I configured Rocky Linux 8 as a NIS client and NFS client, mounting the /home/$USER directories. NIS works properly. The NFS directories mount properly and are accessible as normal. But every time I restart Rocky Linux 8, I get a SELinux message about:
SELinux is preventing /usr/libexec/geoclue from name_bind access on the udp_socket port 960.
If you believe that geoclue should be allowed name_bind access on the port 960 udp_socket by default.
You should report this as a bug. You can generate a local policy module to allow this access.
type=AVC msg=audit(1728705440.476:567): avc: denied { name_bind } for pid=13928 comm="pool" src=960 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1728705440.476:567): arch=c000003e syscall=49 success=no exit=-13 a0=b a1=7fa03affbd00 a2=10 a3=7fa03affbd1c items=0 ppid=1 pid=13928 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="pool" exe="/usr/libexec/geoclue" subj=system_u:system_r:geoclue_t:s0 key=(null)
And the port changes after each restart. How do I fix this? I do not want to disable SELinux for safety reasons.
Thank you for your help~
After I executed audit2why -a, I got the following output:
type=AVC msg=audit(1728668834.710:362): avc: denied { name_bind } for pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728668834.711:363): avc: denied { name_bind } for pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728669237.231:538): avc: denied { name_bind } for pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728669237.232:539): avc: denied { name_bind } for pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728704673.392:9310): avc: denied { name_bind } for pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728704673.393:9311): avc: denied { name_bind } for pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728704750.116:9363): avc: denied { name_bind } for pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728704750.117:9364): avc: denied { name_bind } for pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728704862.725:9412): avc: denied { name_bind } for pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728704862.726:9413): avc: denied { name_bind } for pid=14397 comm="pool" src=1005 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728705158.353:350): avc: denied { name_bind } for pid=13928 comm="pool" src=960 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728705158.354:351): avc: denied { name_bind } for pid=13928 comm="pool" src=960 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728705440.476:566): avc: denied { name_bind } for pid=13928 comm="pool" src=960 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728705440.476:567): avc: denied { name_bind } for pid=13928 comm="pool" src=960 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728706596.069:337): avc: denied { name_bind } for pid=15404 comm="pool" src=740 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728706596.070:338): avc: denied { name_bind } for pid=15404 comm="pool" src=740 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728799186.648:25068): avc: denied { unlink } for pid=2494955 comm="systemd-user-ru" name="1393" dev="tmpfs" ino=13547767 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1728799186.648:25069): avc: denied { unlink } for pid=2494955 comm="systemd-user-ru" name="43" dev="tmpfs" ino=45849 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
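The audit2why output above is long but repetitive: every geoclue record differs only in the port (1005, 960, 740) and the PID, while the source type, target type and class are identical. The following script, added here as an example and not code from the thread or from the geoclue or SELinux projects, parses AVC lines of that shape, lists the denied ports per source type, and derives the allow rule audit2allow would emit from them. The sample records are constructed from the lines posted above; the range-to-type mapping in default_port_type() is an assumption that mirrors the generic portcon entries of the stock Rocky/RHEL policy and should be confirmed on the box with `seinfo --portcon PORT`.

```python
"""Triage SELinux AVC denials from an audit log and derive the TE rule audit2allow would propose.

Added example, not code from the original thread. SAMPLE_AUDIT is constructed from AVC lines
posted in the thread; the port ranges in default_port_type() are an assumption mirroring the
generic portcon entries of the stock Rocky/RHEL policy (verify with `seinfo --portcon PORT`).
"""
import re
from collections import defaultdict

# Constructed sample: three AVC records taken from the thread, plus one SYSCALL line (ignored).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1728705440.476:567): avc: denied { name_bind } for pid=13928 comm="pool" src=960 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1728705440.476:567): arch=c000003e syscall=49 success=no exit=-13 pid=13928 comm="pool" exe="/usr/libexec/geoclue"
type=AVC msg=audit(1728706596.069:337): avc: denied { name_bind } for pid=15404 comm="pool" src=740 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1728799186.648:25068): avc: denied { unlink } for pid=2494955 comm="systemd-user-ru" name="1393" dev="tmpfs" ino=13547767 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for non-AVC lines (SYSCALL, CWD, ...)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["ts"] = float(m.group("ts"))
    rec["serial"] = int(m.group("serial"))
    rec["perms"] = m.group("perms").split()
    # Contexts are user:role:type:level; TE rules are written against the type field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_records(text):
    """All AVC records in a block of audit log text, in file order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def default_port_type(port):
    """Generic type of a port that has no specific portcon (assumed stock-policy ranges)."""
    if 1 <= port <= 511:
        return "reserved_port_t"
    if 512 <= port <= 1023:
        return "hi_reserved_port_t"
    return "unreserved_port_t"


def denied_ports(records, stype):
    """Distinct ports a source type was denied name_bind on, paired with their generic port type."""
    ports = {int(r["src"]) for r in records
             if r["stype"] == stype and "name_bind" in r["perms"] and "src" in r}
    return [(p, default_port_type(p)) for p in sorted(ports)]


def te_rules(records):
    """Collapse denials into the allow rules audit2allow would emit. Rules are keyed by
    (source type, target type, class) with permissions unioned, so a port that changes
    on every boot still yields a single rule because the port *type* is what matters."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    rules = []
    for (s, t, c), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {perm_str};")
    return rules


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT)
    for rec in recs:
        print(f"{rec['serial']:>6} {rec['comm']:<16} {rec['stype']:<18} -> "
              f"{rec['ttype']}:{rec['tclass']} {rec['perms']}")
    print("geoclue_t denied ports:", denied_ports(recs, "geoclue_t"))
    print("\n".join(te_rules(recs)))
```

Two things worth noticing from the output. First, the changing port is a red herring for policy purposes: 740, 960 and 1005 all fall in the 512-1023 range that the stock policy labels hi_reserved_port_t, so audit2allow would propose one rule, `allow geoclue_t hi_reserved_port_t:udp_socket name_bind;`, not one per port. Second, that rule lets geoclue_t bind any UDP port with that label, which is wider than the single port seen in any one boot. If you do decide a module is needed, `audit2allow -M local_geoclue` builds it from the same AVC input and `semodule -i local_geoclue.pp` loads it; but as the later replies in this thread point out, check first whether the denial is actually breaking anything before loosening the policy.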
Thank you for your reply~
In my system, I use Rocky Linux 8.10, and my info about geoclue is:
geoclue2-2.5.5-2.el8.x86_64
This problem happens after I set up the NFS client to mount the home directory of each user, and sometimes happens after I mount other NFS directories. I use NIS to implement the authentication.
Is there any information you need to help me solve this problem?
Looking forward to your kind reply.
Best wishes
Normally, if audit2why talks about generating a loadable module, then when we use audit2allow it should also give commands on how to generate that module. However, your audit2allow output doesn't show that, so I don't know if you didn't copy all the information from the output, or if it's not showing it for some reason.
I am sure that this is all of the output. Could you help me find the reason why it's not showing the commands on how to generate that module?
Looks like there is no violation to fix, it was just something to try to see. Obviously that will be why the audit2allow results didn’t suggest anything.
Therefore it doesn’t look like selinux is the problem here.