Description of problem:
conntrackd fails with the following message:

juin 22 11:56:01 mune.rht.gluster.org conntrackd[13481]: ERROR: conntrackd cannot start, please check the logfile for more info

In turn, the error in the log is:

[Fri Jun 22 11:56:01 2018] (pid=13481) [ERROR] can't open channel socket
[Fri Jun 22 11:56:01 2018] (pid=13481) [ERROR] initialization failed

Looking in audit.log, this is the AVC (after using semodule -DB to show the message):

type=AVC msg=audit(1529668337.138:407604): avc: denied { net_admin } for pid=13445 comm="conntrackd" capability=12 scontext=system_u:system_r:conntrackd_t:s0 tcontext=system_u:system_r:conntrackd_t:s0 tclass=capability permissive=1

# grep 1529668337.138 /var/log/audit/audit.log | audit2allow -

#============= conntrackd_t ==============
allow conntrackd_t self:capability net_admin;

Adding that capability makes it work.

Here is a patch for that: https://github.com/fedora-selinux/selinux-policy-contrib/pull/61 but ideally, it should be backported to F28 too.

Version-Release number of selected component (if applicable):

How reproducible:
each time

Steps to Reproduce:
1. install conntrackd and configure it using unicast
2. restart it
3.

Actual results:
the service seems to start fine, but later fails

Expected results:
the service starts and survives

Additional info:
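The diagnosis above (unhide dontaudit rules with semodule -DB, find the AVC record, let audit2allow turn it into an allow rule) can be reproduced without the SELinux tools installed, which is useful when triaging audit logs copied off a machine. The script below is an added example, not part of this bug report or of selinux-policy: it parses AVC records into their fields, merges permissions per (source type, target type, class) the way audit2allow does, cross-checks the numeric capability=N field against the permission name in the braces (using the capability numbers from linux/capability.h, so capability=12 must be net_admin), and prints a minimal .te module. The conntrackd record is the one from the report; the SYSCALL line and the exampled_t/etc_t file records are constructed to show that non-AVC lines are skipped and that permissions for the same pair are merged.

```python
"""Derive allow rules from SELinux AVC denial records.

Added example for the conntrackd bug report above; the exampled_t records and
the SYSCALL line are constructed, only the conntrackd AVC line is from the report.
"""
import re
from collections import defaultdict
from typing import Any, Dict, List, Optional

# Capability numbers from linux/capability.h, used to cross-check "capability=N"
# against the permission name audit prints inside the braces.
CAPABILITY_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
}

# Constructed sample audit.log: the first AVC line is the one from the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1529668337.138:407604): avc:  denied  { net_admin } for  pid=13445 comm="conntrackd" capability=12  scontext=system_u:system_r:conntrackd_t:s0 tcontext=system_u:system_r:conntrackd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1529668337.138:407604): arch=c000003e syscall=41 success=yes exit=4 comm="conntrackd"
type=AVC msg=audit(1529668400.001:407700): avc:  denied  { read } for  pid=4242 comm="exampled" name="exampled.conf" scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1529668400.002:407701): avc:  denied  { open } for  pid=4242 comm="exampled" path="/etc/exampled.conf" scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_records(text: str) -> List[Dict[str, Any]]:
    """Return one dict per AVC denial; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH, ... records carry no denial
        rec: Dict[str, Any] = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        rec["perms"] = m.group("perms").split()
        records.append(rec)
    return records


def context_type(context: str) -> str:
    """user:role:type:level -> type"""
    return context.split(":")[2]


def capability_mismatch(rec: Dict[str, Any]) -> Optional[str]:
    """Warn when capability=N does not name the permission in the braces."""
    if rec.get("tclass") != "capability" or "capability" not in rec:
        return None
    expected = CAPABILITY_NAMES.get(int(rec["capability"]))
    if expected in rec["perms"]:
        return None
    return f"capability={rec['capability']} is {expected}, but perms are {rec['perms']}"


def _perm_list(perms) -> str:
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def rules_for_log(text: str) -> List[str]:
    """Merge denials per (source, target, class) into allow rules, like audit2allow."""
    merged = defaultdict(set)
    for rec in parse_avc_records(text):
        src = context_type(rec["scontext"])
        tgt = context_type(rec["tcontext"])
        if tgt == src:
            tgt = "self"  # same domain on both sides -> self
        merged[(src, tgt, rec["tclass"])].update(rec["perms"])
    return [f"allow {src} {tgt}:{tclass} {_perm_list(perms)};"
            for (src, tgt, tclass), perms in sorted(merged.items())]


def policy_module(name: str, rules: List[str]) -> str:
    """Wrap allow rules in a .te module with the require block they need."""
    types, classes = set(), defaultdict(set)
    for rule in rules:
        src, tgt, tclass, perms = re.match(r"allow (\S+) (\S+):(\S+) (.*);", rule).groups()
        types.add(src)
        if tgt != "self":
            types.add(tgt)
        classes[tclass].update(perms.strip("{} ").split())
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {_perm_list(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + rules
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for rec in parse_avc_records(SAMPLE_AUDIT_LOG):
        warning = capability_mismatch(rec)
        if warning:
            print("warning:", warning)
    print(policy_module("local_conntrackd", rules_for_log(SAMPLE_AUDIT_LOG)))
```

For the report's record the script reproduces audit2allow's `allow conntrackd_t self:capability net_admin;`. A rule produced this way grants the access permanently, so it is worth reviewing against what the daemon actually needs before installing it with checkmodule/semodule_package/semodule as a local module; once the fixed selinux-policy package is installed, the local module should be removed again so it does not mask future policy changes.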
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.