I ran something similar for the upstream report. Okay, audit2allow now says:

#============= rpcd_t ==============
allow rpcd_t nfs_port_t:tcp_socket name_bind;
allow rpcd_t nfs_port_t:udp_socket name_bind;
allow rpcd_t nfsd_fs_t:dir search;
allow rpcd_t nfsd_fs_t:file { open read };

Or the raw log, if that's more what you want:

type=AVC msg=audit(1692348946.100:70): avc: denied { name_bind } for pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:70): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=55ac43c8da00 a2=10 a3=7ffdfc06cff0 items=0 ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116 fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd" FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:70): proctitle="/sbin/rpc.statd"
type=AVC msg=audit(1692348946.100:71): avc: denied { name_bind } for pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:71): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=55ac43c8da00 a2=10 a3=7ffdfc06cff0 items=0 ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116 fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd" FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:71): proctitle="/sbin/rpc.statd"
type=AVC msg=audit(1692348946.100:72): avc: denied { name_bind } for pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:72): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=55ac43c8f080 a2=1c a3=7ffdfc06cff0 items=0 ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116 fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd" FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:72): proctitle="/sbin/rpc.statd"
type=AVC msg=audit(1692348946.100:73): avc: denied { name_bind } for pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:73): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=55ac43c8f080 a2=1c a3=7ffdfc06cff0 items=0 ppid=681 pid=687 auid=4294967295 uid=116 gid=65534 euid=116 suid=116 fsuid=116 egid=65534 sgid=65534 fsgid=65534 tty=(none) ses=4294967295 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="statd" GID="nogroup" EUID="statd" SUID="statd" FSUID="statd" EGID="nogroup" SGID="nogroup" FSGID="nogroup"
type=PROCTITLE msg=audit(1692348946.100:73): proctitle="/sbin/rpc.statd"
type=SERVICE_START msg=audit(1692348946.100:74): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpc-statd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1692348946.184:85): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpc-statd-notify comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

On Thu, 2023-08-24 at 23:47 +1000, Russell Coker wrote:
> > This all works fine in permissive mode and there is nothing
> > reported by audit2allow on the log file.
>
> Please run "semodule -DB" and then reproduce the problem. The -D
> option means to remove dontaudit rules and the -B option means to
> rebuild the policy that is loaded into the kernel. After that you
> will get lots of messages you previously didn't get, and you can
> grep /var/log/audit/audit.log for the relevant ones.
>
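As an added example (not from this thread, and not the code of audit2allow or any SELinux tool), the script below does by hand what the audit2allow step in the exchange above does: it reads AVC denial records, merges the permissions per (source type, target type, class) into allow rules, and separately pulls out the port number behind every name_bind denial. The sample input is constructed for this example: the three port records copy the contexts, class and port from the denials posted above, while the two nfsd_fs_t records are made up in shape only so that the output matches all four rules audit2allow printed (the thread does not show those raw records, so no path field is included).

```python
"""Merge AVC denials into allow rules and list the ports behind name_bind
denials.  Added example, not code from Debian, SELinux or audit2allow."""
import re
from collections import defaultdict

# Constructed sample input (see the lead-in).  The SYSCALL line is there
# to show that non-AVC records are skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1692348946.100:70): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(1692348946.100:70): arch=c000003e syscall=49 success=no exit=-13 comm="rpc.statd" exe="/usr/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1692348946.100:71): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1692348946.100:72): avc:  denied  { name_bind } for  pid=687 comm="rpc.statd" src=4001 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfs_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1692348946.100:90): avc:  denied  { search } for  pid=687 comm="rpc.statd" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1692348946.100:91): avc:  denied  { read open } for  pid=687 comm="rpc.statd" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=file permissive=0
"""

# Fields that matter for a rule: the permission set inside the braces, the
# source and target contexts, and the object class.
AVC_RE = re.compile(
    r"type=AVC .*avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:range] -> type, e.g. system_u:system_r:rpcd_t:s0 -> rpcd_t."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return one dict per AVC 'denied' record; other record types are ignored."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = set(d["perms"].split())
        src = re.search(r"\bsrc=(\d+)", line)          # port for name_bind/name_connect
        d["src_port"] = int(src.group(1)) if src else None
        perm = re.search(r"\bpermissive=([01])", line)
        d["permissive"] = perm.group(1) == "1" if perm else None
        denials.append(d)
    return denials


def allow_rules(denials):
    """Merge denials into audit2allow-style rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for d in denials:
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        merged[key] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def port_bindings(denials):
    """(source type, port type) -> set of port numbers that hit a name_bind denial.

    These are the rules to look at by hand before loading them: a name_bind
    denial can mean the port label is wrong for the daemon that uses it, which
    is fixed by relabelling the port, not by granting the domain the port type."""
    out = defaultdict(set)
    for d in denials:
        if "name_bind" in d["perms"] and d["src_port"] is not None:
            out[(type_of(d["scontext"]), type_of(d["tcontext"]))].add(d["src_port"])
    return dict(out)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for rule in allow_rules(found):
        print(rule)
    for (src, tgt), ports in port_bindings(found).items():
        print(f"# {src} tried to bind {tgt} port(s): {sorted(ports)}")
```

On the sample input this prints the same four rules as the audit2allow output quoted above, followed by the note that rpcd_t tried to bind port 4001 labelled nfs_port_t. The point of the second function is the check a practitioner wants before turning name_bind rules into a module: compare the port against the current labelling (semanage port -l) and decide whether the domain really should own that port type or the port should carry a different label.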