Bug 1402083 - SELinux prevents systemd from starting nfs.service
Summary: SELinux prevents systemd from starting nfs.service
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: x86_64
OS: Linux
high
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1401179 1401815 1402067 1402321 1402490 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-06 17:53 UTC by dan
Modified: 2017-11-04 21:31 UTC (History)
151 users (show)

Fixed In Version: selinux-policy-3.13.1-225.3.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-12 14:17:34 UTC
Type: Bug


Attachments (Terms of Use)

Description dan 2016-12-06 17:53:13 UTC
Description of problem:

Boot of newly upgraded FC24 --> FC25 system hangs at start of nfs.service.  Worked fine under FC24.

How reproducible:

Booted into rescue mode and disabled nfs.service.  Rebooted and then started nfs.service manually.

Dec 06 12:50:01 ears.private audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
Dec 06 12:50:01 ears.private systemd[1]: rpcbind.socket: Failed to listen on sockets: Permission denied
Dec 06 12:50:01 ears.private systemd[1]: Failed to listen on RPCbind Server Activation Socket.
Dec 06 12:50:01 ears.private systemd[1]: Dependency failed for NFS status monitor for NFSv2/3 locking..
Dec 06 12:50:01 ears.private systemd[1]: rpc-statd.service: Job rpc-statd.service/start failed with result 'dependency'.
Dec 06 12:50:01 ears.private systemd[1]: Starting Preprocess NFS configuration...
Dec 06 12:50:01 ears.private systemd[1]: Started Preprocess NFS configuration.
Dec 06 12:50:01 ears.private audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 06 12:50:01 ears.private audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 06 12:50:01 ears.private systemd[1]: Starting NFS Mount Daemon...
Dec 06 12:50:01 ears.private systemd[1]: Starting NFSv4 ID-name mapping service...
Dec 06 12:50:01 ears.private rpc.mountd[3003]: Could not bind socket: (98) Address already in use
Dec 06 12:50:01 ears.private rpc.mountd[3003]: Could not bind socket: (98) Address already in use
Dec 06 12:50:01 ears.private rpc.mountd[3003]: Could not bind socket: (98) Address already in use
Dec 06 12:50:01 ears.private rpc.mountd[3003]: Could not bind socket: (98) Address already in use
Dec 06 12:50:01 ears.private rpc.mountd[3003]: mountd: No V2 or V3 listeners created!
Dec 06 12:50:01 ears.private rpc.mountd[3006]: Version 1.3.3 starting
Dec 06 12:50:01 ears.private systemd[1]: Started NFS Mount Daemon.
Dec 06 12:50:01 ears.private audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-mountd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 06 12:50:01 ears.private systemd[1]: Started NFSv4 ID-name mapping service.
Dec 06 12:50:01 ears.private audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-idmapd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 06 12:50:01 ears.private systemd[1]: Starting NFS server and services...
Dec 06 12:50:04 ears.private dbus-daemon[1031]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.21' (uid=0 pid=1022 comm="/usr/sbin/sedispatch " label="system_u:system_r:audisp_t:s0") (using servicehelper)
Dec 06 12:50:04 ears.private dbus-daemon[1031]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec 06 12:50:04 ears.private setroubleshoot[3015]: SELinux is preventing systemd from create access on the unix_stream_socket Unknown. For complete SELinux messages. run sealert -l 2fd5b993-12b3-456c-9f0c-3f9e2cd45b4c
Dec 06 12:50:04 ears.private python3[3015]: SELinux is preventing systemd from create access on the unix_stream_socket Unknown.
                                            
                                            *****  Plugin catchall (100. confidence) suggests   **************************
                                            
                                            If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
                                            Then you should report this as a bug.
                                            You can generate a local policy module to allow this access.
                                            Do
                                            allow this access for now by executing:
                                            # ausearch -c 'systemd' --raw | audit2allow -M my-systemd
                                            # semodule -X 300 -i my-systemd.pp

Comment 1 dan 2016-12-06 18:18:45 UTC
Here are all 5 related AVC alerts:

SELinux is preventing systemd from listen access on the unix_stream_socket /run/rpcbind.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed listen access on the rpcbind.sock unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                /run/rpcbind.sock [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          ears.private
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ears.private
Platform                      Linux ears.private 4.8.11-300.fc25.x86_64 #1 SMP
                              Mon Nov 28 18:24:51 UTC 2016 x86_64 x86_64
Alert Count                   4
First Seen                    2016-12-06 12:25:25 EST
Last Seen                     2016-12-06 12:31:11 EST
Local ID                      2d19b0c6-8419-44cf-a606-dc5028f280d7

Raw Audit Messages
type=AVC msg=audit(1481045471.642:261): avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/rpcbind.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0


Hash: systemd,init_t,unconfined_service_t,unix_stream_socket,listen

SELinux is preventing rpc.statd from write access on the file /run/rpc.statd.lock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rpc.statd should be allowed write access on the rpc.statd.lock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpc.statd' --raw | audit2allow -M my-rpcstatd
# semodule -X 300 -i my-rpcstatd.pp

Additional Information:
Source Context                system_u:system_r:rpcd_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                /run/rpc.statd.lock [ file ]
Source                        rpc.statd
Source Path                   rpc.statd
Port                          <Unknown>
Host                          ears.private
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ears.private
Platform                      Linux ears.private 4.8.11-300.fc25.x86_64 #1 SMP
                              Mon Nov 28 18:24:51 UTC 2016 x86_64 x86_64
Alert Count                   8
First Seen                    2016-12-06 11:57:42 EST
Last Seen                     2016-12-06 12:44:10 EST
Local ID                      a2860a18-ca71-4449-bbdf-e4760064e72f

Raw Audit Messages
type=AVC msg=audit(1481046250.863:188): avc:  denied  { write } for  pid=1660 comm="rpc.statd" path="/run/rpc.statd.lock" dev="tmpfs" ino=30773 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0


Hash: rpc.statd,rpcd_t,var_run_t,file,write


SELinux is preventing systemd from create access on the unix_stream_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          ears.private
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ears.private
Platform                      Linux ears.private 4.8.11-300.fc25.x86_64 #1 SMP
                              Mon Nov 28 18:24:51 UTC 2016 x86_64 x86_64
Alert Count                   5
First Seen                    2016-12-06 12:44:10 EST
Last Seen                     2016-12-06 13:11:06 EST
Local ID                      2fd5b993-12b3-456c-9f0c-3f9e2cd45b4c

Raw Audit Messages
type=AVC msg=audit(1481047866.995:504): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0


Hash: systemd,init_t,unconfined_service_t,unix_stream_socket,create

SELinux is preventing systemd from create access on the tcp_socket port None.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed create access on the port None tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                port None [ tcp_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          ears.private
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ears.private
Platform                      Linux ears.private 4.8.11-300.fc25.x86_64 #1 SMP
                              Mon Nov 28 18:24:51 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-12-06 13:12:05 EST
Last Seen                     2016-12-06 13:12:51 EST
Local ID                      82ebace5-5a00-412b-b867-40aeeb0f81e9

Raw Audit Messages
type=AVC msg=audit(1481047971.483:538): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=0


Hash: systemd,init_t,unconfined_service_t,tcp_socket,create


SELinux is preventing systemd from setopt access on the tcp_socket port None.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed setopt access on the port None tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                port None [ tcp_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          ears.private
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ears.private
Platform                      Linux ears.private 4.8.11-300.fc25.x86_64 #1 SMP
                              Mon Nov 28 18:24:51 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-12-06 13:13:37 EST
Last Seen                     2016-12-06 13:13:37 EST
Local ID                      3e9babde-8f2b-4b91-b12e-face139ce79c

Raw Audit Messages
type=AVC msg=audit(1481048017.82:564): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=0


Hash: systemd,init_t,unconfined_service_t,tcp_socket,setopt

Comment 2 dan 2016-12-06 22:10:56 UTC
Works in permissive mode and generates same AVC, so switching to selinux-policy team for review.

Comment 3 Andy Wang 2016-12-07 07:31:21 UTC
I'm seeing the exact same problem.  Also having issues mountng some NFS filesystems resulting in rpc.statd errors.

Comment 4 Lukas Vrabec 2016-12-07 10:10:28 UTC
*** Bug 1401179 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2016-12-07 10:10:33 UTC
*** Bug 1402321 has been marked as a duplicate of this bug. ***

Comment 6 Juan Orti Alcaine 2016-12-07 11:04:16 UTC
Description of problem:
My NFS server does not work. This AVC happens when starting nfs-server.service

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.11-300.fc25.x86_64
type:           libreport

Comment 7 Alexander Korsunsky 2016-12-07 11:50:22 UTC
Description of problem:
Ran `dnf update`, with chrome running in the background.

DNF Transaction was:

Installieren:
 kernel                   x86_64 4.8.11-300.fc25                 updates   91 k
 kernel-core              x86_64 4.8.11-300.fc25                 updates   20 M
 kernel-modules           x86_64 4.8.11-300.fc25                 updates   22 M
 kernel-modules-extra     x86_64 4.8.11-300.fc25                 updates  2.2 M
 texlive-graphics-cfg     noarch 6:svn40269-22.fc25              updates   33 k
 texlive-lualibs          noarch 6:svn40370-22.fc25.1            updates  150 k
Aktualisieren:
 bubblewrap               x86_64 0.1.4-3.fc25                    updates   39 k
 flatpak                  x86_64 0.6.14-2.fc25                   updates  620 k
 flatpak-libs             x86_64 0.6.14-2.fc25                   updates  186 k
 hplip                    x86_64 3.16.11-3.fc25                  updates   13 M
 hplip-common             x86_64 3.16.11-3.fc25                  updates  101 k
 hplip-libs               x86_64 3.16.11-3.fc25                  updates  191 k
 java-1.8.0-openjdk-headless
                          x86_64 1:1.8.0.111-4.b16.fc25          updates   32 M
 kernel-headers           x86_64 4.8.11-300.fc25                 updates  1.1 M
 libbluray                x86_64 0.9.3-3.fc25                    updates  149 k
 libevdev                 x86_64 1.5.5-1.fc25                    updates   38 k
 libmad                   x86_64 0.15.1b-19.fc25                 updates   80 k
 libsane-hpaio            x86_64 3.16.11-3.fc25                  updates  119 k
 mesa-dri-drivers         i686   12.0.4-2.fc25                   updates   11 M
 mesa-dri-drivers         x86_64 12.0.4-2.fc25                   updates   11 M
 mesa-filesystem          i686   12.0.4-2.fc25                   updates   23 k
 mesa-filesystem          x86_64 12.0.4-2.fc25                   updates   23 k
 mesa-libEGL              i686   12.0.4-2.fc25                   updates   99 k
 mesa-libEGL              x86_64 12.0.4-2.fc25                   updates   97 k
 mesa-libGL               i686   12.0.4-2.fc25                   updates  179 k
 mesa-libGL               x86_64 12.0.4-2.fc25                   updates  163 k
 mesa-libGLES             x86_64 12.0.4-2.fc25                   updates   32 k
 mesa-libOSMesa           i686   12.0.4-2.fc25                   updates  1.9 M
 mesa-libOSMesa           x86_64 12.0.4-2.fc25                   updates  1.9 M
 mesa-libgbm              i686   12.0.4-2.fc25                   updates   43 k
 mesa-libgbm              x86_64 12.0.4-2.fc25                   updates   43 k
 mesa-libglapi            i686   12.0.4-2.fc25                   updates   59 k
 mesa-libglapi            x86_64 12.0.4-2.fc25                   updates   48 k
 mesa-libwayland-egl      x86_64 12.0.4-2.fc25                   updates   24 k
 mesa-libxatracker        x86_64 12.0.4-2.fc25                   updates  1.4 M
 microcode_ctl            x86_64 2:2.1-13.1.fc25                 updates  780 k
 netcdf                   x86_64 4.4.1.1-1.fc25                  updates  740 k
 ostree                   x86_64 2016.14-2.fc25                  updates  395 k
 policycoreutils          x86_64 2.5-19.fc25                     updates  863 k
 policycoreutils-python   x86_64 2.5-19.fc25                     updates  404 k
 policycoreutils-python-utils
                          x86_64 2.5-19.fc25                     updates  217 k
 policycoreutils-python3  x86_64 2.5-19.fc25                     updates  1.8 M
 python2-rpm              x86_64 4.13.0-6.fc25                   updates  105 k
 python3-rpm              x86_64 4.13.0-6.fc25                   updates  105 k
 realmd                   x86_64 0.16.2-6.fc25                   updates  208 k
 rpcbind                  x86_64 0.2.4-0.fc25                    updates   64 k
 rpm                      x86_64 4.13.0-6.fc25                   updates  517 k
 rpm-build-libs           x86_64 4.13.0-6.fc25                   updates  121 k
 rpm-libs                 x86_64 4.13.0-6.fc25                   updates  303 k
 rpm-plugin-selinux       x86_64 4.13.0-6.fc25                   updates   56 k
 rpm-plugin-systemd-inhibit
                          x86_64 4.13.0-6.fc25                   updates   56 k
 texlive-algorithms       noarch 6:svn38085.0.1-22.fc25.1        updates   34 k
 texlive-amsfonts         noarch 6:svn29208.3.04-22.fc25.1       updates  3.6 M
 texlive-amsmath          noarch 6:svn41561-22.fc25.1            updates   63 k
 texlive-attachfile       noarch 6:svn38830-22.fc25.1            updates   35 k
 texlive-auto-pst-pdf     noarch 6:svn23723.0.6-22.fc25.1        updates   33 k
 texlive-babel            noarch 6:svn40706-22.fc25.1            updates   65 k
 texlive-babelbib         noarch 6:svn25245.1.31-22.fc25.1       updates   64 k
 texlive-base             noarch 6:2016-22.20160520.fc25         updates  1.4 M
 texlive-bera             noarch 6:svn20031.0-22.fc25.1          updates  362 k
 texlive-booktabs         noarch 6:svn40846-22.fc25.1            updates   33 k
 texlive-breakurl         noarch 6:svn29901.1.40-22.fc25.1       updates   34 k
 texlive-caption          noarch 6:svn41409-22.fc25.1            updates   67 k
 texlive-carlisle         noarch 6:svn18258.0-22.fc25.1          updates   43 k
 texlive-chngcntr         noarch 6:svn17157.1.0a-22.fc25.1       updates   32 k
 texlive-colortbl         noarch 6:svn29803.v1.0a-22.fc25.1      updates   34 k
 texlive-csquotes         noarch 6:svn39538-22.fc25.1            updates   50 k
 texlive-currfile         noarch 6:svn40725-22.fc25.1            updates   35 k
 texlive-enumitem         noarch 6:svn24146.3.5.2-22.fc25.1      updates   42 k
 texlive-environ          noarch 6:svn33821.0.3-22.fc25.1        updates   33 k
 texlive-eso-pic          noarch 6:svn37925.2.0g-22.fc25.1       updates   35 k
 texlive-etex-pkg         noarch 6:svn39355-22.fc25.1            updates   36 k
 texlive-etoolbox         noarch 6:svn38031.2.2a-22.fc25.1       updates   39 k
 texlive-fancyvrb         noarch 6:svn18492.2.8-22.fc25.1        updates   44 k
 texlive-filecontents     noarch 6:svn24250.1.3-22.fc25.1        updates   32 k
 texlive-filehook         noarch 6:svn24280.0.5d-22.fc25.1       updates   36 k
 texlive-float            noarch 6:svn15878.1.3d-22.fc25.1       updates   33 k
 texlive-fontspec         noarch 6:svn41262-22.fc25.1            updates   58 k
 texlive-footmisc         noarch 6:svn23330.5.5b-22.fc25.1       updates   37 k
 texlive-fp               noarch 6:svn15878.0-22.fc25.1          updates   53 k
 texlive-geometry         noarch 6:svn19716.5.6-22.fc25.1        updates   40 k
 texlive-graphics         noarch 6:svn41015-22.fc25.1            updates   47 k
 texlive-graphics-def     noarch 6:svn41879-22.fc25              updates   57 k
 texlive-hyperref         noarch 6:svn41396-22.fc25.1            updates  154 k
 texlive-hyphen-base      noarch 6:svn41138-22.fc25.1            updates   53 k
 texlive-ifetex           noarch 6:svn24853.1.2-22.fc25.1        updates   32 k
 texlive-ifluatex         noarch 6:svn41346-22.fc25.1            updates   33 k
 texlive-ifplatform       noarch 6:svn21156.0.4-22.fc25.1        updates   33 k
 texlive-iftex            noarch 6:svn29654.0.2-22.fc25.1        updates   32 k
 texlive-ifxetex          noarch 6:svn19685.0.5-22.fc25.1        updates   32 k
 texlive-index            noarch 6:svn24099.4.1beta-22.fc25.1    updates   43 k
 texlive-kastrup          noarch 6:svn15878.0-22.fc25.1          updates   32 k
 texlive-koma-script      noarch 6:svn41508-22.fc25.1            updates  6.5 M
 texlive-kpathsea         noarch 6:svn41139-22.fc25.1            updates  157 k
 texlive-kpathsea-bin     x86_64 6:svn40473-22.20160520.fc25.1   updates   55 k
 texlive-l3kernel         noarch 6:svn41246-22.fc25.1            updates  147 k
 texlive-l3packages       noarch 6:svn41246-22.fc25.1            updates   51 k
 texlive-latex            noarch 6:svn40218-22.fc25.1            updates  231 k
 texlive-latex-bin        noarch 6:svn41438-22.fc25.1            updates   34 k
 texlive-latex-bin-bin    noarch 6:svn14050.0-22.20160520.fc25.1 updates   31 k
 texlive-latex-fonts      noarch 6:svn28888.0-22.fc25.1          updates   56 k
 texlive-latexconfig      noarch 6:svn40274-22.fc25.1            updates   36 k
 texlive-lib              x86_64 6:2016-22.20160520.fc25         updates  451 k
 texlive-listings         noarch 6:svn37534.1.6-22.fc25.1        updates  159 k
 texlive-lm               noarch 6:svn28119.2.004-22.fc25.1      updates   13 M
 texlive-lualatex-math    noarch 6:svn40621-22.fc25.1            updates   34 k
 texlive-luaotfload       noarch 6:svn40902-22.fc25.1            updates  528 k
 texlive-luaotfload-bin   noarch 6:svn34647.0-22.20160520.fc25.1 updates   31 k
 texlive-luatex           noarch 6:svn40963-22.fc25.1            updates   51 k
 texlive-luatex-bin       x86_64 6:svn41091-22.20160520.fc25.1   updates  3.3 M
 texlive-luatexbase       noarch 6:svn38550-22.fc25.1            updates   36 k
 texlive-marginnote       noarch 6:svn41382-22.fc25.1            updates   34 k
 texlive-marvosym         noarch 6:svn29349.2.2a-22.fc25.1       updates  165 k
 texlive-memoir           noarch 6:svn41203-22.fc25.1            updates  113 k
 texlive-metafont         noarch 6:svn40793-22.fc25.1            updates  133 k
 texlive-metafont-bin     x86_64 6:svn40987-22.20160520.fc25.1   updates  219 k
 texlive-mparhack         noarch 6:svn15878.1.4-22.fc25.1        updates   33 k
 texlive-ms               noarch 6:svn29849.0-22.fc25.1          updates   37 k
 texlive-multido          noarch 6:svn18302.1.42-22.fc25.1       updates   35 k
 texlive-oberdiek         noarch 6:svn41346-22.fc25.1            updates  324 k
 texlive-paralist         noarch 6:svn39247-22.fc25.1            updates   34 k
 texlive-parallel         noarch 6:svn15878.0-22.fc25.1          updates   34 k
 texlive-pdftex           noarch 6:svn41149-22.fc25.1            updates   72 k
 texlive-pdftex-bin       x86_64 6:svn40987-22.20160520.fc25.1   updates  395 k
 texlive-pdftex-def       noarch 6:svn22653.0.06d-22.fc25.1      updates   45 k
 texlive-pgf              noarch 6:svn40966-22.fc25.1            updates  821 k
 texlive-psnfss           noarch 6:svn33946.9.2a-22.fc25.1       updates   59 k
 texlive-pst-3d           noarch 6:svn17257.1.10-22.fc25.1       updates   35 k
 texlive-pst-coil         noarch 6:svn37377.1.07-22.fc25.1       updates   35 k
 texlive-pst-eps          noarch 6:svn15878.1.0-22.fc25.1        updates   34 k
 texlive-pst-fill         noarch 6:svn15878.1.01-22.fc25.1       updates   35 k
 texlive-pst-grad         noarch 6:svn15878.1.06-22.fc25.1       updates   35 k
 texlive-pst-math         noarch 6:svn34786.0.63-22.fc25.1       updates   36 k
 texlive-pst-node         noarch 6:svn40743-22.fc25.1            updates   58 k
 texlive-pst-ovl          noarch 6:svn40873-22.fc25.1            updates   33 k
 texlive-pst-pdf          noarch 6:svn31660.1.1v-22.fc25.1       updates   39 k
 texlive-pst-pdf-bin      noarch 6:svn7838.0-22.20160520.fc25.1  updates   31 k
 texlive-pst-plot         noarch 6:svn41242-22.fc25.1            updates   54 k
 texlive-pst-text         noarch 6:svn15878.1.00-22.fc25.1       updates   35 k
 texlive-pst-tools        noarch 6:svn34067.0.05-22.fc25.1       updates   36 k
 texlive-pst-tree         noarch 6:svn24142.1.12-22.fc25.1       updates   38 k
 texlive-pstricks         noarch 6:svn41321-22.fc25.1            updates  114 k
 texlive-pstricks-add     noarch 6:svn40744-22.fc25.1            updates   56 k
 texlive-qstest           noarch 6:svn15878.0-22.fc25.1          updates   36 k
 texlive-sauerj           noarch 6:svn15878.0-22.fc25.1          updates   36 k
 texlive-setspace         noarch 6:svn24881.6.7a-22.fc25.1       updates   38 k
 texlive-showexpl         noarch 6:svn32737.v0.3l-22.fc25.1      updates   35 k
 texlive-soul             noarch 6:svn15878.2.4-22.fc25.1        updates   37 k
 texlive-subfig           noarch 6:svn15878.1.3-22.fc25.1        updates   38 k
 texlive-tetex            noarch 6:svn41059-22.fc25.1            updates  117 k
 texlive-tetex-bin        noarch 6:svn36770.0-22.20160520.fc25.1 updates   32 k
 texlive-tex-ini-files    noarch 6:svn40533-22.fc25              updates   35 k
 texlive-texconfig        noarch 6:svn40768-22.fc25.1            updates   46 k
 texlive-texconfig-bin    noarch 6:svn29741.0-22.20160520.fc25.1 updates   31 k
 texlive-texlive.infra    noarch 6:svn41280-22.fc25.1            updates  163 k
 texlive-texlive.infra-bin
                          x86_64 6:svn40312-22.20160520.fc25.1   updates   31 k
 texlive-thumbpdf         noarch 6:svn34621.3.16-22.fc25.1       updates   52 k
 texlive-thumbpdf-bin     noarch 6:svn6898.0-22.20160520.fc25.1  updates   31 k
 texlive-tipa             noarch 6:svn29349.1.3-22.fc25.1        updates  2.8 M
 texlive-tools            noarch 6:svn40934-22.fc25.1            updates   77 k
 texlive-trimspaces       noarch 6:svn15878.1.1-22.fc25.1        updates   31 k
 texlive-ucharcat         noarch 6:svn38907-22.fc25.1            updates   32 k
 texlive-underscore       noarch 6:svn18261.0-22.fc25.1          updates   35 k
 texlive-unicode-math     noarch 6:svn38462-22.fc25.1            updates   76 k
 texlive-url              noarch 6:svn32528.3.4-22.fc25.1        updates   36 k
 texlive-varwidth         noarch 6:svn24104.0.92-22.fc25.1       updates   35 k
 texlive-xcolor           noarch 6:svn41044-22.fc25.1            updates   49 k
 texlive-xkeyval          noarch 6:svn35741.2.7a-22.fc25.1       updates   47 k
 texlive-xunicode         noarch 6:svn30466.0.981-22.fc25.1      updates   58 k
 texlive-zapfding         noarch 6:svn31835.0-22.fc25.1          updates   79 k
Entfernen:
 kernel                   x86_64 4.8.8-200.fc24                  @updates   0  
 kernel-core              x86_64 4.8.8-200.fc24                  @updates  52 M
 kernel-modules           x86_64 4.8.8-200.fc24                  @updates  22 M
 kernel-modules-extra     x86_64 4.8.8-200.fc24                  @updates 2.0 M

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport

Comment 8 Lukas Vrabec 2016-12-07 11:53:09 UTC
Guys, 
Could you test it with following package? 
http://koji.fedoraproject.org/koji/buildinfo?buildID=823463

THanks.

Comment 9 Lukas Vrabec 2016-12-07 12:15:55 UTC
*** Bug 1402067 has been marked as a duplicate of this bug. ***

Comment 10 Steve Dickson 2016-12-07 13:40:36 UTC
*** Bug 1401815 has been marked as a duplicate of this bug. ***

Comment 11 dan 2016-12-07 13:46:37 UTC
@Lukas, testing, so far so good.  Thank you for the quick response!

Comment 12 bram1253.skype 2016-12-07 14:48:47 UTC
Description of problem:
Console input:
"su"
"dnf upgrade"

It upgraded succesfully but during the upgrade I got an error about systemd.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 13 Ferry Huberts 2016-12-07 15:40:01 UTC
Does not work for me.
And I can't even restart rpcbind.socket with selinux in permissive mode.

Downgraded again. Setting permissive mode allows me to restart rpcbind.socket, and then my nfs shares are mounted ok by systemd

Comment 14 Mattia Verga 2016-12-07 16:02:45 UTC
selinux-policy-3.13.1-225.2.fc25 does not work for me:

dic 07 16:55:55 Fomalhaut audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
dic 07 16:55:55 Fomalhaut systemd[1]: rpcbind.socket: Failed to listen on sockets: Permission denied
dic 07 16:55:55 Fomalhaut systemd[1]: Failed to listen on RPCbind Server Activation Socket.

Comment 15 Mattia Verga 2016-12-07 16:23:02 UTC
The problem is rpcbind-0.2.4-0.fc25 which was released stable yesterday, after downgrading it ('dnf downgrade rpcbind') NFS is working again.

Comment 16 Ferry Huberts 2016-12-07 16:31:40 UTC
(In reply to Mattia Verga from comment #15)
> The problem is rpcbind-0.2.4-0.fc25 which was released stable yesterday,
> after downgrading it ('dnf downgrade rpcbind') NFS is working again.

confirmed

Comment 17 Ken Fallon 2016-12-07 19:17:14 UTC
Description of problem:
After dnf -y upgrade, and reboot systemd is blocked by selinux

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.11-300.fc25.x86_64
type:           libreport

Comment 18 dan 2016-12-07 20:03:35 UTC
Still one issue which prevents rpcbind.socket from succeeding:

SELinux is preventing systemd from create access on the unix_stream_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          ears.private
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-225.2.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ears.private
Platform                      Linux ears.private 4.8.11-300.fc25.x86_64 #1 SMP
                              Mon Nov 28 18:24:51 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-12-07 14:59:13 EST
Last Seen                     2016-12-07 14:59:13 EST
Local ID                      16bfe9c4-86f0-4c53-91bc-cc57caa747a5

Raw Audit Messages
type=AVC msg=audit(1481140753.44:260): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0


Hash: systemd,init_t,unconfined_service_t,unix_stream_socket,create

Comment 19 dan 2016-12-07 20:14:35 UTC
systemd also wants:

setopt access on the Unknown unix_stream_socket
bind access on the Unknown unix_stream_socket 
listen access on the rpcbind.sock unix_stream_socket
create access on the port None tcp_socket
setopt access on the port None tcp_socket
bind access on the port None tcp_socket 
listen access on the port None tcp_socket
create access on the port None udp_socket
setopt access on the port None udp_socket
bind access on the port None udp_socket

Comment 20 Eric Blake 2016-12-07 22:30:49 UTC
Description of problem:
My NFS drive was not automounted on boot; trying to mount it manually mentioned checking 'journalctl -xe', and in that output, I saw that rpc-statd failed to start due to a dependency (no idea what dependency) and a SELinux failure which I presume may be related

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.11-300.fc25.x86_64
type:           libreport

Comment 21 liam 2016-12-08 01:32:39 UTC
Description of problem:
Appeared to coincide with opening my browser (which I hadn't opened since it was updated).

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport

Comment 22 Lukas Vrabec 2016-12-08 12:09:22 UTC
Guys could you try following build? 
http://koji.fedoraproject.org/koji/buildinfo?buildID=823463

Thanks.

Comment 23 Eric Blake 2016-12-08 14:37:16 UTC
I started with this combination, where I had to have SELinux permissive to mount:

rpcbind-0.2.3-11.rc1.fc25.x86_64
selinux-policy-3.13.1-224.fc25.noarch

Then upgraded selinux per your recommendation, and was able to turn SELinux back to enforcing and mount without issues:

rpcbind-0.2.3-11.rc1.fc25.x86_64
selinux-policy-3.13.1-224.fc25.noarch

I then upgraded rpcbind, to this combination (SELinux still enforcing):

rpcbind-0.2.4-0.fc25.x86_64
selinux-policy-3.13.1-224.fc25.noarch

and my first attempt at mounting complained:

# mount /mnt/backup/
A dependency job for rpc-statd.service failed. See 'journalctl -xe' for details.

but must have done something, because the second try (with no intermediate commands, just time elapsed) complained differently:

# mount /mnt/backup/
mount.nfs: /mnt/backup is busy or already mounted

thereafter, I'm able to unmount and remount with SELinux enforcing without complaint. I'm going to attempt a reboot now to see if things automount, but will only add another comment if things don't work as expected - so if this is my last comment, it looks like you have got things back into working order.

Comment 24 Eric Blake 2016-12-08 14:46:02 UTC
nope, on reboot, automount still failed. Trying manual mount complained:

# mount /mnt/backup/
A dependency job for rpc-statd.service failed. See 'journalctl -xe' for details.
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.

journalctl reports:

Dec 08 08:43:50 red systemd[1]: Starting Preprocess NFS configuration...
-- Subject: Unit nfs-config.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit nfs-config.service has begun starting up.
Dec 08 08:43:50 red audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
Dec 08 08:43:50 red systemd[1]: rpcbind.socket: Failed to listen on sockets: Permission denied
Dec 08 08:43:50 red systemd[1]: Failed to listen on RPCbind Server Activation Socket.
-- Subject: Unit rpcbind.socket has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit rpcbind.socket has failed.
-- 
-- The result is failed.
Dec 08 08:43:50 red systemd[1]: Dependency failed for NFS status monitor for NFSv2/3 locking..
-- Subject: Unit rpc-statd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit rpc-statd.service has failed.
-- 
-- The result is dependency.
Dec 08 08:43:50 red systemd[1]: rpc-statd.service: Job rpc-statd.service/start failed with result 'dependency'.
Dec 08 08:43:50 red rpc.statd[3466]: Version 1.3.3 starting
Dec 08 08:43:50 red audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 08:43:50 red audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 08:43:50 red rpc.statd[3466]: Flags: TI-RPC
Dec 08 08:43:50 red systemd[1]: Started Preprocess NFS configuration.
-- Subject: Unit nfs-config.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit nfs-config.service has finished starting up.
-- 
-- The start-up result is done.
Dec 08 08:43:50 red rpc.statd[3466]: Failed to register (statd, 1, udp): svc_reg() err: RPC: Remote system error - Connection refused
Dec 08 08:43:50 red rpc.statd[3466]: Failed to register (statd, 1, tcp): svc_reg() err: RPC: Remote system error - Connection refused
Dec 08 08:43:50 red rpc.statd[3466]: Failed to register (statd, 1, udp6): svc_reg() err: RPC: Remote system error - Connection refused
Dec 08 08:43:50 red rpc.statd[3466]: Failed to register (statd, 1, tcp6): svc_reg() err: RPC: Remote system error - Connection refused
Dec 08 08:43:50 red rpc.statd[3466]: failed to create RPC listeners, exiting

Comment 25 Eric Blake 2016-12-08 14:49:19 UTC
as long as I temporarily turn selinux to permissive, then do my first NFS mount, I can restore it to enforcing thereafter and make further mounts. So it is rpc failing to start under enforcing; but once it starts it stays up and all other aspects of rpc and nfs work under enforcing.

Comment 26 Lukas Vrabec 2016-12-08 14:53:01 UTC
Eric, 
What is output of:
# ls -Z /usr/bin/rpcbind 

Thanks.

Comment 27 dan 2016-12-08 14:55:15 UTC
Getting same results as Eric.

output of ls -Z /usr/bin/rpcbind

system_u:object_r:bin_t:s0 /usr/bin/rpcbind

Comment 28 Eric Blake 2016-12-08 15:08:37 UTC
# ls -Z /usr/bin/rpcbind 
system_u:object_r:bin_t:s0 /usr/bin/rpcbind

and restorecon doesn't change it.  I already ran 'restorecon -rv /etc' before I rebooted, and I remember it fixed a few things, but I no longer have the list of what it fixed.

Comment 29 Lukas Vrabec 2016-12-08 15:08:38 UTC
[root@fraw ~]# ps -efZ | grep rpc
system_u:system_r:rpcbind_t:s0  rpc        569     1  0 16:07 ?        00:00:00 /usr/bin/rpcbind -w -f
system_u:system_r:kernel_t:s0   root       572     2  0 16:07 ?        00:00:00 [rpciod]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1133 1112  0 16:07 pts/0 00:00:00 grep --color=auto rpc
[root@fraw ~]# ls -Z /usr/bin/rpcbind
system_u:object_r:rpcbind_exec_t:s0 /usr/bin/rpcbind
[root@fraw ~]# rpm -q selinux-policy
selinux-policy-3.13.1-225.1.fc25.noarch

This is really weird. It looks fine on my system.

Comment 30 Eric Blake 2016-12-08 15:11:48 UTC
# ps -efZ | grep rpc
system_u:system_r:kernel_t:s0   root      1081     2  0 08:41 ?        00:00:00 [rpciod]
system_u:system_r:unconfined_service_t:s0 rpc 3597 1  0 08:47 ?        00:00:00 /usr/bin/rpcbind -w -f
system_u:system_r:rpcd_t:s0     rpcuser   3598     1  0 08:47 ?        00:00:00 /usr/sbin/rpc.statd --no-notify
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5045 3212  0 09:09 pts/0 00:00:00 grep --color=auto rpc
# ls -Z /usr/bin/rpcbind 
system_u:object_r:bin_t:s0 /usr/bin/rpcbind
# restorecon -nrv /usr/bin/
# rpm -q selinux-policy
selinux-policy-3.13.1-225.2.fc25.noarch

[where rpc was started with selinux permissive]

Comment 31 Dmitry McArov 2016-12-08 15:16:31 UTC
Description of problem:
After installin some xfce packets. List of packets:
xfce4-pulseaudio-plugin-0.2.4-5.fc25.x86_64
xfce4-xkb-plugin-0.7.1-4.fc24.x86_64
xfce4-notes-plugin-1.8.1-2.fc24.x86_64
xfce4-about-4.12.1-5.fc25.x86_64
libxfce4util-4.12.1-3.fc24.x86_64
xfce4-session-4.12.1-9.fc25.x86_64
xfce4-session-engines-4.12.1-9.fc25.x86_64
xfce4-datetime-plugin-0.7.0-1.fc25.x86_64
xfce4-notifyd-0.3.4-1.fc25.x86_64
xfce4-screenshooter-plugin-1.8.2-6.fc24.x86_64
xfce4-settings-4.12.1-1.fc25.x86_64
f25-backgrounds-extras-xfce-25.1.1-2.fc25.noarch
xfce4-screenshooter-1.8.2-6.fc24.x86_64
xfce4-places-plugin-1.7.0-4.fc24.x86_64
xfce-theme-manager-0.3.6-2.fc24.x86_64
xfce4-panel-4.12.0-5.fc24.x86_64
xfce-polkit-0.2-8.fc25.x86_64
greybird-xfce4-notifyd-theme-3.20.0-2.fc25.noarch
xfce4-power-manager-1.6.0-4.fc25.x86_64
gtk-xfce-engine-3.2.0-3.fc24.x86_64
xfce4-mixer-4.10.0-10.fc24.x86_64
xfce4-eyes-plugin-4.4.5-1.fc25.x86_64
xfce4-terminal-0.8.1-2.fc25.x86_64
xfce4-taskmanager-1.1.0-5.fc24.x86_64
libxfce4ui-4.12.1-5.fc25.x86_64
xfce4-appfinder-4.12.0-5.fc24.x86_64
f25-backgrounds-xfce-25.1.1-2.fc25.noarch
xfce4-sensors-plugin-1.2.6-1.fc25.x86_64

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport

Comment 32 Lukas Vrabec 2016-12-08 15:25:15 UTC
Guys, 
I see the issue. Will provide new build ASAP

Comment 33 Charlie Brady 2016-12-08 15:29:01 UTC
Description of problem:
Just popped up during or just after updating a fedora 25 system.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.8-300.fc25.x86_64
type:           libreport

Comment 34 Lukas Vrabec 2016-12-08 17:58:01 UTC
Guys, 
Could you test it with following build? 
http://koji.fedoraproject.org/koji/buildinfo?buildID=823721

Thanks.

Comment 35 Alexander Ploumistos 2016-12-08 18:40:47 UTC
(In reply to Lukas Vrabec from comment #34)
> Guys, 
> Could you test it with following build? 
> http://koji.fedoraproject.org/koji/buildinfo?buildID=823721
> 
> Thanks.

That takes care of the rpcbind.lock messages at boot and matchpathcon seems happy.

Comment 36 Eric Blake 2016-12-08 18:43:14 UTC
A reboot brought up my NFS volumes without issue. Thanks!
I wonder if bug 1402490 is the same issue

Comment 37 roland 2016-12-08 18:52:12 UTC
Description of problem:
After system install.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport

Comment 38 Adam Williamson 2016-12-08 18:52:43 UTC
*** Bug 1402490 has been marked as a duplicate of this bug. ***

Comment 39 dan 2016-12-08 20:53:14 UTC
Clean boot, no avc's on boot, rpc binds to socket on both ipv4 and ipv6.  Successfully resolved issues for me.

Comment 40 Lukas Vrabec 2016-12-09 13:10:30 UTC
Dan, 
Thank you for testing.

Comment 41 Fedora Update System 2016-12-09 13:47:35 UTC
selinux-policy-3.13.1-225.3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f24b3ddc6a

Comment 42 Sergei LITVINENKO 2016-12-09 20:12:58 UTC
Description of problem:
maybe, update caused issue

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.1.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport

Comment 43 Brendan Shephard 2016-12-09 23:46:43 UTC
Description of problem:
$ systemctl start rpcbind


selinux is blocking access to the socket required to start the rpcbind.socket. Error is still present when selinux is set to permissive.

Version-Release number of selected component:
selinux-policy-3.13.1-225.1.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.11-300.fc25.x86_64
type:           libreport

Comment 44 Brendan Shephard 2016-12-09 23:52:11 UTC
(In reply to Brendan Shephard from comment #43)
> Description of problem:
> $ systemctl start rpcbind
> 
> 
> selinux is blocking access to the socket required to start the
> rpcbind.socket. Error is still present when selinux is set to permissive.
> 
> Version-Release number of selected component:
> selinux-policy-3.13.1-225.1.fc25.noarch
> 
> Additional info:
> reporter:       libreport-2.8.0
> hashmarkername: setroubleshoot
> kernel:         4.8.11-300.fc25.x86_64
> type:           libreport

The selinux permissive statement is incorrect. The socket starts successfully when selinux is permissive - my apologies.

Comment 45 Fedora Update System 2016-12-10 03:58:24 UTC
selinux-policy-3.13.1-225.3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f24b3ddc6a

Comment 46 Abdallh Samy 2016-12-11 09:51:46 UTC
Description of problem:
Hey   dev team  I've found   a bug  in  fedora  25  ,
Do you you have  a bug bounty programme  ?   :) 
I am a bug catcher ( pen tester)

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.1.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 47 EgorGrishin 2016-12-12 06:36:08 UTC
Description of problem:
This message was shown when i updating system(dnf update)

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.1.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport

Comment 48 Justin W. Flory (he/him) 2016-12-12 07:37:56 UTC
Description of problem:
Was running a system upgrade (sudo dnf upgrade), but didn't catch when this was triggered or for what package.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.1.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport

Comment 49 Fedora Update System 2016-12-12 23:58:51 UTC
selinux-policy-3.13.1-225.3.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 50 Adam Williamson 2016-12-13 22:48:55 UTC
Abdallh: unfortunately Fedora doesn't have a bug bounty program, or I would've retired to a private island years ago ;)

Comment 51 mike.oxbigg 2016-12-14 01:40:31 UTC
Description of problem:
if i am inactive on this system for more that 1 or 2 min it lockes up on me.  

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.12-300.fc25.x86_64
type:           libreport

Comment 52 Ely Castellano 2017-01-03 12:29:49 UTC
Description of problem:
only run 'yum update'

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.3.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 53 Shaun Assam 2017-01-04 20:13:50 UTC
Description of problem:
- Performed updates from fresh install.
- SELinux alert popped-up shortly after selinux-policy updated to selinux-policy-3.13.1-225.3.fc25.noarch.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.3.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 54 abenkovskii 2017-01-07 15:11:42 UTC
Description of problem:
I installed Fedora on this computer today. This is the first time I booted it after the installation. I started a dnf upgrade, locked the sesion and when I logged back in I saw a notification about this SELinux issue.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.3.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 55 raynaud 2017-01-08 15:52:41 UTC
Description of problem:
Fresh install of Fedora 25 > dnf upgrade

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.3.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 56 lucboari 2017-01-11 03:28:54 UTC
Description of problem:
Installed and enabled this extension: https://extensions.gnome.org/extension/18/native-window-placement/

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.3.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 57 Reginald Singh 2017-01-11 13:52:06 UTC
Description of problem:
updated the system, a notification appeared that was to be this!

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 58 Jiri Hodal - Monte 2017-01-11 18:04:54 UTC
Description of problem:
It happend after login to Gnome

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.15-300.fc25.i686+PAE
type:           libreport

Comment 59 awbruch 2017-01-14 14:44:50 UTC
Description of problem:
Showed up on first boot directly after clean install of Fedora 25. Has not happened on subsequent boots

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.16-300.fc25.x86_64
type:           libreport

Comment 60 Xederk 2017-01-17 16:56:55 UTC
Description of problem:
Error del evolution,  al sincronizar contactos/email de gmail la cuenta se configuró al hacer la instalación inicial.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 61 Hassan Aminfar 2017-01-18 04:57:12 UTC
Description of problem:
after update packages by "dnf update" at new installation

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.3-200.fc25.x86_64
type:           libreport

Comment 62 Philippos Papaphilippou 2017-01-20 20:41:17 UTC
Description of problem:
An old and a new Fedora 25 installation suddenty failed to boot. After disabling SElinux from recovery terminal, it finally booted. Now in permissive mode it outputs this kinds of errors

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.16-300.fc25.x86_64
type:           libreport

Comment 63 Gerardo Rosales 2017-01-24 14:40:12 UTC
Description of problem:
After installation, updated the system. When going in the middle of the update process got the message alert.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 64 Lubota Joao 2017-01-29 17:03:08 UTC
Description of problem:
When I updated my system it appears in top of my terminal window.

Just it.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 65 DIEGO ARAGON 2017-02-01 01:59:17 UTC
Description of problem:
Me encontraba realizando una actualización del sistema por medio del comando dnf -y update y de repente salió el aviso

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 66 tobrien3488 2017-02-11 14:53:04 UTC
Description of problem:
sudo dnf update after fresh install. Please help. I love Linux but Im getting frustrated... wont give up though!

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 67 Jorge Ernesto Gomez Giraldo 2017-02-12 15:37:30 UTC
Description of problem:
Me alerto el sistema de bugs

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 68 Thiago 2017-02-17 01:49:39 UTC
Description of problem:
falha durante atualizacao do sistema

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 69 stefan.oscarsson.gm 2017-02-23 10:59:23 UTC
Description of problem:
Vid installationen när jag körde dnf update

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 70 Zoltan Kozma 2017-02-26 18:33:14 UTC
Description of problem:
Update to kernel version 4.9.11 along with the rest of the system via the Software application that bullies the user to update, 
and see your broadcom-wl and akmod-wl driver stop working all of a sudden. 
Then you realize that the recompile step failed you do it manually via akmods
Then modprobe fails and you start adding policies to allow you to modprobe it. Then that works
And then you need to keep going adding policies to allow systemd to load it too. 
This is horribly broken compatibility. All the selinux policy packages are the default that came with the system and
have allowed this module to work.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.11-200.fc25.x86_64
type:           libreport

Comment 71 Zoltan Kozma 2017-02-26 18:36:41 UTC
(In reply to Zoltan Kozma from comment #70)
> Description of problem:
> Update to kernel version 4.9.11 along with the rest of the system via the
> Software application that bullies the user to update, 
> and see your broadcom-wl and akmod-wl driver stop working all of a sudden. 
> Then you realize that the recompile step failed you do it manually via akmods
> Then modprobe fails and you start adding policies to allow you to modprobe
> it. Then that works
> And then you need to keep going adding policies to allow systemd to load it
> too. 
> This is horribly broken compatibility. All the selinux policy packages are
> the default that came with the system and
> have allowed this module to work.
> 
> Version-Release number of selected component:
> selinux-policy-3.13.1-224.fc25.noarch
> 
> Additional info:
> reporter:       libreport-2.8.0
> hashmarkername: setroubleshoot
> kernel:         4.9.11-200.fc25.x86_64
> type:           libreport

And also the setroubleshoot bugzilla submit app is broken if this thinks that the nfs.service has anything to do with my bug. This ticket is closed for some reason whereas the issue clearly stands.

Comment 72 Bruno Goncalves 2017-02-27 15:36:42 UTC
The problem seems to happen with selinux-policy-3.13.1-225.6.fc25.noarch


# rpm -q selinux-policy
selinux-policy-3.13.1-225.6.fc25.noarch

# /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30



# mount -tnfs <nfs_share> /tmp
A dependency job for rpc-statd.service failed. See 'journalctl -xe' for details.

mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.

[root@hostname]# journalctl -xe
-- The result is failed.
Feb 27 10:13:38 hostname systemd[1]: Dependency failed for NFS status monitor for NFSv2/3 locking..
-- Subject: Unit rpc-statd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit rpc-statd.service has failed.
-- 
-- The result is dependency.
Feb 27 10:13:38 hostname systemd[1]: rpc-statd.service: Job rpc-statd.service/start failed with result 'dependency'.
Feb 27 10:13:38 hostname systemd[1]: Starting Preprocess NFS configuration...
-- Subject: Unit nfs-config.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit nfs-config.service has begun starting up.
Feb 27 10:13:38 hostname rpc.statd[13090]: Version 2.1.1 starting
Feb 27 10:13:38 hostname rpc.statd[13090]: Flags: TI-RPC
Feb 27 10:13:38 hostname systemd[1]: Started Preprocess NFS configuration.
-- Subject: Unit nfs-config.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit nfs-config.service has finished starting up.
-- 
-- The start-up result is done.
Feb 27 10:13:38 hostname audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/li
Feb 27 10:13:38 hostname audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib
Feb 27 10:13:38 hostname rpc.statd[13090]: Failed to register (statd, 1, udp): svc_reg() err: RPC: Remote system error - Connection refused
Feb 27 10:13:38 hostname rpc.statd[13090]: Failed to register (statd, 1, tcp): svc_reg() err: RPC: Remote system error - Connection refused
Feb 27 10:13:38 hostname rpc.statd[13090]: Failed to register (statd, 1, udp6): svc_reg() err: RPC: Remote system error - Connection refused
Feb 27 10:13:38 hostname rpc.statd[13090]: Failed to register (statd, 1, tcp6): svc_reg() err: RPC: Remote system error - Connection refused
Feb 27 10:13:38 hostname rpc.statd[13090]: failed to create RPC listeners, exiting
Feb 27 10:13:41 hostname dbus-daemon[2715]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.10' (uid=0 pid=2705 comm="/usr/sbin/sedispa
Feb 27 10:13:42 hostname dbus-daemon[2715]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Feb 27 10:13:42 hostname setroubleshoot[13126]: SELinux is preventing systemd from create access on the unix_stream_socket Unknown. For complete SELinux messages. run sealer
Feb 27 10:13:42 hostname python3[13126]: SELinux is preventing systemd from create access on the unix_stream_socket Unknown.
                                                                               
                                                                               *****  Plugin catchall (100. confidence) suggests   **************************
                                                                               
                                                                               If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
                                                                               Then you should report this as a bug.
                                                                               You can generate a local policy module to allow this access.
                                                                               Do
                                                                               allow this access for now by executing:
                                                                               # ausearch -c 'systemd' --raw | audit2allow -M my-systemd
                                                                               # semodule -X 300 -i my-systemd.pp
                                                                               
Feb 27 10:13:44 hostname kernel: EXT4-fs (dm-46): mounted filesystem with ordered data mode. Opts: (null)
Feb 27 10:13:49 hostname kernel: EXT4-fs (dm-45): mounted filesystem with ordered data mode. Opts: (null)
Feb 27 10:13:55 hostname kernel: EXT4-fs (dm-44): mounted filesystem with ordered data mode. Opts: (null)
Feb 27 10:14:01 hostname kernel: EXT4-fs (dm-43): mounted filesystem with ordered data mode. Opts: (null)

[root@hostname ~]# ausearch -c 'systemd' --raw 
type=SERVICE_START msg=audit(1488208111.268:1270): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1488208418.872:1280): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1488208418.872:1281): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nfs-config comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1488208418.852:1279): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

Comment 73 Jordan 2017-02-28 03:09:14 UTC
Description of problem:
Fresh install. Running dnf update for the first time.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 74 Ferdinand Badescu 2017-02-28 05:53:52 UTC
Description of problem:
1. Installed Fedora 25 from scratch, on an non-EFI disk.
2. Started the update process: in a CLI, typed "sudo yum update -y".
3. During the update, received the SELinux alert.
4. Let the update process finish as it is. Did not generate a local policy module. Did not execute the commands listed in the SELinux Alert Browser.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 75 Marek Michał Mazur 2017-03-01 17:35:25 UTC
Description of problem:
This was shown during dnf update

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 76 Joe Zeff 2017-03-03 07:59:10 UTC
Description of problem:
I had just installed Fedora 25 .86_64 and was doing my first update when this happened.  Aside from that, the system was simply sitting here when it happened.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 77 Evgeny.D 2017-03-04 21:31:35 UTC
Description of problem:
updating my Fedora packages in terminal from new-installed (from Compiz-Mate liveCD) to fresh versions by "dnf update" command.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 78 Frank Daniel 2017-03-06 19:48:43 UTC
Description of problem:
I just installed Fedora 25.  I have installed both my hl2270dw and hl3045cn brother printers.  I also installed LAMP for 25.
I've been trying to find out why when accessing/executing a php file, using the IP address works, but using localhost doesn't

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 79 Fehmi Demiralp 2017-03-08 20:00:26 UTC
Description of problem:
After a fresh installation of Fedora 25, the third party repositories, RPM Fusion, livna and flash plugin from adobe's website were added. (just repositories without enabling any packages).
And than ``dnf upgrade -y`` is applied.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 80 John Murtagh 2017-03-09 20:04:36 UTC
Description of problem:
Hit this issue while simply removing the charger from my laptop. Im not sure how reproducable this issue is. 

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.13-200.fc25.x86_64
type:           libreport

Comment 81 Douglas 2017-03-11 02:11:17 UTC
Description of problem:
I was executing the initial upgrade of packages right after the installation of Fedora.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 82 Lukas Vrabec 2017-03-14 15:59:07 UTC
Could somebody reproduce the scenario and attach output of:
$ ps -efZ | grep unconfined_service_t

Thanks.

Comment 83 lickel.gaetan 2017-03-21 20:26:56 UTC
Description of problem:
New installation of Fedora Workstation, with the last version of the ISO. I just did a dnf update.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 84 Joe Zeff 2017-03-22 16:12:37 UTC
Description of problem:
I had just installed F 25 Xfce Spin and was doing my first update, overnight, when this happened.  Otherwise, no idea

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 85 Joe Zeff 2017-03-22 16:16:32 UTC
The first report I made was from a running, updatable install on a 32 GB flash drive.  This one is on a regular hard drive.  Also, this hasn't happened again on the flash drive even though I've updated it several times.  It may be something that only happens on a new install.

Comment 86 Trevor Clark 2017-03-23 15:45:52 UTC
Description of problem:
This alert came up while updating after a fresh install of Fedora 25

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 87 yroy 2017-04-07 14:05:47 UTC
Description of problem:
Again.... again.... again the fuckin selinux

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.8-200.fc25.x86_64
type:           libreport

Comment 88 Adam Williamson 2017-04-07 21:52:47 UTC
Well, of course this will happen every time you start from a fresh, non-network install, because the pre-fix selinux-policy will be installed until you update...

Comment 89 nholloway2007 2017-04-08 02:02:00 UTC
Description of problem:
I installed LXD via the copr respository, and ran 'systemctl start lxd.' LXD started successfully, but generated this error.

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.6-200.fc25.x86_64
type:           libreport

Comment 90 Manu 2017-04-17 03:38:22 UTC
Description of problem:
Estaba actualizando mi sistema, cuando me aparecio la alerta de selinux.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 91 Shaun Assam 2017-04-20 18:11:45 UTC
Description of problem:
- Appeared after reboot from a fresh install of Fedora 25 x86_64 Workstation with all updates applied and selinux-policy upgraded to new selinux-policy-3.13.1-225.13.fc25.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.11-200.fc25.x86_64
type:           libreport

Comment 92 bobbro92 2017-04-24 20:37:21 UTC
Description of problem:
Fresh install of fedora 25 followed by sudo dnf update. Date 2017-04-24

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 93 charles.hains 2017-05-06 04:03:01 UTC
Description of problem:
lorsque j'ai fait la premiere mise a jour avec le terminal en utilisant la ligne de code «sudo dnf update» cette infraction c'est produite apres le telechergement ces teminer les mise a jours ont commencer durant la mise a jour du sel linux cette erreur est apparue.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 94 Manu 2017-05-06 09:17:48 UTC
Description of problem:
Este error aparecio mientras actualizaba mi sistema operativo (Fedora 25) en una Macbook Pro (mid 2010).

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 95 omidka 2017-05-09 14:24:52 UTC
Description of problem:
Hi
im trying to Update my yum -y update in terminal and when i wating for installing upgarading this error is show in my screen

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.13-200.fc25.x86_64
type:           libreport

Comment 96 David Novák 2017-05-09 19:43:48 UTC
Description of problem:
Happened during 'dnf update' after clean installation of Fedora 25.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 97 Youssef 2017-05-16 17:17:32 UTC
Description of problem:
I had just done a fresh install of Fedora 25 Workstation and was running updates for the first time (via dnf). The SELinux denial notification appeared while the updates were running. I was not doing anything else on the computer at the time.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 98 fuhanghang 2017-05-24 03:26:57 UTC
Description of problem:
dnf install gnome-tweak-tool

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 99 Maxim Bogdanov 2017-05-24 17:56:52 UTC
Description of problem:
system update

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 100 Sidharth 2017-05-30 02:00:52 UTC
Description of problem:
I have recently upgraded my system to the newest kernel after that I have received this error pop-up.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 101 superwaffle 2017-06-01 00:20:44 UTC
Description of problem:
I just installed Fedora and proceeded to run
yum update as root
1394 updates where installed, when i came back the SELinux troubleshooter found about it.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 102 K4M3K 2017-06-04 03:33:50 UTC
Description of problem:
fresh efi install, immediate upgrade through dnf. 
has happened with every fresh install and apgrade
with 4.8 to 4.10 and going from 4.8 to 4.11

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.11.3-200.fc25.x86_64
type:           libreport

Comment 103 Manu 2017-06-05 03:27:35 UTC
Description of problem:
Mientras se actualizaba mi sistema operativo, lo estaba reinstalando y luego precedi a actualizar y es en ese momento cuando me aparece esta alerta.
Macbook PRO.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 104 Raffaello Bertini 2017-06-06 08:48:55 UTC
Description of problem:
dnf upgrade after fresh installation of fedora25

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 105 ricky.tigg 2017-06-08 07:17:07 UTC
Description of problem:
System is updating. Another process (dnf install yumex-dnf -y) is waiting for process with pid 2496 to finish. The reason may be that it contains the package dnfdaemon-selinux noarch 0.3.16-3.fc25 fto be downloaded.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 106 Dan Robinson 2017-06-13 02:46:56 UTC
Description of problem:
Denial happened during upgrading on a fresh install in VirtualBox

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 107 Todd Kaltenborn 2017-06-14 01:37:27 UTC
Description of problem:
This happened while updating system after fresh install of Fedora Wrksta 25.
I stepped away and when I returned, this notification was on the screen.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 108 j.g.wesseling 2017-06-23 07:43:18 UTC
Description of problem:
dnf update

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 109 Daniel 2017-06-25 05:08:26 UTC
Description of problem:
while installing packages from dnf upgrade.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 110 Douglas 2017-07-02 12:39:18 UTC
Description of problem:
It happened during the first update after a clean install of Fedora 25.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.11.7-200.fc25.x86_64
type:           libreport

Comment 111 Coky 2017-07-03 22:28:38 UTC
Description of problem:
Terminal was doing "yum update" (first time, right after fresh Fedora 25 install) and I was browsing web on Firefox.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 112 ph9214 2017-07-04 01:05:16 UTC
Description of problem:
i just got an error :(

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 113 ddssantana89 2017-07-04 15:13:32 UTC
Description of problem:
I was upgrading the system for the first time after installation.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 114 Zhxin 2017-07-09 03:48:08 UTC
Description of problem:
copy text from browser

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 115 Ayush Gupta 2017-07-18 10:16:40 UTC
Description of problem:
After getting a update from dnf install update, installing skype 5.3 beta and while using cpanel over chrome.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 116 Ron Edge 2017-07-30 16:13:25 UTC
Description of problem:
Noted alert after initial install Fed 25 desktop and first run of dnf update.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 117 RAUL ZARADNIK 2017-08-03 14:40:35 UTC
Description of problem:
El problema aparecío tras la instalación de Fedora 25.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 118 alberto 2017-08-16 14:52:01 UTC
Description of problem:
no se

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.11.12-200.fc25.x86_64
type:           libreport

Comment 119 William LaRue 2017-08-31 02:13:41 UTC
Description of problem:
This error notification popped up upon boot  / login.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.12.8-200.fc25.x86_64
type:           libreport

Comment 120 Oliver Jan Krylow 2017-10-05 10:51:02 UTC
Description of problem:
Update from version 25 to 26 via Gnome Software.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.8-300.fc25.x86_64
type:           libreport

Comment 121 Txe 2017-10-25 19:07:21 UTC
Description of problem:
When mounting a NFS ext. Disk

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.13.5-100.fc25.x86_64
type:           libreport

Comment 122 Txe 2017-10-28 19:59:53 UTC
Description of problem:
just update the system

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.13.8-100.fc25.x86_64
type:           libreport


Note You need to log in before you can comment on or make changes to this bug.