OK, I see what the problem is; your logs helped track it down. It has to do with a change I made to the ordering of one particular check: overriding DAC when trying to access a directory. The way the upstream kernel works is by first checking for CAP_DAC_OVERRIDE and then for CAP_DAC_READ_SEARCH for this case. The problem (as evidenced by SELinux policies that were claimed to be written manually by experts, but were clearly developed from audit2allow) is that CAP_DAC_OVERRIDE, being a superset of CAP_DAC_READ_SEARCH, would be the only capability learned, ending up with a weaker policy.

So I had reordered it so that CAP_DAC_READ_SEARCH would be checked first, but then there's another problem. If the process only had CAP_DAC_OVERRIDE allowed in policy, then it would get a denied CAP_DAC_READ_SEARCH each time, even though it's not necessary. Hence the addition of the initial _nolog variant, though the short-circuit behavior means that nothing would get learned in this case. What would normally happen is that a process triggering this check would likely hit one of the other checks when overriding DAC to read/write a file, and would get learned at that point.

I'll have to think a bit about a fix, but will have it in the upcoming 4.9 patch (and I'll provide a split-out version for you here).
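As an added illustration (not the author's kernel code), here is a toy model of the three orderings of the directory DAC-override check described in the post and what each leaves in the audit log for a given policy. It assumes a process is just the bitmask of capabilities its policy allows, and that a policy generator "learns" every denial that reaches the log; the `capable_log`/`capable_nolog` helpers and `struct proc` are simplifications for the model.

```c
/* Added model, not the author's kernel code.  Assumption: a process is just
 * the bitmask of capabilities its policy allows, and a policy generator
 * "learns" every denial that reaches the audit log. */
#include <stdbool.h>

enum { CAP_DAC_OVERRIDE = 1u, CAP_DAC_READ_SEARCH = 2u };  /* bit flags */

struct proc {
    unsigned caps;    /* capabilities the policy allows this process */
    unsigned logged;  /* denials written to the audit log, as bit flags */
};

/* Like capable(): a miss is audited and can therefore be learned. */
static bool capable_log(struct proc *p, unsigned cap)
{
    if (p->caps & cap)
        return true;
    p->logged |= cap;
    return false;
}

/* The _nolog variant: a miss leaves nothing in the audit log. */
static bool capable_nolog(struct proc *p, unsigned cap)
{
    return (p->caps & cap) != 0;
}

/* Upstream order: the broader CAP_DAC_OVERRIDE is tried first, so a process
 * that only needs CAP_DAC_READ_SEARCH still logs a CAP_DAC_OVERRIDE denial. */
bool dir_override_upstream(struct proc *p)
{
    return capable_log(p, CAP_DAC_OVERRIDE) || capable_log(p, CAP_DAC_READ_SEARCH);
}

/* Reordered: CAP_DAC_READ_SEARCH first.  A process allowed only
 * CAP_DAC_OVERRIDE still passes, but logs an unnecessary denial. */
bool dir_override_reordered(struct proc *p)
{
    return capable_log(p, CAP_DAC_READ_SEARCH) || capable_log(p, CAP_DAC_OVERRIDE);
}

/* Initial check silent: no spurious denial, but || short-circuits past the
 * silent miss, so a CAP_DAC_READ_SEARCH need is never recorded from here. */
bool dir_override_nolog_first(struct proc *p)
{
    return capable_nolog(p, CAP_DAC_READ_SEARCH) || capable_log(p, CAP_DAC_OVERRIDE);
}
```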