Bug 1231946
| Field | Value |
|---|---|
| Summary | unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf |
| Product | Fedora |
| Reporter | Moez Roy <moez.roy> |
| Component | unbound |
| Assignee | Tomáš Hozza <thozza> |
| Status | CLOSED DUPLICATE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 23 |
| CC | dominick.grift, dwalsh, lvrabec, mgrepl, moez.roy, pj.pandit, plautrba, psimerda, pwouters, ssekidde, thozza |
| Target Milestone | --- |
| Keywords | Reopened |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:e9b933391780ee166db5a04551940ab77730d4ffb0ff878a7ba741d5877c5a91 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2015-11-12 15:10:01 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 883152 |
Description
Moez Roy
2015-06-15 16:39:07 UTC
***** Plugin catchall_boolean (42.6 confidence) suggests ******************

If you want to allow domain to kernel load modules
Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.
You can read 'None' man page for more details.
Do
    setsebool -P domain_kernel_load_modules 1

(In reply to Lukas Vrabec from comment #1)
> ***** Plugin catchall_boolean (42.6 confidence) suggests ******************
>
> If you want to allow domain to kernel load modules
> Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.
> You can read 'None' man page for more details.
> Do
> setsebool -P domain_kernel_load_modules 1

Doing that would reduce the security provided by SELinux.

The real bug here is that unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

You can reproduce this by putting "ipv6.disable=1" in the grub start up config.

Sorry but I just don't trust IPv6 right now. :)

*** Bug 1251763 has been marked as a duplicate of this bug. ***

Moez,

I think this also needs to be disabled within the application. Does setting 'do-ip6: no' in unbound.conf clear the messages?

    173 # Enable IPv6, "yes" or "no".
    174 # do-ip6: yes

(In reply to Simon Sekidde from comment #4)
> Moez,
>
> I think this also needs to be disabled within the application. Does setting
> 'do-ip6: no' in unbound.conf clear the messages?
>
> 173 # Enable IPv6, "yes" or "no".
> 174 # do-ip6: yes

I changed the /etc/unbound/unbound.conf to:

    # Enable IPv6, "yes" or "no".
    do-ip6: no

And then I did:

    service unbound start

and SELinux still popped up:

    Additional Information:
    Source Context                system_u:system_r:named_t:s0
    Target Context                system_u:system_r:kernel_t:s0
    Target Objects                Unknown [ system ]
    Source                        unbound-anchor
    Source Path                   unbound-anchor
    Port                          <Unknown>
    Host                          j
    Source RPM Packages
    Target RPM Packages
    Policy RPM                    selinux-policy-3.13.1-105.21.fc21.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     j
    Platform                      Linux j 4.1.10-100.fc21.x86_64 #1 SMP Mon Oct 5 14:21:25 UTC 2015 x86_64 x86_64
    Alert Count                   25
    First Seen                    2015-11-05 10:49:09 PST
    Last Seen                     2015-11-05 10:49:09 PST
    Local ID                      ed7502a2-234f-4a0c-9518-9b6377d6b82e

    Raw Audit Messages
    type=AVC msg=audit(1446749349.340:606): avc: denied { module_request } for pid=3568 comm="unbound-anchor" kmod="net-pf-10" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

    Hash: unbound-anchor,named_t,kernel_t,system,module_request

A little research says:

    test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"

There should be no output if IPv6 is disabled.

Source: https://askubuntu.com/questions/309461/how-to-disable-ipv6-permanently

Maybe unbound & dnssec-trigger can use this way to test whether to use IPv6 or not? Same with SELinux, it can ignore the AVCs (as it is doing its job properly) using the above test method?

Unbound uses standard system socket API and checks for failures. If the IPv6 is not available, the call should fail and Unbound can cope with it. This has been discussed in upstream and nobody thinks that Unbound nor any other tool should read the system configuration files or paths and make decisions whether to use IPv6 or not, based on this.

If you are not happy with kernel loading the module, please work with the Kernel maintainers on resolving the fact that kernel tries to load IPv6 module even though you've disabled it.
If you are not happy with the SELinux, please work with the SELinux developer. There is nothing to change or improve from Unbound's or dnssec-trigger's point of view.

*** This bug has been marked as a duplicate of bug 641836 ***
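The two IPv6 checks debated in this thread, side by side, as an added example that is not code from the bug, from Unbound or from unbound-anchor: the socket-API probe the maintainer describes (on a kernel whose IPv6 stack is not loaded, that socket() call is what makes the kernel request the net-pf-10 module, which is the module_request the AVC above records), the /proc/net/if_inet6 test from the reporter's comment, and an IPv4 fallback gated by a do_ip6 flag modelled on the unbound.conf setting Simon mentions. All function names are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Probe IPv6 through the socket API, as the maintainer describes. On a kernel
 * whose IPv6 stack is not loaded, this socket() call is what makes the kernel
 * request the "net-pf-10" module: the module_request in the AVC above. sysctl
 * disable_ipv6=1 leaves the stack loaded, so the call still succeeds there;
 * ipv6.disable=1 on the kernel command line makes it fail with EAFNOSUPPORT.
 * Returns 1 if usable, 0 if the family is unsupported, -1 on other errors. */
int probe_ipv6_socket(void)
{
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    if (errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT)
        return 0;
    return -1;
}

/* The reporter's check: /proc/net/if_inet6 exists only once the IPv6 stack is
 * loaded. It never triggers a module load, but it also does not tell you
 * whether IPv6 is usable (with disable_ipv6=1 the file exists and is empty). */
int ipv6_kernel_ready(void)
{
    struct stat st;
    return stat("/proc/net/if_inet6", &st) == 0;
}

/* Pick a family for a new socket. do_ip6 models the unbound.conf "do-ip6"
 * setting from the thread (hypothetical here): when it is off, skip the probe
 * entirely so no module request is made; otherwise fall back to IPv4. */
int pick_family(int do_ip6)
{
    if (!do_ip6 || probe_ipv6_socket() != 1)
        return AF_INET;
    return AF_INET6;
}

int main(void)
{
    printf("if_inet6 present: %d, socket probe: %d, family with do-ip6 on: %s\n",
           ipv6_kernel_ready(), probe_ipv6_socket(),
           pick_family(1) == AF_INET6 ? "AF_INET6" : "AF_INET");
    return 0;
}
```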