Bug 2456368

Summary: avc: denied { create } for comm="rpc.mountd" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=netlink_generic_socket permissive=0
Product: [Fedora] Fedora
Reporter: Yongcheng Yang <yoyang>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: rawhide
CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux

Description Yongcheng Yang 2026-04-08 07:08:24 UTC
There is a new AVC denied warning emitted for rpc.mountd when mounting NFS in version 3:
[root@kvm-01-guest02 ~]# >/var/log/audit/audit.log
[root@kvm-01-guest02 ~]# grep denied /var/log/audit/audit.log
[root@kvm-01-guest02 ~]# ./repro.sh
[root@kvm-01-guest02 ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1775631690.243:814): avc:  denied  { create } for  pid=6004 comm="rpc.mountd" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1775631690.492:817): avc:  denied  { create } for  pid=6004 comm="rpc.mountd" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=netlink_generic_socket permissive=0
[root@kvm-01-guest02 ~]# 
[root@kvm-01-guest02 ~]# cat repro.sh
#!/bin/bash
mkdir -p /export /mnt/localhost

systemctl restart nfs-server

exportfs -ua
exportfs localhost:/export

mount -t nfs -ov3,sec=sys localhost:/export /mnt/localhost
umount /mnt/localhost
[root@kvm-01-guest02 ~]# rpm -q nfs-utils selinux-policy
nfs-utils-2.9.1-0.fc45.x86_64
selinux-policy-43.6-1.fc45.noarch
[root@kvm-01-guest02 ~]#

Reproducible: Always

Steps to Reproduce:
1. export an NFS share to localhost
2. mount the export with vers=3
3. check /var/log/audit/audit.log
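
For triage, the two AVC records in the description can be collapsed into a single denied access vector. The following is an added example, not part of the original report or of selinux-policy: the function names (`parse_avc`, `summarize`, `denied_rule`) are hypothetical, and the rule string it prints only restates what was denied in policy syntax; it is not the maintainers' fix.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the report above, embedded so the example runs offline.
SAMPLE_LOG = '''\
type=AVC msg=audit(1775631690.243:814): avc:  denied  { create } for  pid=6004 comm="rpc.mountd" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1775631690.492:817): avc:  denied  { create } for  pid=6004 comm="rpc.mountd" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=netlink_generic_socket permissive=0
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\(\d+\.\d+:(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    return rec

def summarize(log_text):
    """Group denials by (source type, target, class, comm) and merge their permissions."""
    groups = defaultdict(lambda: {'perms': set(), 'serials': [], 'enforced': False})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src = rec['scontext'].split(':')[2]  # context is user:role:type:level
        # Identical contexts mean the process acted on its own object ("self" in policy).
        tgt = 'self' if rec['scontext'] == rec['tcontext'] else rec['tcontext'].split(':')[2]
        g = groups[(src, tgt, rec['tclass'], rec['comm'])]
        g['perms'].update(rec['perms'])
        g['serials'].append(rec['serial'])
        g['enforced'] |= rec.get('permissive') == '0'  # 0 = access was actually blocked
    return dict(groups)

def denied_rule(key, group):
    """Render the denied access vector in allow-rule syntax for the bug triage notes."""
    src, tgt, tclass, _comm = key
    return f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(group['perms']))} }};"

if __name__ == '__main__':
    for key, group in summarize(SAMPLE_LOG).items():
        print(key[3], group['serials'], group['enforced'], denied_rule(key, group))
```

Both records reduce to one vector: `nfsd_t` creating a `netlink_generic_socket` of its own, blocked in enforcing mode.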