_log(int type, const char *fmt, ...) {
  char *buf;
  va_list ap;

  va_start(ap, fmt);
  vasprintf(&buf, fmt, ap);
  va_end(ap);
  printf("my_logger: %s\n", buf);
  free(buf);
  return 1;
}


int main() {
  union selinux_callback callback;

  selinux_status_open(0);

  selinux_status_updated();
  selinux_mkload_policy(0);
  selinux_status_updated();

  selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &func_log);
  selinux_mkload_policy(0);
  selinux_status_updated();
}
Comment 1 Panu Matilainen 2022-09-02 12:21:17 UTC 
That looks to me like something intended for /var/log/audit/audit.log rather than anybodys stderr, and indeed looking at my own host, such messages can be seen there. Seems the message is just getting "misrouted" someplace.

Rpm has not and does not want anything to do with these logs, including getting callbacks on them. There's already a bug on libselinux to track the issue, closing this one.
Comment 2 Petr Lautrbach 2022-09-02 12:36:18 UTC 
libselinux itself logs everything to stderr. It's up to SELinux aware application, in this case selinux plugin in rpm, to re-route messages to a better place if it's necessary. For example see dbus-broker code https://github.com/bus1/dbus-broker/blob/701759a08f5982f515308c269a8e224fc433f4af/src/util/selinux.c#L347

Also there are few hints in SELinux notebook about how to implement SELinux aware application - 
https://github.com/SELinuxProject/selinux-notebook/blob/main/src/implementing_seaware_apps.md#implementing-selinux-aware-applications

    5. The standard output for messages generated by libselinux functions is stderr. Use selinux_set_callback(3) with SELINUX_CB_LOG type to redirect these to a log handler.
Comment 3 Panu Matilainen 2022-09-02 12:57:16 UTC 
This makes no sense to me. Rpm's handling of this hasn't changed at all, and somehow being RHEL 9 specific makes me even more suspicious - again this stuff looks like an audit event destined to audit.log, not your random callback anywhere. From my F36 laptop:

[root@localhost ~]# grep load_policy /var/log/audit/audit.log|tail -3
type=USER_MAC_POLICY_LOAD msg=audit(1659945712.723:502): pid=1282 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=load_policy lsm=selinux seqno=4 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_MAC_POLICY_LOAD msg=audit(1661323577.794:7063): pid=1321 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=load_policy lsm=selinux seqno=2 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_MAC_POLICY_LOAD msg=audit(1662098771.841:8641): pid=1321 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=load_policy lsm=selinux seqno=3 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
Comment 4 Petr Lautrbach 2022-09-05 10:53:14 UTC 
(In reply to Panu Matilainen from comment #3)
> From my F36 laptop:
> 
> [root@localhost ~]# grep load_policy /var/log/audit/audit.log|tail -3
> type=USER_MAC_POLICY_LOAD msg=audit(1659945712.723:502): pid=1282 uid=81
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: 
> op=load_policy lsm=selinux seqno=4 res=1 exe="/usr/bin/dbus-broker" sauid=81
> hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
> type=USER_MAC_POLICY_LOAD msg=audit(1661323577.794:7063): pid=1321 uid=81
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: 
> op=load_policy lsm=selinux seqno=2 res=1 exe="/usr/bin/dbus-broker" sauid=81
> hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
> type=USER_MAC_POLICY_LOAD msg=audit(1662098771.841:8641): pid=1321 uid=81
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: 
> op=load_policy lsm=selinux seqno=3 res=1 exe="/usr/bin/dbus-broker" sauid=81
> hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

This is the result of the code I linked above. dbus-broker sets callback which call utils_audit_log - https://github.com/bus1/dbus-broker/blob/92142f321fc80c76ab1cc973ce2defa1039cac4a/src/util/audit.c#L104
Comment 5 Panu Matilainen 2022-09-05 12:40:11 UTC 
This seems backwards to me: one point of auditing is that stuff gets logged no matter who does it, but in this case it's up to the caller to jump through additional hoops to deliver the message, or ignore it.

Rpm also does *not* load the policy here, it just polls whether it's been updated via selinux_status_updated(). Why should that send such a message? And finally: that selinux_status_updated() call has been in rpm for over a decade. What changed, and why apparently only in RHEL 9?
Comment 6 John Cronin 2022-09-20 01:03:51 UTC 
We are too getting this error with RHEL9 while installing rpm with selinux enabled, this error displayed on terminal, also seen in dmesg.
avc_process_policyload() getting called,

easily reproducible

1. with rpm install.
also with
2.
yum -y remove container-selinux
yum -y install container-selinux

This error not seen with RHEL8/RHEL7
Comment 7 Panu Matilainen 2022-09-20 11:06:15 UTC 
Note that this is does NOT indicate an error, it's just "informative" audit message that the selinux policy got reloaded, ending up in wrong address basically.
Comment 8 Panu Matilainen 2022-09-22 08:15:20 UTC 
After a bit of investigation: this did not happen in older versions simply because said code in libselinux did not exist there, it was added and then changed to current format in these commits: 
https://github.com/SELinuxProject/selinux/commit/a4149e0eab50092699f05217cbf10a60d84d8d20
https://github.com/SELinuxProject/selinux/commit/7ef5b1854f75056d23e60aabc86706dfed622669

So that part of the mystery solved, but : rpm is NOT loading the policy here, it's merely polling to see whether it was. So we're hitting this message because somebody loaded a policy (from the package scriptlet in this case) and rpm - while a transaction running - is interested in tracking whether just that happened.

But okay, actually testing it reveals that the policy load itself does get audited despite rpm not relaying the message anywhere. So it's okay from that POV, all rpm needs is to just set the callback to ignore such output because we're not interested, really.

devel_ack+ for silencing the message.
Comment 9 Panu Matilainen 2022-09-22 09:16:27 UTC 
Oh and as for why I hadn't seen this myself: the message does occur anytime selinux-policies get updated, but dnf progress output masks the line shortly after it appears, so unless you're actually watching dnf output, you'll never see it in the terminal. From the rpm cli it's very obvious.
Comment 10 Petr Lautrbach 2022-09-22 09:54:58 UTC 
Thanks. This particular code is not exactly new, it was just refactored. I've been looking into this as well and it's possible that the logging simply should not be there. If you can please hold the PR a bit until I discuss it with libselinux upstream.
Comment 11 Panu Matilainen 2022-09-22 10:16:31 UTC 
Sure. Thanks!
Comment 12 Panu Matilainen 2022-10-11 08:29:27 UTC 
After sleeping a few nights on it, I ended up thinking rpm is better off adding the callback *regardless* of this issue: that way critical libselinux errors get routed to rpmlog as they should. 

I also noticed upstream is reluctant to change it, so lets just add the callback, it's the right thing to do for other reasons. That the "spurious" audit message also gets dealt with is like an added bonus. I'll just adjust the upstream commit message to match this.
Comment 13 Petr Lautrbach 2022-10-14 09:37:45 UTC 
Thank You. Debian used the same approach as you did with your PR - https://lore.kernel.org/selinux/20221011160700.82258-1-cgzones@googlemail.com/
Comment 24 errata-xmlrpc 2023-05-09 08:23:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rpm bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2538