Description of problem: appears when I start autofs that makes available a Linux nfs4 share: $ cat /etc/auto.zfs /var/cache/dnf -rsize=1048576,wsize=1048576,noatime,nodiratime,soft 192.168.1.1:/srv/zfs/yumcache $ cat /etc/auto.master.d/zfs.autofs /- /etc/auto.zfs --timeout 60 --ghost SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket port 61882. ***** Plugin bind_ports (92.2 confidence) suggests ************************ If you want to allow rpcbind to bind to network port 61882 Then you need to modify the port type. Do # semanage port -a -t PORT_TYPE -p udp 61882 where PORT_TYPE is one of the following: agentx_port_t, apertus_ldp_port_t, comsat_port_t, dhcpc_port_t, dhcpd_port_t, dns_port_t, efs_port_t, flash_port_t, ftp_port_t, gdomap_port_t, hi_reserved_port_t, inetd_child_port_t, ipmi_port_t, ipp_port_t, kerberos_admin_port_t, kerberos_port_t, kprop_port_t, ktalkd_port_t, ldap_port_t, pki_ca_port_t, pop_port_t, portmap_port_t, printer_port_t, rlogin_port_t, rlogind_port_t, rndc_port_t, router_port_t, rsh_port_t, rsync_port_t, rtsp_port_t, rwho_port_t, smtp_port_t, spamd_port_t, swat_port_t, syslogd_port_t, uucpd_port_t. ***** Plugin catchall_boolean (7.83 confidence) suggests ****************** If you want to allow nis to enabled Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. Do setsebool -P nis_enabled 1 ***** Plugin catchall (1.41 confidence) suggests ************************** If you believe that rpcbind should be allowed name_bind access on the port 61882 udp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'rpcbind' --raw | audit2allow -M my-rpcbind # semodule -X 300 -i my-rpcbind.pp Additional Information: Source Context system_u:system_r:rpcbind_t:s0 Target Context system_u:object_r:unreserved_port_t:s0 Target Objects port 61882 [ udp_socket ] Source rpcbind Source Path rpcbind Port 61882 Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-37.16-1.fc37.noarch Local Policy RPM selinux-policy-targeted-37.16-1.fc37.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 6.0.12-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 8 16:58:47 UTC 2022 x86_64 x86_64 Alert Count 1 First Seen 2022-12-18 00:51:16 EET Last Seen 2022-12-18 00:51:16 EET Local ID e2680070-1857-421c-8c5f-a854e0606147 Raw Audit Messages type=AVC msg=audit(1671317476.539:877): avc: denied { name_bind } for pid=5257 comm="rpcbind" src=61882 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0 Hash: rpcbind,rpcbind_t,unreserved_port_t,udp_socket,name_bind Version-Release number of selected component: selinux-policy-targeted-37.16-1.fc37.noarch Additional info: component: selinux-policy reporter: libreport-2.17.4 hashmarkername: setroubleshoot kernel: 6.0.12-300.fc37.x86_64 type: libreport Potential duplicate: bug 1563792
*** This bug has been marked as a duplicate of bug 1758147 ***