Bug 2394936 - Selinux reports permissive nfs related blockings
Summary: Selinux reports permissive nfs related blockings
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 42
Hardware: Unspecified
OS: Unspecified
low
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-09-13 06:05 UTC by Marek Greško
Modified: 2025-10-10 00:50 UTC (History)

Fixed In Version: selinux-policy-42.12-1.fc42
Clone Of:
Environment:
Last Closed: 2025-10-10 00:50:49 UTC
Type: Bug
Embargoed:
zpytela: mirror+


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 2872 0 None open Allow nfs generator create and use netlink and udp sockets 2025-09-15 07:32:45 UTC
Red Hat Issue Tracker FC-2245 0 None None None 2025-09-15 07:35:44 UTC

Description Marek Greško 2025-09-13 06:05:13 UTC
Description of problem:

There are various logs with nfs related blockings:

AVC avc:  denied  { create } for  pid=179463 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=netlink_route_socket permissive=1
AVC avc:  denied  { bind } for  pid=179463 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=netlink_route_socket permissive=1
AVC avc:  denied  { getattr } for  pid=179463 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=netlink_route_socket permissive=1
AVC avc:  denied  { nlmsg_read } for  pid=179463 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=netlink_route_socket permissive=1
AVC avc:  denied  { create } for  pid=179463 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=udp_socket permissive=1
AVC avc:  denied  { connect } for  pid=179463 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=udp_socket permissive=1
AVC avc:  denied  { getattr } for  pid=179463 comm="nfs-server-gene" laddr=serveripv4address lport=36023 faddr=clientipv4address scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=udp_socket permissive=1
AVC avc:  denied  { create } for  pid=179767 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=netlink_route_socket permissive=1
AVC avc:  denied  { bind } for  pid=179767 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=netlink_route_socket permissive=1
AVC avc:  denied  { getattr } for  pid=179767 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=netlink_route_socket permissive=1
AVC avc:  denied  { nlmsg_read } for  pid=179767 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=netlink_route_socket permissive=1
AVC avc:  denied  { getattr } for  pid=179767 comm="nfs-server-gene" laddr=serveripv6address lport=60487 faddr=clientipv6address scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=udp_socket permissive=1
AVC avc:  denied  { connect } for  pid=179767 comm="nfs-server-gene" laddr=serveripv6address lport=60487 faddr=clientipv6address scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=udp_socket permissive=1
AVC avc:  denied  { create } for  pid=179767 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=udp_socket permissive=1
type=1400 audit(1757654984.817:4): avc:  denied  { create } for  pid=1078 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=udp_socket permissive=1
type=1400 audit(1757654984.817:5): avc:  denied  { setopt } for  pid=1078 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=udp_socket permissive=1
type=1400 audit(1757654984.817:6): avc:  denied  { connect } for  pid=1078 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=udp_socket permissive=1


Version-Release number of selected component (if applicable):
selinux-policy-targeted-42.8-1.fc42.noarch
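
Added example (not part of the original report or of selinux-policy): a small triage script that parses AVC denials in both log formats shown above, groups the denied permissions by source type, target type and class, and prints them in audit2allow-style rule form. The function names are hypothetical and the sample lines are copied from this report; the rules actually merged are in the linked pull request and may differ.

```python
import re
from collections import defaultdict

# Sample denials copied from the report above (journal and type=1400 formats).
SAMPLE = """\
AVC avc:  denied  { create } for  pid=179463 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=netlink_route_socket permissive=1
AVC avc:  denied  { bind } for  pid=179463 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=netlink_route_socket permissive=1
AVC avc:  denied  { getattr } for  pid=179463 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=netlink_route_socket permissive=1
AVC avc:  denied  { nlmsg_read } for  pid=179463 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=netlink_route_socket permissive=1
AVC avc:  denied  { getattr } for  pid=179463 comm="nfs-server-gene" laddr=serveripv4address lport=36023 faddr=clientipv4address scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=udp_socket permissive=1
type=1400 audit(1757654984.817:4): avc:  denied  { create } for  pid=1078 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=udp_socket permissive=1
type=1400 audit(1757654984.817:5): avc:  denied  { setopt } for  pid=1078 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=udp_socket permissive=1
type=1400 audit(1757654984.817:6): avc:  denied  { connect } for  pid=1078 comm="nfs-server-gene" scontext=system_u:system_r:systemd_nfs_generator_t:s0 tcontext=system_u:system_r:systemd_nfs_generator_t:s0 tclass=udp_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        return {
            "perms": m.group("perms").split(),
            # SELinux contexts are user:role:type:level; the type is field 3.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "permissive": fields.get("permissive") == "1",
        }
    except (KeyError, IndexError):
        return None

def summarize(text):
    """Group permissions by (source, target, class); count enforced denials."""
    rules, enforced = defaultdict(set), 0
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        rules[(d["source"], d["target"], d["tclass"])].update(d["perms"])
        enforced += not d["permissive"]  # permissive=1 was logged, not blocked
    return rules, enforced

def to_allow_rules(rules):
    """Render the grouped denials as audit2allow-style allow rules."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        tgt = "self" if tgt == src else tgt
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    grouped, enforced = summarize(SAMPLE)
    print("\n".join(to_allow_rules(grouped)))
    print(f"denials actually enforced: {enforced}")
```

An enforced count of zero means every denial carried `permissive=1`, so the accesses were logged but not blocked.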

Comment 1 Fedora Update System 2025-10-05 19:50:01 UTC
FEDORA-2025-586ab05666 (selinux-policy-42.12-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-586ab05666

Comment 2 Fedora Update System 2025-10-06 01:51:56 UTC
FEDORA-2025-586ab05666 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-586ab05666`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-586ab05666

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2025-10-10 00:50:49 UTC
FEDORA-2025-586ab05666 (selinux-policy-42.12-1.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.

