Hi,

I don't know which component is at fault here - selinux-policy or rpcbind - but ever since the selinux-policy-3.13.1-225.fc25 update, I've been getting SELinux denials at boot, because rpcbind.sock does not have the expected context:

Dec 06 09:44:32 setroubleshoot[1251]: SELinux is preventing rpc.mountd from write access on the sock_file rpcbind.sock. For complete SELinux messages. run sealert -l 6c76b5b3-c506-40a7-9d62-dc19227283d7
Dec 06 09:44:32 python3[1251]: SELinux is preventing rpc.mountd from write access on the sock_file rpcbind.sock.

# matchpathcon -V /var/run/rpc*
/var/run/rpcbind verified.
/var/run/rpcbind.lock has context system_u:object_r:var_run_t:s0, should be system_u:object_r:rpcbind_var_run_t:s0
/var/run/rpcbind.sock has context system_u:object_r:var_run_t:s0, should be system_u:object_r:rpcbind_var_run_t:s0

I can set the expected context with restorecon, but at the next reboot the socket file will be recreated with the default var_run_t.

If you think this should be addressed by the SELinux folks (same result with selinux-policy-3.13.1-225.1.fc25), please feel free to change the assigned component.

I currently have rpcbind-0.2.4-0.fc25.x86_64.

I use autofs to automatically mount NFS shares, and I seem to be affected by this bug too. If I run "ls /some/autofs/mount/point" I find that the kernel logs the following:

type=AVC msg=audit(1481082148.750:248): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481082148.750:249): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481082148.751:250): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481082148.752:251): avc: denied { listen } for pid=1 comm="systemd" path="/run/rpcbind.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481082148.752:252): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1481082148.752:253): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1481082148.752:254): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1481082148.752:255): avc: denied { listen } for pid=1 comm="systemd" lport=111 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1481082148.752:256): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1481082148.753:257): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1481082148.753:258): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=udp_socket permissive=1

I am running selinux-policy-3.13.1-224.fc25.noarch.

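An added example, not part of the original report: a small Python triage script that groups AVC records like those in the comment above by source type, target type and object class, and notes whether any of them were actually enforced (permissive=1 means the access was logged but allowed). The function names are this example's own; the three sample records are copied from the comment above.

```python
import re
from collections import defaultdict

# Three of the records from the comment above, used as sample input.
SAMPLE = """\
type=AVC msg=audit(1481082148.750:248): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481082148.752:251): avc: denied { listen } for pid=1 comm="systemd" path="/run/rpcbind.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481082148.752:255): avc: denied { listen } for pid=1 comm="systemd" lport=111 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)", re.DOTALL)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(record):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def selinux_type(context):
    """Extract the type from a user:role:type:level context string."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set(), "enforced": False})
    # Split before each "type=AVC" so records pasted onto one line still parse.
    for record in re.split(r"(?=type=AVC\b)", text):
        fields = parse_avc(record)
        if fields is None:
            continue
        key = (selinux_type(fields["scontext"]),
               selinux_type(fields["tcontext"]), fields["tclass"])
        group = groups[key]
        group["perms"].update(fields["perms"])
        if "path" in fields:
            group["paths"].add(fields["path"])
        if fields.get("permissive") != "1":
            group["enforced"] = True  # at least one denial really blocked the access
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE).items()):
        mode = "enforced" if g["enforced"] else "permissive only"
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} [{mode}]")
```
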
*** This bug has been marked as a duplicate of bug 1402083 ***