I emerged net-nds/portmap-5b-r9 (sec-policy/selinux-portmap-20050908 is a DEPEND), and started portmap by the init.d script. However, I am unable to mount NFS filesystems.

Oct 17 12:39:26 dynamo audit(1129567166.048:821): avc: denied { udp_send } for pid=18959 comm="mount" saddr=127.0.0.1 src=800 daddr=127.0.0.1 dest=111 netif=lo scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:netif_lo_t tclass=netif
Oct 17 12:39:26 dynamo audit(1129567166.084:822): avc: denied { udp_send } for pid=18959 comm="mount" saddr=128.192.xxx.client src=800 daddr=128.192.xxx.server dest=2049 netif=eth0 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:netif_eth0_t tclass=netif

It appears to first try to contact the portmap daemon, then, failing that, to contact the NFS server directly. Similar results for trying to use TCP (i.e. mount -o proto=tcp):

Oct 17 12:54:19 dynamo audit(1129568059.300:841): avc: denied { udp_send } for pid=19077 comm="mount" saddr=127.0.0.1 src=800 daddr=127.0.0.1 dest=111 netif=lo scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:netif_lo_t tclass=netif
Oct 17 12:54:19 dynamo audit(1129568059.336:842): avc: denied { send_msg } for pid=7 comm="events/1" saddr=128.192.xxx.client src=800 daddr=128.192.xxx.server dest=2049 netif=eth0 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:port_t tclass=tcp_socket

except in this case, it takes a long time to time out (typical NFS/TCP timeout cycle).

Reproducible: Always

Steps to Reproduce:
1. emerge portmap
2. /etc/init.d/portmap start
3. mount <some NFS filesystem>

Actual Results: mount: permission denied

Expected Results: It should have mounted the filesystem.
Portage 2.0.51.22-r3 (selinux/2005.1/x86/hardened, gcc-3.3.6, glibc-2.3.5-r2, 2.6.13-gentoo-r3 i686)
=================================================================
System uname: 2.6.13-gentoo-r3 i686 Pentium III (Coppermine)
Gentoo Base System version 1.6.13
dev-lang/python: 2.3.5, 2.4.2
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.15.92.0.2-r10
sys-devel/libtool: 1.5.20
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mcpu=i686 -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-mcpu=i686 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks loadpolicy sandbox selinux sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://gentoo.terry.uga.edu/gentoo-portage"
USE="berkdb crypt dlloader hardened ldap libwww mysql ncurses nls pam perl pic python readline samba selinux ssl x86 zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

[ Searching for package 'selinux' in all categories among: ]
 * installed packages
[I--] [  ] sec-policy/selinux-base-policy-20050821 (0)
[I--] [  ] sec-policy/selinux-sudo-20050716 (0)
[I--] [  ] sec-policy/selinux-apache-20050211 (0)
[I--] [  ] sec-policy/selinux-mysql-20050605 (0)
[I--] [  ] sec-policy/selinux-portmap-20050908 (0)
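The AVC lines in the report above carry everything needed to see what the policy is missing: the source type (scontext), the target type (tcontext), the object class and the denied permission. The following is an added example, not code from the bug report or from the Gentoo policy packages; it parses those four lines (embedded here as constructed sample input, with the addresses abbreviated exactly as the reporter posted them) and collapses them into the type-enforcement allow rules that would satisfy them, which is what audit2allow does for you on a system that has it. The regular expressions and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC denials quoted in the bug report.
SAMPLE_LOG = """\
Oct 17 12:39:26 dynamo audit(1129567166.048:821): avc: denied { udp_send } for pid=18959 comm="mount" saddr=127.0.0.1 src=800 daddr=127.0.0.1 dest=111 netif=lo scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:netif_lo_t tclass=netif
Oct 17 12:39:26 dynamo audit(1129567166.084:822): avc: denied { udp_send } for pid=18959 comm="mount" saddr=128.192.xxx.client src=800 daddr=128.192.xxx.server dest=2049 netif=eth0 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:netif_eth0_t tclass=netif
Oct 17 12:54:19 dynamo audit(1129568059.300:841): avc: denied { udp_send } for pid=19077 comm="mount" saddr=127.0.0.1 src=800 daddr=127.0.0.1 dest=111 netif=lo scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:netif_lo_t tclass=netif
Oct 17 12:54:19 dynamo audit(1129568059.336:842): avc: denied { send_msg } for pid=7 comm="events/1" saddr=128.192.xxx.client src=800 daddr=128.192.xxx.server dest=2049 netif=eth0 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:port_t tclass=tcp_socket
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None if the line is not one.

    The dict holds the denied permissions under 'perms' plus every key=value
    field (pid, comm, scontext, tcontext, tclass, ...) with quotes stripped.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """system_u:system_r:kernel_t -> kernel_t (the type is the third field;
    a trailing MLS range, if present, is ignored)."""
    return context.split(":")[2]


def needed_rules(log_text):
    """Collapse all denials in log_text into the minimal set of
    'allow <src> <tgt>:<class> <perms>;' rules, merging permissions that
    share source type, target type and class (as audit2allow summarises them)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        grouped[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in needed_rules(SAMPLE_LOG):
        print(rule)
```

The output (three rules, all with kernel_t as the source) shows why mount fails both ways: the in-kernel NFS client, not the mount binary, is doing the sending, and the loaded policy gives kernel_t no network permission for the portmap (111) or NFS (2049) traffic. The rules are a diagnosis, not a fix to paste into a local module: granting kernel_t blanket netif and tcp_socket access would be far broader than what the packaged NFS policy allows, so the right response on this system is to install the policy module that already carries the NFS rules rather than to hand-write them.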
You need selinux-nfs for NFS. It's not currently an rdep of nfs-utils, but that's a separate issue.
Confirming that selinux-nfs + nfs-utils fixes the problem.