SELinux is preventing /usr/libexec/geoclue from name_bind access on the udp_socket port 960

I configured Rocky Linux 8 as a NIS client and an NFS client mounting the /home/$USER directories. NIS works properly. The NFS directories mount properly and can be accessed as normal. But every time I restart Rocky Linux 8, I get an SELinux message about:

SELinux is preventing /usr/libexec/geoclue from name_bind access on the udp_socket port 960.
If you believe that geoclue should be allowed name_bind access on the port 960 udp_socket by default.
You should report this as a bug. You can generate a local policy module to allow this access.

type=AVC msg=audit(1728705440.476:567): avc: denied { name_bind } for pid=13928 comm="pool" src=960 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1728705440.476:567): arch=c000003e syscall=49 success=no exit=-13 a0=b a1=7fa03affbd00 a2=10 a3=7fa03affbd1c items=0 ppid=1 pid=13928 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="pool" exe="/usr/libexec/geoclue" subj=system_u:system_r:geoclue_t:s0 key=(null)

And the port changes after each restart. How do I fix this? I do not want to disable SELinux, for safety reasons.

You can install this package:

dnf install policycoreutils-python-utils

and then once installed, use the following commands to see what explanation it gives from parsing /var/log/audit/audit.log

audit2why -a

and:

audit2allow -a

Once you’ve seen the results from these, we can get an idea of what needs to be done next to allow it to bind on that port, etc.

Info about geoclue

rpm -q geoclue2
geoclue2-2.6.0-7.el9.x86_64

It’s a “geo location” service, e.g. you have a weather app and it knows which city you are in.

The first question I’d ask is why it’s trying to bind to UDP port 960? Maybe there’s a good reason, but SELinux is being careful.

I don’t think this message happens on a default install of Rocky 9.4.

Thank you for your help~
After I executed audit2why -a, I got the following output:

type=AVC msg=audit(1728668834.710:362): avc:  denied  { name_bind } for  pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728668834.711:363): avc:  denied  { name_bind } for  pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728669237.231:538): avc:  denied  { name_bind } for  pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728669237.232:539): avc:  denied  { name_bind } for  pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728704673.392:9310): avc:  denied  { name_bind } for  pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728704673.393:9311): avc:  denied  { name_bind } for  pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728704750.116:9363): avc:  denied  { name_bind } for  pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728704750.117:9364): avc:  denied  { name_bind } for  pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728704862.725:9412): avc:  denied  { name_bind } for  pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728704862.726:9413): avc:  denied  { name_bind } for  pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728705158.353:350): avc:  denied  { name_bind } for  pid=13928 comm="pool" src=960 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728705158.354:351): avc:  denied  { name_bind } for  pid=13928 comm="pool" src=960 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728705440.476:566): avc:  denied  { name_bind } for  pid=13928 comm="pool" src=960 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728705440.476:567): avc:  denied  { name_bind } for  pid=13928 comm="pool" src=960 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728706596.069:337): avc:  denied  { name_bind } for  pid=15404 comm="pool" src=740 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728706596.070:338): avc:  denied  { name_bind } for  pid=15404 comm="pool" src=740 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728799186.648:25068): avc:  denied  { unlink } for  pid=2494955 comm="systemd-user-ru" name="1393" dev="tmpfs" ino=13547767 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=file permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1728799186.648:25069): avc:  denied  { unlink } for  pid=2494955 comm="systemd-user-ru" name="43" dev="tmpfs" ino=45849 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=file permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

And after I executed audit2allow -a, I got:

#============= geoclue_t ==============
allow geoclue_t hi_reserved_port_t:udp_socket name_bind;

#============= systemd_logind_t ==============
allow systemd_logind_t session_dbusd_tmp_t:file unlink;

Is there any problem with geoclue or with rpcbind?
Looking for your reply.
Best wishes

Thank you for your reply~
In my system, I use Rocky Linux 8.10, and my info about geoclue is:

geoclue2-2.5.5-2.el8.x86_64

This problem happens after I set up the NFS client to mount each user’s home directory, and sometimes happens after I mount other NFS directories. I use NIS to implement the auth.
Is there any information you need to help me solve this problem?
Looking forward to your kindly reply.
Best wishes

Normally if audit2why says about generating a loadable module, when we use audit2allow it should also give commands on how to generate that module. However, your audit2allow output doesn’t show that, so I don’t know if you didn’t copy all the information from the output, or it’s not showing it for some reason.

I am sure that this is all the output information. Could you help me find the reason why it’s not showing the commands on how to generate that module?

You can try this:

grep geoclue /var/log/audit/audit.log | audit2allow -M geoclue
semodule -i geoclue.pp

There are, by default, some events that are not logged. The “dontaudit” events.
See man semanage-dontaudit and Chapter 5. Troubleshooting problems related to SELinux | Red Hat Product Documentation

Alas, if your denied accesses were such, then audit2why could not list them, since they would not be in the log.
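What the earlier audit2why -a / audit2allow -a step and the audit2allow -M geoclue step above actually do with AVC records like the ones posted in this thread, as an added illustration written for this page (not code from the thread or from the audit2allow project): parse the raw AVC lines, map each bound port to its SELinux port type, collapse the denials into allow rules, and emit the .te module source that audit2allow -M hands to checkmodule. The sample log lines are constructed from the records posted above, and the PORT_LABELS table is an assumption in the shape of semanage port -l output on RHEL-family hosts; the real mapping must be read from the host being debugged.

```python
"""Added illustration of what audit2allow does with AVC records like the ones
in this thread. Not part of the thread or of the audit2allow project."""
import re

# Constructed sample log, modelled on the thread's records (spacing varies
# the way the real audit log does). Embedded so the script runs offline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1728705440.476:567): avc: denied { name_bind } for pid=13928 comm="pool" src=960 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1728705440.476:567): arch=c000003e syscall=49 success=no exit=-13 comm="pool" exe="/usr/libexec/geoclue"
type=AVC msg=audit(1728706596.069:337): avc:  denied  { name_bind } for  pid=15404 comm="pool" src=740 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1728799186.648:25068): avc:  denied  { unlink } for  pid=2494955 comm="systemd-user-ru" name="1393" dev="tmpfs" ino=13547767 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=file permissive=0
"""

# Assumed UDP port labelling, in the shape `semanage port -l` prints on
# RHEL-family hosts. Read the real table from the host you are debugging.
PORT_LABELS = [
    ("reserved_port_t", "udp", 1, 511),
    ("hi_reserved_port_t", "udp", 512, 1023),
    ("unreserved_port_t", "udp", 1024, 65535),
]

AVC_RE = re.compile(r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+"
                    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """system_u:system_r:geoclue_t:s0 -> geoclue_t (the type is field 3)."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC record; SYSCALL and other records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "decision": m.group("decision"),
            "perms": m.group("perms").split(),
            "source_type": context_type(f["scontext"]),
            "target_type": context_type(f["tcontext"]),
            "tclass": f["tclass"],
            "comm": f.get("comm"),
            "src_port": int(f["src"]) if "src" in f else None,
            "permissive": f.get("permissive") == "1",
        })
    return records


def port_label(port, proto="udp"):
    """Map a port number to its SELinux port type using PORT_LABELS."""
    for label, p, lo, hi in PORT_LABELS:
        if p == proto and lo <= port <= hi:
            return label
    return None


def name_bind_ports(records):
    """(comm, port, label) for every name_bind denial: shows that the
    changing port numbers all land in the same labelled range."""
    return [(r["comm"], r["src_port"], port_label(r["src_port"]))
            for r in records
            if r["decision"] == "denied" and "name_bind" in r["perms"]]


def fmt_perms(perms):
    """One permission bare, several inside braces, as policy syntax wants."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(records):
    """Collapse denials into unique allow rules, as `audit2allow -a` prints."""
    rules = {}
    for r in records:
        if r["decision"] == "denied":
            key = (r["source_type"], r["target_type"], r["tclass"])
            rules.setdefault(key, set()).update(r["perms"])
    return ["allow %s %s:%s %s;" % (s, t, c, fmt_perms(p))
            for (s, t, c), p in rules.items()]


def te_module(name, records, version="1.0"):
    """Build the .te source that `audit2allow -M name` hands to checkmodule."""
    types, classes, by_source = set(), {}, {}
    for r in records:
        if r["decision"] != "denied":
            continue
        types.update((r["source_type"], r["target_type"]))
        classes.setdefault(r["tclass"], set()).update(r["perms"])
        by_source.setdefault(r["source_type"], []).append(r)
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s %s;" % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for src, recs in sorted(by_source.items()):
        out += ["#============= %s ==============" % src] + allow_rules(recs) + [""]
    return "\n".join(out)


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT_LOG)
    for comm, port, label in name_bind_ports(recs):
        print("%s bound udp/%d -> %s" % (comm, port, label))
    print(te_module("geoclue", [r for r in recs if r["source_type"] == "geoclue_t"]))
```

Two things this makes visible. First, the ports 960, 740 and 1005 seen across restarts all fall inside the single hi_reserved_port_t range, which is why the denial is the same every time even though the number changes. Second, the generated rule grants geoclue_t name_bind on the whole of that labelled range, not on one port; before running semodule -i on the .pp, read the .te and decide whether that breadth is acceptable, and keep the module under version control so it can be removed with semodule -r once the underlying cause is understood.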

Thank you for your kind reply~

When I executed grep geoclue /var/log/audit/audit.log | audit2allow -M geoclue, I got:

[root@thehost ~]# grep geoclue /var/log/audit/audit.log | audit2allow -M geoclue
Nothing to do

Is this correct?
Best Regards

Looks like there is no violation to fix, it was just something to try to see. Obviously that will be why the audit2allow results didn’t suggest anything.

Therefore it doesn’t look like selinux is the problem here.

Thank you for your reply~
After I set dontaudit, I got many SELinux messages about the name bind:


Is there any help?