Description of problem:
I already have net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

SELinux is preventing unbound-anchor from 'module_request' accesses on the system Unknown.

*****  Plugin disable_ipv6 (53.1 confidence) suggests   **********************

If you want to disable IPV6 on this machine
Then you need to set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and do not blacklist the module'
Do
add net.ipv6.conf.all.disable_ipv6 = 1 to /etc/sysctl.conf

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow domain to kernel load modules
Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.
You can read 'None' man page for more details.
Do
setsebool -P domain_kernel_load_modules 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that unbound-anchor should be allowed module_request access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep unbound-anchor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        unbound-anchor
Source Path                   unbound-anchor
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-105.13.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.5-200.fc21.x86_64 #1 SMP Mon Jun 8 16:25:02 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-06-15 09:35:45 PDT
Last Seen                     2015-06-15 09:35:45 PDT
Local ID                      2a0fba7e-5d3a-48eb-9800-26dccda3f73a

Raw Audit Messages
type=AVC msg=audit(1434386145.479:906): avc:  denied  { module_request } for  pid=22470 comm="unbound-anchor" kmod="net-pf-10" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Hash: unbound-anchor,named_t,kernel_t,system,module_request

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.5-200.fc21.x86_64
type:           libreport
*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow domain to kernel load modules
Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.
You can read 'None' man page for more details.
Do
setsebool -P domain_kernel_load_modules 1
(In reply to Lukas Vrabec from comment #1)
> *****  Plugin catchall_boolean (42.6 confidence) suggests   ******************
> 
> If you want to allow domain to kernel load modules
> Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.
> You can read 'None' man page for more details.
> Do
> setsebool -P domain_kernel_load_modules 1

Doing that would reduce the security provided by SELinux.

The real bug here is that unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

You can reproduce this by putting "ipv6.disable=1" in the grub startup config.

Sorry but I just don't trust IPV6 right now. :)
*** Bug 1251763 has been marked as a duplicate of this bug. ***
Moez,

I think this also needs to be disabled within the application. Does setting 'do-ip6: no' in unbound.conf clear the messages?

173 # Enable IPv6, "yes" or "no".
174 # do-ip6: yes
(In reply to Simon Sekidde from comment #4)
> Moez,
> 
> I think this also needs to be disabled within the application. Does setting
> 'do-ip6: no' in unbound.conf clear the messages?
> 
> 173 # Enable IPv6, "yes" or "no".
> 174 # do-ip6: yes

I changed the /etc/unbound/unbound.conf to:

# Enable IPv6, "yes" or "no".
do-ip6: no

And then I did:

service unbound start

and SELinux still popped up:

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        unbound-anchor
Source Path                   unbound-anchor
Port                          <Unknown>
Host                          j
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-105.21.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     j
Platform                      Linux j 4.1.10-100.fc21.x86_64 #1 SMP Mon Oct 5 14:21:25 UTC 2015 x86_64 x86_64
Alert Count                   25
First Seen                    2015-11-05 10:49:09 PST
Last Seen                     2015-11-05 10:49:09 PST
Local ID                      ed7502a2-234f-4a0c-9518-9b6377d6b82e

Raw Audit Messages
type=AVC msg=audit(1446749349.340:606): avc:  denied  { module_request } for  pid=3568 comm="unbound-anchor" kmod="net-pf-10" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Hash: unbound-anchor,named_t,kernel_t,system,module_request
A little research says:

test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"

There should be no output if IPv6 is disabled.

Source: https://askubuntu.com/questions/309461/how-to-disable-ipv6-permanently

Maybe unbound & dnssec-trigger can use this way to test whether to use IPv6 or not?

Same with SELinux: can it ignore the AVCs (as it is doing its job properly) using the above test method?
Unbound uses the standard system socket API and checks for failures. If IPv6 is not available, the call should fail and Unbound can cope with it.

This has been discussed upstream, and nobody thinks that Unbound or any other tool should read the system configuration files or paths and make decisions about whether to use IPv6 based on that.

If you are not happy with the kernel loading the module, please work with the kernel maintainers on resolving the fact that the kernel tries to load the IPv6 module even though you've disabled it. If you are not happy with SELinux, please work with the SELinux developers.

There is nothing to change or improve from Unbound's or dnssec-trigger's point of view.

*** This bug has been marked as a duplicate of bug 641836 ***
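To make comments #6 and #7 concrete, the following Python script is an added example; it is not code from this bug, from Unbound or from setroubleshoot. It puts the /proc/net/if_inet6 check from comment #6 next to the socket-API probe that comment #7 says Unbound relies on, and adds a small parser for the raw AVC record quoted in the report so that a log-triage rule can single out exactly this denial (a module_request for kmod "net-pf-10", which is the kernel's module alias for protocol family 10, PF_INET6, raised from the named_t domain). The socket_factory parameter, the _unsupported_family stand-in and the second sample line marked as constructed are assumptions introduced for the example.

```python
import errno
import os
import re
import socket

# SAMPLE_DENIAL is the raw audit record from this report.  SAMPLE_OTHER is a
# constructed record with the same permission and contexts but a different
# module alias; the triage rule below must leave it alone.
SAMPLE_DENIAL = (
    'type=AVC msg=audit(1434386145.479:906): avc:  denied  { module_request } '
    'for  pid=22470 comm="unbound-anchor" kmod="net-pf-10" '
    'scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:kernel_t:s0 '
    'tclass=system permissive=0'
)
SAMPLE_OTHER = (
    'type=AVC msg=audit(1434386200.000:907): avc:  denied  { module_request } '
    'for  pid=4242 comm="example-daemon" kmod="example-mod" '
    'scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:kernel_t:s0 '
    'tclass=system permissive=0'
)


def ipv6_proc_present(proc_path="/proc/net/if_inet6"):
    """Comment #6's heuristic: the file exists once the ipv6 protocol module is
    loaded.  It is a statement about the module, not about the disable_ipv6
    sysctl, and it never touches the socket layer, so it cannot trigger a
    module autoload."""
    return os.path.exists(proc_path)


def ipv6_socket_available(socket_factory=socket.socket):
    """Comment #7's approach: ask the socket API and treat 'address family not
    supported' as 'no IPv6 here'.  When no PF_INET6 family is registered, the
    kernel answers this call with a module request for net-pf-10, which is the
    event SELinux records in the AVC above.  socket_factory is a hypothetical
    injection point so the decision logic can be exercised without a kernel."""
    try:
        s = socket_factory(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError as exc:
        if exc.errno in (errno.EAFNOSUPPORT, errno.EPROTONOSUPPORT):
            return False
        raise  # any other failure is a real error, not "IPv6 disabled"
    s.close()
    return True


def _unsupported_family(*_args):
    """Stand-in socket factory behaving like a kernel without IPv6 (assumed)."""
    raise OSError(errno.EAFNOSUPPORT, "Address family not supported by protocol")


# key=value pairs (quoted or bare) and the "{ perms }" set of an AVC record
AVC_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')


def parse_avc(line):
    """Return the AVC record's fields as a dict plus a 'perms' list."""
    fields = {k: v.strip('"') for k, v in AVC_FIELD.findall(line)}
    m = AVC_PERMS.search(line)
    fields["perms"] = m.group(1).split() if m else []
    return fields


def _type_of(context):
    """Extract the type (third field) of an SELinux context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def is_ipv6_autoload_denial(line):
    """Triage rule for the exact pattern in this bug: the resolver domain asking
    the kernel to load the PF_INET6 family.  On a host where IPv6 is disabled
    on purpose this is expected noise; anything that does not match every
    field stays in the analyst's queue."""
    f = parse_avc(line)
    return (
        "module_request" in f["perms"]
        and f.get("kmod") == "net-pf-10"
        and f.get("tclass") == "system"
        and _type_of(f.get("scontext", "")) == "named_t"
        and _type_of(f.get("tcontext", "")) == "kernel_t"
    )


if __name__ == "__main__":
    print("ipv6 module present:", ipv6_proc_present())
    print("socket probe, this host:", ipv6_socket_available())
    print("socket probe, no-IPv6 kernel:", ipv6_socket_available(_unsupported_family))
    for rec in (SAMPLE_DENIAL, SAMPLE_OTHER):
        print(parse_avc(rec)["kmod"], "->", is_ipv6_autoload_denial(rec))
```

Run as a script it prints the module check, both probe outcomes and the verdict for each sample record. Note that the socket probe is the one that causes the module request in the first place, which is why the two sides of the thread disagree: the probe is correct API usage, and the AVC is the policy correctly refusing the autoload that the probe provokes.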