The first advice from catchall_boolean plugin is correct.

Do: 
# setsebool -P nis_enabled 1

Please let us know if the SELinux denial appears again.

I've realized that when this popped up and I was filing it it was already 4 days old and looking at dnf logs it was after I upgraded Fedora from 30 to 31. It hasn't been reported since that even though I haven't set the value until now.

Because the nis_enabled boolean is by default turned on.

Sorry, my mistake. The boolean is by default turned off.

We see this a lot recently in Cockpit tests[1] on Fedora 30 images.
```
audit: type=1400 audit(1573031093.482:321): avc:  denied  { name_bind } for  pid=7416 comm="rpcbind" src=61302 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
```
I haven't dug deeper when exactly this happens, but if it is needed, please let me know.


[1] example failure: https://209.132.184.41:8493/logs/pull-12971-20191106-084747-86f484cb-cockpit-project-cockpit--fedora-30-firefox/log.html#185

*** Bug 1773430 has been marked as a duplicate of this bug. ***

Similar problem has been detected:

Not sure what caused this

hashmarkername: setroubleshoot
kernel:         5.3.11-300.fc31.x86_64
reason:         SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket port 62126.
type:           libreport

The advise says:

# setsebool -P nis_enabled 1

But I don't use NIS here.

This was closed without an explanation -- unless "The boolean is by default turned off." was supposed to be that. We still see that countless times [1], on Fedora 31/32/33, this is a default Fedora install without NIS.

[1] https://github.com/cockpit-project/bots/issues/118

On Fedora 33 there is a variant of this now, with "unbound-anchor" instead of "rpcbind":

audit: type=1400 audit(2091398401.751:700): avc:  denied  { name_bind } for  pid=15025 comm="unbound-anchor" src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0

This message is a reminder that Fedora 31 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 31 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Can somebody please update Version: here to 33 or rawhide given comment #9 and comment #10?

Confirmed, this is still very much alive: https://github.com/cockpit-project/bots/issues/118

Regarding the comment#10, the fix is already prepared.
Check the link: https://bugzilla.redhat.com/show_bug.cgi?id=1794531

In other cases, you need to enable the nis_enabled boolean when you are using the rpcbind service, because the port number varies.

(In reply to Richard Fiľo from comment #14)
> 
> In other cases, you need to enable the nis_enabled boolean when you are
> using the rpcbind service, because the port number varies.

So why is this boolean called "nis_enabled" when it has nothing to do with NIS.  I don't run NIS here and I keep getting that recommendation.

Does it need to be renamed to something that doesn't indicate something specific such as NIS?

The nis_enabled boolean contains a lot of rules and in this case it fixes this issue as well.

Steve,

In newer Fedoras rpcbind name-binds to random (unpredictable) ports. I've read through bz#1559324 and the result was the behaviour changed in F29:

commit 2e9c289246c647e25649914bdb0d9400c66f486e (tag: pcbind-0_2_5-rc4)
Author: Steve Dickson <steved>
Date:   Wed Aug 15 10:22:36 2018 -0400

    rpcbind: Disable remote calls by default
    
    Added a new configuration flag --enable-rmtcalls
    which will be needed to enable the remote call
    functionality.
    
    This also stops rpcbind from opening up random
    listening ports.
    
    Signed-off-by: Steve Dickson <steved>

but it seems to be back again.

Does it mean the current rpcbind version requires this access, even without changes to default configuration?

*** Bug 1861372 has been marked as a duplicate of this bug. ***

*** Bug 1889164 has been marked as a duplicate of this bug. ***

*** Bug 1847226 has been marked as a duplicate of this bug. ***

(In reply to Zdenek Pytela from comment #17)
> Steve,
> 
> In newer Fedoras rpcbind name-binds to random (unpredictable) ports. I've
> read through bz#1559324 and the result was the behaviour changed in F29:
> 
> commit 2e9c289246c647e25649914bdb0d9400c66f486e (tag: pcbind-0_2_5-rc4)
> Author: Steve Dickson <steved>
> Date:   Wed Aug 15 10:22:36 2018 -0400
> 
>     rpcbind: Disable remote calls by default
>     
>     Added a new configuration flag --enable-rmtcalls
>     which will be needed to enable the remote call
>     functionality.
>     
>     This also stops rpcbind from opening up random
>     listening ports.
>     
>     Signed-off-by: Steve Dickson <steved>
> 
> but it seems to be back again.
> 
> Does it mean the current rpcbind version requires this access, even without
> changes to default configuration?
Yes... I did turn remote calls (which use that random listening port)
back on by default due to bug 1630672 because it did break NIS and something called Kodia

Maybe there is a better way to enable that listening port??

I did not turn it back on in RHEL so maybe there are doing 
something else in there....

Steve,

Thank you for the clarification. I see 2 options:
- we allow rpcbind name-bind *all* udp ports in selinux-policy
- rpcbind will bind only to ephemeral ports: this is allowed by default to any process (even without turning the nis_enable SELinux boolean on which is off by default)

# sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768    60999

I cannot assess which option is the best for rpcbind regarding usability & security.

(In reply to Zdenek Pytela from comment #22)
> Steve,
> 
> Thank you for the clarification. I see 2 options:
> - we allow rpcbind name-bind *all* udp ports in selinux-policy
> - rpcbind will bind only to ephemeral ports: this is allowed by default to
At this point I believe rpcbind is using ephemeral ports... 
*          
 * Dynamic port range as defined in RFC 6335 Section 6.
 * This range avoids all IANA-assigned service port
 * numbers.
 */
enum {
    LOWPORT     = 49152,
    ENDPORT     = 65534,
    NPORTS      = ENDPORT - LOWPORT + 1,
};  

and the semodule -X 300 -i my-rpcbind.pp is showing port 64657 is
being used. According to 6335 Section 6 the ephemeral port range is
49152-65535

> any process (even without turning the nis_enable SELinux boolean on which is
> off by default)
> 
> # sysctl net.ipv4.ip_local_port_range
> net.ipv4.ip_local_port_range = 32768    60999
How is the range generated?

(In reply to Steve Dickson from comment #23)
> (In reply to Zdenek Pytela from comment #22)
> > Steve,
> > 
> > Thank you for the clarification. I see 2 options:
> > - we allow rpcbind name-bind *all* udp ports in selinux-policy
> > - rpcbind will bind only to ephemeral ports: this is allowed by default to
> At this point I believe rpcbind is using ephemeral ports... 
> *          
>  * Dynamic port range as defined in RFC 6335 Section 6.
>  * This range avoids all IANA-assigned service port
>  * numbers.
>  */
> enum {
>     LOWPORT     = 49152,
>     ENDPORT     = 65534,
>     NPORTS      = ENDPORT - LOWPORT + 1,
> };  
> 
> and the semodule -X 300 -i my-rpcbind.pp is showing port 64657 is
> being used. According to 6335 Section 6 the ephemeral port range is
> 49152-65535
> 
> > any process (even without turning the nis_enable SELinux boolean on which is
> > off by default)
> > 
> > # sysctl net.ipv4.ip_local_port_range
> > net.ipv4.ip_local_port_range = 32768    60999
> How is the range generated?
This is predefined in kernel. As the values are customizable using sysctl, I suppose the range in application should also be retrieved using the kernel function inet_get_local_port_range() or some wrapper.

net/ipv4/af_inet.c
1814 static __net_init int inet_init_net(struct net *net)
1815 {
1816         /*
1817          * Set defaults for local port range
1818          */
1819         seqlock_init(&net->ipv4.ip_local_ports.lock);
1820         net->ipv4.ip_local_ports.range[0] =  32768;
1821         net->ipv4.ip_local_ports.range[1] =  60999;
1822

net/ipv4/inet_connection_sock.c
 124 void inet_get_local_port_range(struct net *net, int *low, int *high)
 125 {
 126         unsigned int seq;
 127
 128         do {
 129                 seq = read_seqbegin(&net->ipv4.ip_local_ports.lock);
 130
 131                 *low = net->ipv4.ip_local_ports.range[0];
 132                 *high = net->ipv4.ip_local_ports.range[1];
 133         } while (read_seqretry(&net->ipv4.ip_local_ports.lock, seq));
 134 }
 135 EXPORT_SYMBOL(inet_get_local_port_range);

Similar problem has been detected:

Unknown, but not running NIS.

hashmarkername: setroubleshoot
kernel:         5.9.16-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-33.fc33.noarch
reason:         SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket port 61044.
type:           libreport

Similar problem has been detected:

No idea if this should be allowed or not. But reporting anyway.

hashmarkername: setroubleshoot
kernel:         5.10.7-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket porte 62359.
type:           libreport

Similar problem has been detected:

This happens every morning immediately after logon into gnome.

hashmarkername: setroubleshoot
kernel:         5.10.9-201.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket port 62471.
type:           libreport

Same here on F33, not using NIS (but NFS), with:

rpcbind-1.2.5-5.rc1.fc33.3.x86_64
selinux-policy-targeted-3.14.6-34.fc33.noarch

Oops, doozy on my end, please ignore.

Switching the component to rpcbind. IMHO this bug should be fixed with setting the port range to match the values in kernel.

Similar problem has been detected:

This happens at boot:

selinux-policy-3.14.6-35.fc33.noarch
selinux-policy-minimum-3.14.6-35.fc33.noarch
selinux-policy-targeted-3.14.6-35.fc33.noarch
libselinux-3.1-2.fc33.x86_64

hashmarkername: setroubleshoot
kernel:         5.10.23-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-35.fc33.noarch
reason:         SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket porte 63561.
type:           libreport

Similar problem has been detected:

Boot the system and install updates.
2021-06-03T15:55:00+0200 DDEBUG timer: transaction: 14225 ms
2021-06-03T15:55:00+0200 DEBUG Completion plugin: Generating completion cache...
2021-06-03T15:55:01+0200 DEBUG Aktualisiert: cdparanoia-10.2-37.fc33.x86_64
2021-06-03T15:55:01+0200 DEBUG Aktualisiert: cdparanoia-libs-10.2-37.fc33.x86_64
2021-06-03T15:55:01+0200 DEBUG Aktualisiert: libtirpc-1.2.6-4.rc4.fc33.x86_64
2021-06-03T15:55:01+0200 DEBUG Aktualisiert: python3-pillow-7.2.0-6.fc33.x86_64
2021-06-03T15:55:01+0200 DEBUG Aktualisiert: qbittorrent-1:4.3.5-1.fc33.x86_64
2021-06-03T15:55:01+0200 DEBUG Aktualisiert: rb_libtorrent-1.2.13-1.fc33.x86_64
2021-06-03T15:55:01+0200 DEBUG Aktualisiert: rng-tools-6.12-3.fc33.x86_64
2021-06-03T15:55:01+0200 DEBUG Aktualisiert: rpcbind-1.2.6-0.fc33.x86_64
2021-06-03T15:55:01+0200 DEBUG Aktualisiert: tigervnc-license-1.11.0-11.fc33.noarch
2021-06-03T15:55:01+0200 DEBUG Aktualisiert: tigervnc-server-minimal-1.11.0-11.fc33.x86_64
2021-06-03T15:55:01+0200 DEBUG Installiert: rtl-sdr-0.6.0-8.fc33.x86_64
2021-06-03T15:55:01+0200 INFO Fertig.
2021-06-03T15:55:01+0200 DDEBUG Cleaning up.

hashmarkername: setroubleshoot
kernel:         5.12.8-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-37.fc33.noarch
reason:         SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket Port 65483.
type:           libreport

I just saw this on Fedora 33, but not Fedora 34.  Was I just lucky with the port numbers?

"setsebool -P nis_enabled 1" did make it go away with Fedora 33.

It is present on Fedora 34.
Related: bug #1963065
I saw following while testing webrtc in Firefox:


*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that rpcbind should be allowed name_bind access on the port 65007 udp_socket by default.
Then you should report this as a bug.

Additional Information:
Source Context                system_u:system_r:rpcbind_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 65007 [ udp_socket ]
Source                        rpcbind
Source Path                   rpcbind
Port                          65007
SELinux Policy RPM            selinux-policy-targeted-34.14-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.14-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive

Raw Audit Messages
type=AVC msg=audit(1628548964.684:585): avc:  denied  { name_bind } for  pid=15853 comm="rpcbind" src=65007 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1

Hash: rpcbind,rpcbind_t,unreserved_port_t,udp_socket,name_bind

Per the previous comment, can somebody with permission please update the Version: field?  TiA.

*** Bug 2049300 has been marked as a duplicate of this bug. ***

It stopped happening a while ago so, I'm closing this.

This message is a reminder that Fedora Linux 34 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '34'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 34 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

We still see this problem on Fedora 36.

Also seeing this bug on Fedora 36.

Using "setsebool -P nis_enabled 1" seems to change the behaviour of nfs but not fix it.

Confirmed on current Fedora 37 as well. E.g. https://cockpit-logs.us-east-1.linodeobjects.com/pull-17690-20220831-093050-40773f60-fedora-37-bots-3801/log.html#171

Just updated to FC36. 
This time I decided to try eliminate it (I can't recall when it first appeared on my system, but very long ago, since some FC2x) and I got to this bug report.
Tried to do 'setsebool -P nis_enabled 1' with the following output:

# setsebool -P nis_enabled 1
libsepol.context_from_record: type stalld_var_run_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:stalld_var_run_t:s0 to sid
invalid context system_u:object_r:stalld_var_run_t:s0
Failed to commit changes to booleans: Success
#

*** Bug 1983604 has been marked as a duplicate of this bug. ***

*** Bug 2154609 has been marked as a duplicate of this bug. ***

Kicking the can down the road... This still happens on Fedora 38.

https://cockpit-logs.us-east-1.linodeobjects.com/pull-4412-20230215-173047-faf4e3ec-fedora-38-cockpit-project-cockpit-machines/log.html#80

Similar problem has been detected:

this happens after mounting an NFS share

hashmarkername: setroubleshoot
kernel:         6.1.12-200.fc37.x86_64
package:        selinux-policy-targeted-37.19-1.fc37.noarch
reason:         SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket port 61140.
type:           libreport

Similar problem has been detected:

no idea what caused it but it happened during regular dnf update

hashmarkername: setroubleshoot
kernel:         6.1.14-200.fc37.x86_64
package:        selinux-policy-targeted-37.19-1.fc37.noarch
reason:         SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket port 62152.
type:           libreport

Fedora 38  when NFS Client is started
Similar problem has been detected:

no idea what caused it but it happened during regular dnf update

hashmarkername: setroubleshoot
kernel:         6.1.14-200.fc37.x86_64
package:        selinux-policy-targeted-37.19-1.fc37.noarch
reason:         SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket port 62152.
type:           libreport

the problem still happens on Rawhide...

rpcbind-1.2.6-4.rc2.fc39.1.x86_64

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-38.29-1.fc40.noarch
----
time->Tue Oct  3 17:56:11 2023
type=AVC msg=audit(1696370171.456:925): avc:  denied  { name_bind } for  pid=636825 comm="rpcbind" src=63032 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1

*** Bug 2231613 has been marked as a duplicate of this bug. ***

Cockpit's OS bug tracker [1] hasn't seen this in about two months, so this either got fixed, or NFS has stopped trying this operation?

[1] https://github.com/cockpit-project/bots/issues/118

*** Bug 2272391 has been marked as a duplicate of this bug. ***

*** Bug 2273372 has been marked as a duplicate of this bug. ***

This ticket needs Version: updating to 39 as this happened there for me.

Can somebody with permission to do that please do it?

*** Bug 2274603 has been marked as a duplicate of this bug. ***

*** Bug 2291441 has been marked as a duplicate of this bug. ***

And seeing the issue in F-40 as well ...

*** Bug 2294178 has been marked as a duplicate of this bug. ***

This message is a reminder that Fedora Linux 40 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 40 on 2025-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '40'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 40 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Fedora Linux 40 entered end-of-life (EOL) status on 2025-05-13.

Fedora Linux 40 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.

This reappeared in F43 and rawhide: Examples:

    https://artifacts.dev.testing-farm.io/7c15ca3e-1cd0-4014-aaeb-aa45073bfdf3/
    https://artifacts.dev.testing-farm.io/2436d0bf-f71b-49c2-9385-d0f838d3f65c/
    https://artifacts.dev.testing-farm.io/7c15ca3e-1cd0-4014-aaeb-aa45073bfdf3/

*** Bug 2397252 has been marked as a duplicate of this bug. ***

Just seen on f43

Additional Information:
Source Context system_u:system_r:rpcbind_t:s0
Target Context system_u:object_r:unreserved_port_t:s0
Target Objects port 62502 [ udp_socket ]
Source rpcbind
Source Path rpcbind
Port 62502
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-42.14-1.fc43.noarch
Local Policy RPM selinux-policy-targeted-42.14-1.fc43.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Platform Linux fedora 6.17.6-300.fc43.x86_64 #1 SMP
PREEMPT_DYNAMIC Wed Oct 29 20:10:51 UTC 2025
x86_64
Alert Count 1
First Seen 2025-11-09 00:34:27 IST
Last Seen 2025-11-09 00:34:27 IST
Local ID 3903ef1d-be20-4b31-aab4-a4ee1dfa238b

Raw Audit Messages
type=AVC msg=audit(1762641267.477:2664): avc: denied { name_bind } for pid=657692 comm="rpcbind" src=62502 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0


Hash: rpcbind,rpcbind_t,unreserved_port_t,udp_socket,name_bind

Even though rpcbind is disable, it's running:

systemctl status rpcbind
● rpcbind.service - RPC Bind
     Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Sun 2025-11-09 00:34:27 IST; 15min ago
 Invocation: e0df33cba8b347fc8d91623110c6aa56
TriggeredBy: ● rpcbind.socket
       Docs: man:rpcbind(8)
   Main PID: 657692 (rpcbind)
      Tasks: 1 (limit: 32793)
     Memory: 1.3M (peak: 3.4M)
        CPU: 47ms
     CGroup: /system.slice/rpcbind.service
             └─657692 /usr/bin/rpcbind -w -f

Nov 09 00:34:27 fedora systemd[1]: Starting rpcbind.service - RPC Bind...
Nov 09 00:34:27 fedora (rpcbind)[657692]: rpcbind.service: Referenced but unset environment variable evaluates to an empty string: RPCBIND_OPTIONS
Nov 09 00:34:27 fedora rpcbind[657692]: rpcbind: svc_tli_create: could not bind to anonymous port
Nov 09 00:34:27 fedora systemd[1]: Started rpcbind.service - RPC Bind.

And the times match - it triggered selinux when started.

(In reply to dani from comment #64)
> Even though rpcbind is disable, it's running:

For me, rpcbind service and socket were triggered when systemd.automount attempted to mount a network share via NFSv3. Explicitly setting the mount to use NFSv4 prevented rpcbind activation; granted NFSv4 could probably still active rpcbind if it cant connect to standard NFS port 2049 or is configured with port=0 per NFS(5).

My selinux block on F43 was specifically about rpcbind attempting to bind udp 63239 with audit logs similar to what's already been shown.

Happened today, on f44 kernel 6.19.14-300.fc44.x86_64

SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket port 64528.


Additional Information:
Source Context                system_u:system_r:rpcbind_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 64528 [ udp_socket ]
Source                        rpcbind
Source Path                   rpcbind
Port                          64528
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-44.1-1.fc44.noarch
Local Policy RPM              selinux-policy-targeted-44.1-1.fc44.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.19.14-300.fc44.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Apr 23 15:17:50 UTC 2026
                              x86_64
Alert Count                   20
First Seen                    2025-11-09 00:34:27 IST
Last Seen                     2026-05-05 08:12:56 IDT
Local ID                      3903ef1d-be20-4b31-aab4-a4ee1dfa238b

Raw Audit Messages
type=AVC msg=audit(1777957976.315:233): avc:  denied  { name_bind } for  pid=8247 comm="rpcbind" src=64528 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0


Hash: rpcbind,rpcbind_t,unreserved_port_t,udp_socket,name_bind


NIS not installed

journalctl -u rpcbind -b0
May 05 08:12:46 fedora systemd[1]: Starting rpcbind.service - RPC Bind...
May 05 08:12:56 fedora (rpcbind)[8247]: rpcbind.service: Referenced but unset environment variable evaluates to an empty string: RPCBIND_OPTIONS
May 05 08:12:56 fedora rpcbind[8247]: rpcbind: svc_tli_create: could not bind to anonymous port
May 05 08:12:56 fedora systemd[1]: Started rpcbind.service - RPC Bind.

BTW, the service is running even though its disabled

dani@fedora:~$ systemctl status rpcbind
● rpcbind.service - RPC Bind
     Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Tue 2026-05-05 08:12:56 IDT; 8h ago
 Invocation: 4c6c86de43424ce498441f3acfe5e406
TriggeredBy: ● rpcbind.socket
       Docs: man:rpcbind(8)
   Main PID: 8247 (rpcbind)
      Tasks: 1 (limit: 33046)
     Memory: 1.3M (peak: 4M)
        CPU: 96ms
     CGroup: /system.slice/rpcbind.service
             └─8247 /usr/bin/rpcbind -w -f

May 05 08:12:46 fedora systemd[1]: Starting rpcbind.service - RPC Bind...
May 05 08:12:56 fedora (rpcbind)[8247]: rpcbind.service: Referenced but unset environment variable evaluates to an empty string: RPCBIND_OPTIONS
May 05 08:12:56 fedora rpcbind[8247]: rpcbind: svc_tli_create: could not bind to anonymous port
May 05 08:12:56 fedora systemd[1]: Started rpcbind.service - RPC Bind.

*** Bug 2418007 has been marked as a duplicate of this bug. ***

*** Bug 2463724 has been marked as a duplicate of this bug. ***

*** Bug 2453818 has been marked as a duplicate of this bug. ***

*** Bug 2452332 has been marked as a duplicate of this bug. ***

*** Bug 2440225 has been marked as a duplicate of this bug. ***

*** Bug 2479882 has been marked as a duplicate of this bug. ***

*** Bug 2464506 has been marked as a duplicate of this bug. ***

*** Bug 2488342 has been marked as a duplicate of this bug. ***

(In reply to dani from comment #66)
> Happened today, on f44 kernel 6.19.14-300.fc44.x86_64
> 
> SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket
> port 64528.
> 
> 
> Additional Information:
> Source Context                system_u:system_r:rpcbind_t:s0
> Target Context                system_u:object_r:unreserved_port_t:s0
> Target Objects                port 64528 [ udp_socket ]
> Source                        rpcbind
> Source Path                   rpcbind
> Port                          64528
> Host                          (removed)
> Source RPM Packages           
> Target RPM Packages           
> SELinux Policy RPM            selinux-policy-targeted-44.1-1.fc44.noarch
> Local Policy RPM              selinux-policy-targeted-44.1-1.fc44.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     (removed)
> Platform                      Linux (removed) 6.19.14-300.fc44.x86_64 #1 SMP
>                               PREEMPT_DYNAMIC Thu Apr 23 15:17:50 UTC 2026
>                               x86_64
> Alert Count                   20
> First Seen                    2025-11-09 00:34:27 IST
> Last Seen                     2026-05-05 08:12:56 IDT
> Local ID                      3903ef1d-be20-4b31-aab4-a4ee1dfa238b
> 
> Raw Audit Messages
> type=AVC msg=audit(1777957976.315:233): avc:  denied  { name_bind } for 
> pid=8247 comm="rpcbind" src=64528 scontext=system_u:system_r:rpcbind_t:s0
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
> permissive=0
> 
> 
> Hash: rpcbind,rpcbind_t,unreserved_port_t,udp_socket,name_bind
> 
> 
> NIS not installed
> 
> journalctl -u rpcbind -b0
> May 05 08:12:46 fedora systemd[1]: Starting rpcbind.service - RPC Bind...
> May 05 08:12:56 fedora (rpcbind)[8247]: rpcbind.service: Referenced but
> unset environment variable evaluates to an empty string: RPCBIND_OPTIONS
> May 05 08:12:56 fedora rpcbind[8247]: rpcbind: svc_tli_create: could not
> bind to anonymous port
> May 05 08:12:56 fedora systemd[1]: Started rpcbind.service - RPC Bind.

I'm not seeing this on f44
f44# journalctl -u rpcbind -b0
Jun 13 18:40:38 dobby-f44.home.dicksonnet.net systemd[1]: Starting rpcbind.service - RPC Bind...
Jun 13 18:40:38 dobby-f44.home.dicksonnet.net (rpcbind)[912]: rpcbind.service: Referenced but un>
Jun 13 18:40:38 dobby-f44.home.dicksonnet.net systemd[1]: Started rpcbind.service - RPC Bind.

(In reply to Steve Dickson from comment #76)
> (In reply to dani from comment #66)
> > Happened today, on f44 kernel 6.19.14-300.fc44.x86_64
> > 
> > SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket
> > port 64528.
> > 
> > 
> > Additional Information:
> > Source Context                system_u:system_r:rpcbind_t:s0
> > Target Context                system_u:object_r:unreserved_port_t:s0
> > Target Objects                port 64528 [ udp_socket ]
> > Source                        rpcbind
> > Source Path                   rpcbind
> > Port                          64528
> > Host                          (removed)
> > Source RPM Packages           
> > Target RPM Packages           
> > SELinux Policy RPM            selinux-policy-targeted-44.1-1.fc44.noarch
> > Local Policy RPM              selinux-policy-targeted-44.1-1.fc44.noarch
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Enforcing
> > Host Name                     (removed)
> > Platform                      Linux (removed) 6.19.14-300.fc44.x86_64 #1 SMP
> >                               PREEMPT_DYNAMIC Thu Apr 23 15:17:50 UTC 2026
> >                               x86_64
> > Alert Count                   20
> > First Seen                    2025-11-09 00:34:27 IST
> > Last Seen                     2026-05-05 08:12:56 IDT
> > Local ID                      3903ef1d-be20-4b31-aab4-a4ee1dfa238b
> > 
> > Raw Audit Messages
> > type=AVC msg=audit(1777957976.315:233): avc:  denied  { name_bind } for 
> > pid=8247 comm="rpcbind" src=64528 scontext=system_u:system_r:rpcbind_t:s0
> > tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
> > permissive=0
> > 
> > 
> > Hash: rpcbind,rpcbind_t,unreserved_port_t,udp_socket,name_bind
> > 
> > 
> > NIS not installed
> > 
> > journalctl -u rpcbind -b0
> > May 05 08:12:46 fedora systemd[1]: Starting rpcbind.service - RPC Bind...
> > May 05 08:12:56 fedora (rpcbind)[8247]: rpcbind.service: Referenced but
> > unset environment variable evaluates to an empty string: RPCBIND_OPTIONS
> > May 05 08:12:56 fedora rpcbind[8247]: rpcbind: svc_tli_create: could not
> > bind to anonymous port
> > May 05 08:12:56 fedora systemd[1]: Started rpcbind.service - RPC Bind.
> 
> I'm not seeing this on f44
> f44# journalctl -u rpcbind -b0
> Jun 13 18:40:38 dobby-f44.home.dicksonnet.net systemd[1]: Starting
> rpcbind.service - RPC Bind...
> Jun 13 18:40:38 dobby-f44.home.dicksonnet.net (rpcbind)[912]:
> rpcbind.service: Referenced but un>
> Jun 13 18:40:38 dobby-f44.home.dicksonnet.net systemd[1]: Started
> rpcbind.service - RPC Bind.

Mr. Dickson, as the port number is chosen randomly, you'll not get a failure unless it chooses a number outside the range of 32768 through 60999 as outlined in comment 22 from  Zdenek Pytela.  If you restart rpcbind, you'll get a new random number and may see the error.  If not, try again.

Hi Steve, I agree with the reports here - if you start it repeatedly you'll eventually see it:

# while true; do systemctl start rpcbind; sleep 1; journalctl -u rpcbind -b0 | grep "could not bind" | tail -n 1; systemctl stop rpcbind.socket; sleep 1; done | uniq
Jun 21 08:53:37 fedora-xfstests rpcbind[1268249]: rpcbind: svc_tli_create: could not bind to anonymous port
Jun 21 08:54:15 fedora-xfstests rpcbind[1268312]: rpcbind: svc_tli_create: could not bind to anonymous port
Jun 21 08:54:21 fedora-xfstests rpcbind[1268357]: rpcbind: svc_tli_create: could not bind to anonymous port
Jun 21 08:54:23 fedora-xfstests rpcbind[1268372]: rpcbind: svc_tli_create: could not bind to anonymous port
Jun 21 08:54:25 fedora-xfstests rpcbind[1268387]: rpcbind: svc_tli_create: could not bind to anonymous port

This issue is causing lots of noise in automated testing, so it'd be nice to get this resolved after 6 years or so.

As far as I can tell the SELinux policy for rpcbind doesn't allow it to bind to ephemeral ports.

Doing "setsebool -P nis_enabled 1" does allow this, but I don't think that should be necessary; it's a side effect:

# sesearch -A -s rpcbind_t -c udp_socket -p name_bind
allow nsswitch_domain ephemeral_port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain unreserved_port_t:udp_socket name_bind; [ nis_enabled ]:True
allow rpcbind_t portmap_port_t:udp_socket name_bind;
allow rpcbind_t rpc_port_type:udp_socket name_bind;

It looks to me like the selinux policy should be adjusted to allow rpcbind to attach to ephemeral ports, as it allows for many other services:

# sesearch -A -c udp_socket -p name_bind | grep unreserved_port_t | head -n 10
allow antivirus_domain unreserved_port_t:udp_socket name_bind;
allow asterisk_t unreserved_port_t:udp_socket name_bind;
allow bacula_t unreserved_port_t:udp_socket name_bind;
allow callweaver_t unreserved_port_t:udp_socket name_bind;
...

and this should probably be assigned to selinux-policy, not rpcbind, so that it can be evaluated and fixed. Thoughts?

Also, note that setting nis_enabled isn't enough:

# setsebool -P nis_enabled 1
# while true; do systemctl start rpcbind; sleep 1; journalctl -u rpcbind -b0 | grep "could not bind" | tail -n 1; systemctl stop rpcbind.socket; sleep 1; done | uniq
Jun 21 08:54:25 fedora-xfstests rpcbind[1268387]: rpcbind: svc_tli_create: could not bind to anonymous port # leftover
Jun 21 09:31:23 fedora-xfstests rpcbind[1273361]: rpcbind: svc_tli_create: could not bind to anonymous port # new even with nis_enabled set

I think this is because other port ranges in the ephemeral range have explicit selinux labels set which are also denied; see for example https://github.com/fedora-selinux/selinux-policy/issues/761 which highlights traceroute_port_t  (UDP ports 64000-64010). But this also seems like selinux's problem, not rpcbind's.

(last comment sorry) I guess some of this has been discussed before, and selinux folks specifically sent it back to rpcbind suggesting that rpcbind should limit itself to the kernel port range, which might make sense if this rpcbind is linux-specific, I think?

The problem above with overlapping port ranges in policy might still be an selinux policy issue though.

I'm out of my depth here but a little quality time with Claude suggests maybe 2 changes are both needed:

  1. rpcbind/libtirpc: read port range from /proc/sys/net/ipv4/ip_local_port_range and limit to that
  2. selinux-policy: grant rpcbind_t unconditional name_bind on ephemeral_port_t

Regardless, this has been a problem for over 6 years with no resolution and it's constantly popping up for users and in automated test runs. It'd be really nice to get it fixed one way or another.