Bug 2231613 - SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket port 62414.
Summary: SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket por...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: rpcbind
Version: 38
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Steve Dickson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:353bb6bd6a8e04006146647683a...
Depends On:
Blocks:
Reported: 2023-08-12 13:03 UTC by James
Modified: 2023-08-14 08:10 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments
File: description (2.87 KB, text/plain), 2023-08-12 13:03 UTC, James
File: os_info (688 bytes, text/plain), 2023-08-12 13:03 UTC, James

Description James 2023-08-12 13:03:17 UTC
Description of problem:
SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket port 62414.

*****  Plugin bind_ports (92.2 confidence) suggests   ************************

If you want to allow rpcbind to bind to network port 62414
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p udp 62414
    where PORT_TYPE is one of the following: agentx_port_t, apertus_ldp_port_t, comsat_port_t, dhcpc_port_t, dhcpd_port_t, dns_port_t, efs_port_t, flash_port_t, ftp_port_t, gdomap_port_t, hi_reserved_port_t, inetd_child_port_t, ipmi_port_t, ipp_port_t, kerberos_admin_port_t, kerberos_port_t, kprop_port_t, ktalkd_port_t, ldap_port_t, pki_ca_port_t, pop_port_t, portmap_port_t, printer_port_t, rlogin_port_t, rlogind_port_t, rndc_port_t, router_port_t, rsh_port_t, rsync_port_t, rtsp_port_t, rwho_port_t, smtp_port_t, spamd_port_t, swat_port_t, syslogd_port_t, uucpd_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that rpcbind should be allowed name_bind access on the port 62414 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpcbind' --raw | audit2allow -M my-rpcbind
# semodule -X 300 -i my-rpcbind.pp

Additional Information:
Source Context                system_u:system_r:rpcbind_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 62414 [ udp_socket ]
Source                        rpcbind
Source Path                   rpcbind
Port                          62414
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.24-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.24-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.4.9-200.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue Aug 8 21:21:11 UTC 2023 x86_64
Alert Count                   7
First Seen                    2023-07-13 20:09:15 BST
Last Seen                     2023-08-12 13:56:37 BST
Local ID                      bc1f52e6-7115-4bc2-be44-0cf1f02f97d2

Raw Audit Messages
type=AVC msg=audit(1691844997.968:239): avc:  denied  { name_bind } for  pid=3341 comm="rpcbind" src=62414 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0


Hash: rpcbind,rpcbind_t,unreserved_port_t,udp_socket,name_bind

Version-Release number of selected component:
selinux-policy-targeted-38.24-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.11
reason:         SELinux is preventing rpcbind from 'name_bind' accesses on the udp_socket port 62414.
package:        selinux-policy-targeted-38.24-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.4.9-200.fc38.x86_64
component:      selinux-policy

Comment 1 James 2023-08-12 13:03:20 UTC
Created attachment 1983128
File: description

Comment 2 James 2023-08-12 13:03:22 UTC
Created attachment 1983129
File: os_info

Comment 3 Zdenek Pytela 2023-08-14 08:10:42 UTC
Switching the component.
Is it possible to make rpcbind use ephemeral ports along with the kernel configuration?

Processes are allowed to bind to ephemeral ports when the port number matches the range for local ports as defined in the net.ipv4.ip_local_port_range kernel tunable, regardless of their SELinux label:

  # sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768    60999
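
A small triage helper, added here and not part of the bug report or of rpcbind, that applies the check from comment 3: it parses the AVC line quoted in the description and the sysctl output above, then reports whether the denied port falls inside net.ipv4.ip_local_port_range. All function names are mine; the two input strings are the values quoted on this page.

```python
import re

# Sample input taken from this bug: the raw AVC message and the sysctl output.
AVC_LINE = ('type=AVC msg=audit(1691844997.968:239): avc:  denied  { name_bind } for  '
            'pid=3341 comm="rpcbind" src=62414 scontext=system_u:system_r:rpcbind_t:s0 '
            'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0')
SYSCTL_LINE = "net.ipv4.ip_local_port_range = 32768    60999"

# Field order follows the kernel's AVC format: perms, comm, src port, contexts, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?src=(?P<port>\d+).*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)')


def parse_avc(line):
    """Extract the fields of a port-bind AVC denial into a dict."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not a port-bind AVC denial line")
    d = m.groupdict()
    d["port"] = int(d["port"])
    d["perms"] = d["perms"].split()
    d["port_type"] = d["tcontext"].split(":")[2]   # e.g. unreserved_port_t
    return d


def parse_port_range(line):
    """Parse 'net.ipv4.ip_local_port_range = LOW HIGH' into (LOW, HIGH)."""
    key, _, value = line.partition("=")
    if key.strip() != "net.ipv4.ip_local_port_range":
        raise ValueError("unexpected sysctl key: %r" % key.strip())
    low, high = (int(x) for x in value.split())
    return low, high


def classify(avc, port_range):
    """Say whether the denied port is ephemeral (inside ip_local_port_range)."""
    if "name_bind" not in avc["perms"] or avc["tclass"] not in ("tcp_socket", "udp_socket"):
        return "not-a-port-bind-denial"
    low, high = port_range
    if low <= avc["port"] <= high:
        return "ephemeral"            # binds here are allowed regardless of domain
    return "outside-ephemeral"        # name_bind on the port's type is checked


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    rng = parse_port_range(SYSCTL_LINE)
    print("%s port %d (%s): %s, range %d-%d" % (
        avc["comm"], avc["port"], avc["port_type"], classify(avc, rng), *rng))
```

For the values on this page the port 62414 lands above the 60999 upper bound, which is why the bind was checked against unreserved_port_t and denied; widening the range or having rpcbind pick a port inside it would avoid the name_bind check.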

