Isn't there a better way to do this?  Any chance this functionality could be moved to the init script or a separate executable.  We try to limit the amount of processes that can modify the kernel.

This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

I'll be retesting with F11.
It should happen before F9's EOL.

The bug is still there in F11.

When starting radvd without ppp0 existing, radvd prints (twice):

[Jun 28 16:07:06] radvd: ioctl(SIOCGIFADDR) failed for ppp0: No such device
[Jun 28 16:07:06] radvd: interface ppp0 has no IPv4 addresses, disabling 6to4 prefix


And the following shows up in the audit log (also twice):

type=AVC msg=audit(1246223226.836:2573): avc:  denied  { sys_module } for  pid=19423 comm="radvd" capability=16 scontext=unconfined_u:system_r:radvd_t:s0 tcontext=unconfined_u:system_r:radvd_t:s0 tclass=capability

type=SYSCALL msg=audit(1246223226.836:2573): arch=40000003 syscall=54 success=no exit=-19 a0=6 a1=8915 a2=bf8a76fc a3=6 items=0 ppid=19422 pid=19423 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=252 comm="radvd" exe="/usr/sbin/radvd" subj=unconfined_u:system_r:radvd_t:s0 key=(null)


FWIW, the SELinux denial doesn't seem to hurt anything.  When ppp0 comes up, my setup automatically runs /etc/ppp/ip-up.ipv6to4, which picks up "IPV6_CONTROL_RADVD=yes" and makes radvd distribute the new 6to4 prefix fine.

In other words, I'm not in any hurry to allow the sys_module action, whatever it may be trying to do.

Radvd tests an interface defined in the radvd.conf. When the test fails and the modules are not loaded the AVC denial is generated. Radvd doesn't try to load any kernel module.

Radvd is stopped when the interface is not activated independently on AVC denial.

Radvd provides IgnoreIfMissing option that makes possible to continue when interface is not activated. The AVC denial doesn't affect this.

Dan,

then I guess we can dontaudit this.

Yes and I think in F12 it will get the kernel module loaded via a request_module.

Yes, in F12 it will be a request_module instead of a sys_module.

It should be fixed in selinux-policy in rawhide - correct me if I'm wrong. So I'll close it.