When emerging packages, the various emerge processes try to open sockets and fail.

The parent emerge process started cannot bind to sockets when running in portage_t domain:

type=AVC msg=audit(1577610998.054:41): avc: denied { node_bind } for pid=6445 comm="emerge" saddr=::1 scontext=unconfined_u:unconfined_r:portage_t tcontext=system_u:object_r:node_t tclass=udp_socket permissive=1
type=SYSCALL msg=audit(1577610998.054:41): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=7ffccc49d100 a2=1c a3=7f17a9d1256a items=0 ppid=6407 pid=6445 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="emerge" exe="/usr/bin/python3.6m" subj=unconfined_u:unconfined_r:portage_t key=(null)

When in enforcing mode, emerge also complains about it:

>>> Emerging (1 of 1) app-editors/vim-8.1.1486::gentoo
Unable to configure loopback interface: Permission denied

The later on started emerge child process runs in portage_sandbox_t domain and cannot connect to a socket file:

type=AVC msg=audit(1577611036.546:42): avc: denied { connectto } for pid=18433 comm="x86_64-pc-linux" path="/var/tmp/portage/.portage.6454.net.sock" scontext=unconfined_u:unconfined_r:portage_sandbox_t tcontext=unconfined_u:unconfined_r:portage_t tclass=unix_stream_socket permissive=1
type=PATH msg=audit(1577611036.546:42): item=0 name="/var/tmp/portage/.portage.6454.net.sock" inode=1245198 dev=fd:04 mode=0140700 ouid=250 ogid=250 rdev=00:00 obj=unconfined_u:object_r:portage_tmp_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

The ebuild seems to be successfully built and installed, but not sure if this has any side effects.

Reproducible: Always

Steps to Reproduce:
1. have SELinux in enforcing mode
2. run emerge to install something
3. find the "unable to configure loopback interface" messages in emerge output
4. find the SELinux deny messages in ausearch
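The two AVC denials in the report above, parsed into the source type, target type, class and permission of each, as an added example that is not part of the original report, Portage, or the SELinux policy. The rule-shaped output mirrors what audit2allow prints and is used here only to make the denied access readable; the function names are hypothetical, and the sample holds only the AVC lines copied from the report.

```python
import re
from collections import defaultdict

# AVC records copied from the report above (SYSCALL/PATH records omitted).
SAMPLE = """\
type=AVC msg=audit(1577610998.054:41): avc: denied { node_bind } for pid=6445 comm="emerge" saddr=::1 scontext=unconfined_u:unconfined_r:portage_t tcontext=system_u:object_r:node_t tclass=udp_socket permissive=1
type=AVC msg=audit(1577611036.546:42): avc: denied { connectto } for pid=18433 comm="x86_64-pc-linux" path="/var/tmp/portage/.portage.6454.net.sock" scontext=unconfined_u:unconfined_r:portage_sandbox_t tcontext=unconfined_u:unconfined_r:portage_t tclass=unix_stream_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return a dict for one AVC denial, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group(1).split()
    # key=value pairs; values are either quoted strings or bare tokens.
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)))
    # An SELinux context is user:role:type[:range]; the type is the third field.
    src = fields["scontext"].split(":")[2]
    tgt = fields["tcontext"].split(":")[2]
    return {"perms": perms, "source": src, "target": tgt,
            "tclass": fields["tclass"],
            "comm": fields.get("comm", "").strip('"'),
            "permissive": fields.get("permissive") == "1"}

def summarize(log_text):
    """Group denials by (source type, target type, class), one rule per group."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source"], rec["target"], rec["tclass"])
            grouped[key].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for rule in summarize(SAMPLE):
        print(rule)
```

Both records carry permissive=1, so the access was logged rather than blocked when these lines were captured.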
I am having the exact same problem. As thomasb wrote, the ebuild appears to build and install successfully. I'm wondering if this is an error message I can safely ignore.
It'll be related to the network-sandbox. Whether or not this prevents it from working effectively, I'm not sure. You could write an ebuild which tries to fetch something from the internet in e.g. src_compile and see if it is denied or not; I suspect it will be.