Description of problem:
SELinux is preventing dnssec-triggerd from 'module_request' accesses on the system Unknown.

*****  Plugin disable_ipv6 (53.1 confidence) suggests  **********************

If you want to disable IPV6 on this machine
Then you need to set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and do not blacklist the module
Do
add net.ipv6.conf.all.disable_ipv6 = 1 to /etc/sysctl.conf

*****  Plugin catchall_boolean (42.6 confidence) suggests  ******************

If you want to allow domain to kernel load modules
Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.
You can read 'None' man page for more details.
Do
setsebool -P domain_kernel_load_modules 1

*****  Plugin catchall (5.76 confidence) suggests  **************************

If you believe that dnssec-triggerd should be allowed module_request access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dnssec-triggerd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dnssec_trigger_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        dnssec-triggerd
Source Path                   dnssec-triggerd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-105.20.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.4-100.fc21.x86_64 #1 SMP Tue Aug 4 03:25:05 UTC 2015 x86_64 x86_64
Alert Count                   8
First Seen                    2015-08-09 11:24:45 PDT
Last Seen                     2015-08-09 11:25:06 PDT
Local ID                      dc8c860e-dc89-47c3-9002-95203200e324

Raw Audit Messages
type=AVC msg=audit(1439144706.312:424): avc: denied { module_request } for pid=1201 comm="dnssec-triggerd" kmod="net-pf-10" scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Hash: dnssec-triggerd,dnssec_trigger_t,kernel_t,system,module_request

Version-Release number of selected component:
selinux-policy-3.13.1-105.20.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.1.4-100.fc21.x86_64
type:           libreport
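As an added example (not part of this bug report, nor of dnssec-trigger or setroubleshoot), the following Python script parses the raw AVC record above and pulls out the two facts a reviewer needs before choosing between the suggested fixes: which kernel module alias the denied module_request was for (net-pf-10 is the alias the kernel requests when a socket is created for address family 10, AF_INET6), and the single allow rule a local policy module would need, which is scoped to dnssec_trigger_t only. The sample AVC line is copied from the report; the NET_PF_FAMILIES table and all function names are my own.

```python
import re

# Sample input, copied from the "Raw Audit Messages" section of this report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1439144706.312:424): avc:  denied  { module_request } '
    'for  pid=1201 comm="dnssec-triggerd" kmod="net-pf-10" '
    'scontext=system_u:system_r:dnssec_trigger_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0'
)

# Address-family numbers behind the kernel's "net-pf-N" module aliases
# (values from <linux/socket.h>; only the families this example needs).
NET_PF_FAMILIES = {2: "AF_INET", 10: "AF_INET6"}

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into a dict of its key=value fields plus result/perms."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    return fields


def domain_of(context):
    """Return the type component of a context: user:role:type:level -> type."""
    return context.split(':')[2]


def describe_module_request(avc):
    """Explain a module_request denial in terms of the module alias requested."""
    if avc.get('tclass') != 'system' or 'module_request' not in avc['perms']:
        return None
    kmod = avc.get('kmod', '')
    m = re.fullmatch(r'net-pf-(\d+)', kmod)
    if m:
        family = NET_PF_FAMILIES.get(int(m.group(1)), 'unknown family')
        return f"socket() for {family} triggered autoload of module alias {kmod}"
    return f"autoload of module alias {kmod}"


def minimal_te_rule(avc):
    """The one allow rule a local module for this AVC needs: source domain only."""
    src = domain_of(avc['scontext'])
    tgt = domain_of(avc['tcontext'])
    return f"allow {src} {tgt}:{avc['tclass']} {' '.join(avc['perms'])};"


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(describe_module_request(avc))
    print(minimal_te_rule(avc))
```

The rule printed by minimal_te_rule is confined to dnssec_trigger_t, whereas the domain_kernel_load_modules boolean suggested by the catchall_boolean plugin is a policy-wide setting that is not limited to this one domain; that difference in scope is why a local module is the narrower of the two options when an allow rule is wanted at all.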
dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf You can reproduce this by putting "ipv6.disable=1" in the kernel command line. Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the security provided by SELinux so it is not an option. Would appreciate a fix. Thanks.
Dnssec-trigger uses the standard system socket API and checks for failures. If IPv6 is not available, the call should fail and dnssec-trigger can cope with it. This has been discussed upstream and nobody thinks that Unbound, dnssec-trigger, or any other tool should read the system configuration files or paths and make decisions whether to use IPv6 or not based on this. If you are not happy with the kernel loading the module, please work with the kernel maintainers on resolving the fact that the kernel tries to load the IPv6 module even though you've disabled it. If you are not happy with SELinux, please work with the SELinux developer. There is nothing to change or improve from Unbound's or dnssec-trigger's point of view.

*** This bug has been marked as a duplicate of bug 641836 ***