Package: selinux-policy-default
Version: 2:2.20221101-10
Severity: important

Dear Maintainer,

When I fix the NFS ports to allow firewalling of NFS Services SELinux prevents rpc.statd or rpc.mountd starting.

Aug 15 12:31:34 deb12 rpc.statd[811]: Version 2.6.2 starting
Aug 15 12:31:34 deb12 rpc.statd[811]: Flags: TI-RPC
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: Could not bind socket: (13) Permission denied
Aug 15 12:31:34 deb12 rpc.statd[811]: failed to create RPC listeners, exiting
.
.
Aug 15 12:31:34 deb12 systemd[1]: rpc-statd.service: Control process exited, code=exited, status=1/FAILURE

Aug 15 12:31:23 deb12 systemd[1]: Mounted run-rpc_pipefs.mount - RPC Pipe File System.
Aug 15 12:31:24 deb12 systemd[1]: Starting nfs-mountd.service - NFS Mount Daemon...
Aug 15 12:31:24 deb12 rpc.mountd[758]: Could not bind socket: (13) Permission denied
Aug 15 12:31:24 deb12 rpc.mountd[758]: Could not bind socket: (13) Permission denied
.
Aug 15 12:31:24 deb12 rpc.mountd[758]: mountd: No V2 or V3 listeners created!
Aug 15 12:31:24 deb12 rpc.mountd[760]: Version 2.6.2 starting
Aug 15 12:31:24 deb12 systemd[1]: Started nfs-mountd.service - NFS Mount Daemon.

I get a bit further if I set these ports in nfs_port_t:

semanage port -l | grep nfs
nfs_port_t                     tcp      4003, 4002, 4001, 2049
nfs_port_t                     udp      4003, 4002, 4001, 2049

And I have applied:

setsebool -P nfs_export_all_rw 1

I now get mountd to start but statd is still failing..

Aug 15 16:29:33 deb12 rpc.statd[695]: Could not bind socket: (13) Permission denied

Also opened this upstream but not sure if an upstream issue, that was probably the wrong thing to do:

https://github.com/SELinuxProject/refpolicy/issues/629

This all works fine in permissive mode and there is nothing reported by audit2allow on the log file.

Thanks

Colin Simpson

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages selinux-policy-default depends on:
ii  libselinux1      3.4-1+b6
ii  libsemanage2     3.4-1+b5
ii  libsepol2        3.4-2.1
ii  policycoreutils  3.4-1
ii  selinux-utils    3.4-1+b6

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  3.4-1+b2
ii  setools      4.4.1-2

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
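
Added example, not part of the original report: a Python triage helper that reads `semanage port -l` output and journal lines in the formats quoted above, counts the bind denials per daemon, and lists pinned ports that do not carry the expected port type. The sample input and the per-daemon port plan (`PLAN`) are constructed assumptions; the report does not say which port each daemon was given.

```python
import re
from collections import Counter

# Constructed sample input in the formats quoted in the report.
SEMANAGE_OUTPUT = """\
SELinux Port Type              Proto    Port Number

nfs_port_t                     tcp      4003, 4002, 4001, 2049
nfs_port_t                     udp      4003, 4002, 4001, 2049
portmap_port_t                 tcp      111
"""
JOURNAL = """\
Aug 15 16:29:30 deb12 rpc.mountd[690]: Version 2.6.2 starting
Aug 15 16:29:33 deb12 rpc.statd[695]: Could not bind socket: (13) Permission denied
Aug 15 16:29:33 deb12 rpc.statd[695]: Could not bind socket: (13) Permission denied
"""
# Assumed daemon-to-port plan (hypothetical, not taken from the report).
PLAN = {"rpc.mountd": [4002], "rpc.statd": [4001, 4000]}

def parse_port_labels(text):
    """Map (proto, port) -> set of port types from `semanage port -l` output."""
    labels = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] not in ("tcp", "udp", "sctp", "dccp"):
            continue  # header, blank line, or anything that is not a port row
        setype, proto, ports = parts
        for item in ports.split(","):
            lo, _, hi = item.strip().partition("-")  # single port or lo-hi range
            for port in range(int(lo), int(hi or lo) + 1):
                labels.setdefault((proto, port), set()).add(setype)
    return labels

def bind_denials(journal):
    """Count EACCES (13) bind failures per daemon in syslog-style lines."""
    pat = re.compile(r"\s(\S+?)\[\d+\]: Could not bind socket: \(13\) Permission denied")
    return Counter(m.group(1) for m in pat.finditer(journal))

def unlabeled(plan, labels, wanted="nfs_port_t"):
    """Return planned (daemon, proto, port) entries that lack the `wanted` type."""
    return [(daemon, proto, port)
            for daemon, ports in plan.items() for port in ports
            for proto in ("tcp", "udp")
            if wanted not in labels.get((proto, port), set())]

if __name__ == "__main__":
    labels = parse_port_labels(SEMANAGE_OUTPUT)
    print("bind denials per daemon:", dict(bind_denials(JOURNAL)))
    print("planned ports without nfs_port_t:", unlabeled(PLAN, labels))
```

A port carrying the expected type only shows how the port is labelled; whether a given daemon's domain may bind to that type is decided by the loaded policy.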