Description of problem: rpcbind.socket cannot start because /usr/bin/rpcbind has wrong SELinux label and unable to create socket /run/rpcbind.sock. In 0.2.4 rpcbind binary has moved to /usr/bin from /usr/sbin; the SELinux label is set wrongly Version-Release number of selected component (if applicable): rpcbind.x86_64 0.2.4-0.fc25 How reproducible: Always Steps to Reproduce: 1. Upgrade to 0.2.4-0.fc25 2. 3. Actual results: rpcbind.socket: Failed to listen on sockets: Permission denied Failed to listen on RPCbind Server Activation Socket. Expected results: Listening on RPCbind Server Activation Socket. Additional info: # ls -Z /usr/bin/rpcbind system_u:object_r:bin_t:s0 /usr/bin/rpcbind Downgrade to rpcbind-0.2.3-11.rc1.fc25 # ls -Z /usr/sbin/rpcbind system_u:object_r:rpcbind_exec_t:s0 /usr/sbin/rpcbind
Manual fix: 1. Upgrade to rpcbind.x86_64 0.2.4-0.fc25 2. Observe audit2allow -al: #============= init_t ============== allow init_t unconfined_service_t:unix_stream_socket create; 3. Fix label chcon -t rpcbind_exec_t /usr/bin/rpcbind 4. systemctl restart rpcbind.socket Listening on RPCbind Server Activation Socket.
Been seeing what looks like the same thing on our openQA boxes (recently updated to F25) and in some openQA tests.
So the binary moved from /usr/sbin to /usr/bin ; selinux-policy needs updating to apply the correct label to it now. In fact this has just a few hours ago been done: https://github.com/fedora-selinux/selinux-policy/commit/a1f5dc42371849a2ab33ea0397c9e68c66c17afc we just need package builds for Rawhide and F25.
This may be a duplicate of bug 1402083
Yes, they probably are the same. *** This bug has been marked as a duplicate of bug 1402083 ***