I disabled ipv6 using:

# cat /etc/modprobe.d/ipv6.conf
install ipv6 /bin/true

and now I get avcs:

type=AVC msg=audit(1286786023.063:10): avc: denied { module_request } for pid=1283 comm="named" kmod="net-pf-10" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786024.507:12): avc: denied { module_request } for pid=1440 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786024.521:13): avc: denied { module_request } for pid=1441 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786024.581:14): avc: denied { module_request } for pid=1473 comm="sendmail" kmod="net-pf-10" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786024.689:15): avc: denied { module_request } for pid=1484 comm="sendmail" kmod="net-pf-10" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786025.995:16): avc: denied { module_request } for pid=1614 comm="rndc" kmod="net-pf-10" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786026.125:17): avc: denied { module_request } for pid=1474 comm="sendmail" kmod="net-pf-10" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786026.131:18): avc: denied { module_request } for pid=1485 comm="sendmail" kmod="net-pf-10" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786026.163:19): avc: denied { module_request } for pid=1709 comm="rndc" kmod="net-pf-10" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786026.263:20): avc: denied { module_request } for pid=1739 comm="rndc" kmod="net-pf-10" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
Sadly there is not much we can do about this. Are you seeing these as alerts? They should be being blocked. You can turn on the boolean domain_kernel_load_modules, which will allow all confined domains to request the kernel load a module. Turning off ipv6 causes every app that is ipv6 aware to ask the kernel to load the ipv6 module.
Thanks for the response, helpful as ever. The reason I am reporting this is that I will see this problem in RHEL6 when I push for selinux, and I don't want this to be one of those "death by a thousand paper cuts" moments. I am seeing these as alerts. Every time I login. Web browsing with Fedora 14 with a local dns server is really slow unless I disable ipv6. Is it worth reporting a bug against bind? What should I do? I suppose the real problem is that the config option to disable ipv6 isn't really useful.
# setsebool -P domain_kernel_load_modules 1

Will eliminate the messages. I would open a bug report against bind, to see what is going on.
(the bind problem turned out to be spurious)

(In reply to comment #3)
> # setsebool -P domain_kernel_load_modules 1
>
> Will eliminate the messages.

Does this make sense though? I'd like to know when something is trying to load a kernel module, but I'd like ipv6 disabled. There seems to be some overlap (maybe a lot of overlap) here.
*** Bug 669047 has been marked as a duplicate of this bug. ***
(In reply to comment #4)
> (the bind problem turned out to be spurious)
>
> (In reply to comment #3)
> > # setsebool -P domain_kernel_load_modules 1
> >
> > Will eliminate the messages.
>
> Does this make sense though? I'd like to know when something is trying to load
> a kernel module, but I'd like ipv6 disabled. There seems to be some overlap
> (maybe a lot of overlap) here.

Disabling IPv6 on RHEL/Fedora (which I don't advise) has always been a bit voodoo. The initscripts options don't really work because autoconfig happens in the kernel. Rather than disabling the kernel module (which will try to be loaded every time an app opens a dual-mode AF_INET6 socket, as you are seeing), you might try this in /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

This *should* prevent all network interfaces enabling IPv6, and also stop bind doing lookups over IPv6. Another option is to add this to /etc/sysconfig/named:

OPTIONS="-4"

However, you might also want to investigate why IPv6 is timing out - if bind is doing IPv6 lookups then your machine must think it has a valid IPv6 address, and on June 8th you're going to have problems with a lot more than slow DNS (June 8th 2011 is "IPv6 day" when major content providers are going to add AAAA records onto their services for a 24 hour "shakedown" period).
The sysctls only exist if the ipv6 module has been loaded. So it's not an exact workaround....
*** Bug 696256 has been marked as a duplicate of this bug. ***
Shouldn't it be so that either:

Fedora/RHEL supports on-demand loading of ipv6, and SE should thus by default somehow permit "all" processes to load this particular module.

or:

Fedora/RHEL doesn't support on-demand loading of ipv6 and the kernel should somehow be compiled/configured to not try to do that. The boot "scripts" (or systemd) should make sure to load the module before it is used ... if it is used and not disabled.

But what we _really_ need is an official way to disable ipv6 that doesn't show this problem. I don't think it is within scope for Fedora/RHEL to fix or work around all the unfortunate but valid reasons there might be for disabling ipv6.
*** Bug 696371 has been marked as a duplicate of this bug. ***
*** Bug 703733 has been marked as a duplicate of this bug. ***
I know this bug is closed, but even with ipv6 disabled, selinux is reporting errors for sshd and postfix about not being able to load the modules.
Are you getting setroubleshoot messages on this? If so, how are you disabling ipv6? We have tried to make setroubleshoot ignore these avc's if it can figure out you disabled ipv6.
I disabled ipv6 using 3 different methods and only one did prevent the ipv6 module from being loaded, and that is adding "install ipv6 /bin/true" to /etc/modprobe.d/disable-ipv6.conf ... Am I doing something wrong?
I believe the networking kernel community recommends (and it will shut up these AVCs) that IPv6 be disabled by:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

It still loads the module but unhooks almost all of the calls into the module. (apparently the IPv6 module has become so ingrained in the kernel that a number of other things, like certain firewall modules, require it. I didn't design it, I'm just telling it how it is)
*** Bug 722751 has been marked as a duplicate of this bug. ***
Eric Paris reports:

"I believe the networking kernel community recommends (and it will shut up these AVCs) that IPv6 be disabled by:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

It still loads the module but unhooks almost all of the calls into the module. (apparently the IPv6 module has become so ingrained in the kernel that a number of other things, like certain firewall modules, require it. I didn't design it, I'm just telling it how it is)"

We recommend that you do not disable the ipv6 module but add

net.ipv6.conf.all.disable_ipv6 = 1

to /etc/sysctl.conf and the AVC messages should go away. I am updating the setroubleshoot plugin to reflect this info.
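The denials in comment 0 all share one signature: permission module_request, kmod="net-pf-10" (the kernel's autoload alias for protocol family 10, AF_INET6), raised by whichever confined daemon opened an IPv6 socket while the module was blocked. The following is an added example, not the setroubleshoot plugin mentioned above and not code from this bug: it parses AVC records of that shape, counts the IPv6 autoload noise per program, and keeps every other module_request denial for a human to look at. The sample lines are a subset of those in comment 0 plus two constructed records (the "example-daemon" denial and a SYSCALL line) that are not from the report.

```python
"""Triage SELinux AVC denials: separate IPv6 module autoload noise from other module requests."""
import re
from collections import Counter

# Constructed sample: five records copied from the bug report's comment 0, one made-up
# non-IPv6 module_request denial (example-daemon / example-mod) and one non-AVC line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1286786023.063:10): avc: denied { module_request } for pid=1283 comm="named" kmod="net-pf-10" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786024.507:12): avc: denied { module_request } for pid=1440 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786024.521:13): avc: denied { module_request } for pid=1441 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786024.581:14): avc: denied { module_request } for pid=1473 comm="sendmail" kmod="net-pf-10" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786025.995:16): avc: denied { module_request } for pid=1614 comm="rndc" kmod="net-pf-10" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786030.000:21): avc: denied { module_request } for pid=1800 comm="example-daemon" kmod="example-mod" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1286786030.000:21): arch=c000003e syscall=41 success=no exit=-97
"""

# 'avc: denied { perm1 perm2 } for key=value ...' -- the part after 'for' is a flat field list.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
IPV6_KMOD = "net-pf-10"  # module alias the kernel requests for PF_INET6 (family 10)


def parse_avc(line):
    """Return a dict of the denial's permissions and fields, or None for non-AVC lines."""
    match = AVC_RE.search(line)
    if not match:
        return None
    record = {"perms": match.group("perms").split()}
    for key, value in FIELD_RE.findall(match.group("fields")):
        record[key] = value.strip('"')
    return record


def is_ipv6_autoload(record):
    """True when the denial is a confined domain asking the kernel to load the IPv6 module."""
    return "module_request" in record["perms"] and record.get("kmod") == IPV6_KMOD


def triage(lines):
    """Split AVC lines into (Counter of IPv6 autoload denials by comm, list of other denials)."""
    ipv6_noise = Counter()
    others = []
    for line in lines:
        record = parse_avc(line)
        if record is None:
            continue
        if is_ipv6_autoload(record):
            ipv6_noise[record.get("comm", "?")] += 1
        else:
            others.append(record)
    return ipv6_noise, others


if __name__ == "__main__":
    noise, remaining = triage(SAMPLE_AUDIT.splitlines())
    for comm, count in noise.most_common():
        print(f"{comm}: {count} IPv6 module_request denial(s) (module blocked, see disable_ipv6 sysctl)")
    for record in remaining:
        print(f"review: {record.get('comm')} requested kmod {record.get('kmod')} from {record.get('scontext')}")
```

The per-comm counter is what makes the thread's advice actionable: once the host switches from blocking the module to the disable_ipv6 sysctl, the net-pf-10 counter should drop to zero, while anything left in the second list is a genuine module request worth investigating before widening domain_kernel_load_modules for every confined domain.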
*** Bug 728969 has been marked as a duplicate of this bug. ***
*** Bug 674438 has been marked as a duplicate of this bug. ***
unable to disable IPV6 on linux

1. I had already made the following entries in ifcfg-eth0:
   IPv6INIT=NO
   IPV6AUTOCONF=NO
2. Following entries were made in /etc/modprob.conf:
   alias net-pf-10 off
   alias ipv6 off
3. These entries in /etc/sysconfig/network:
   IPV6INIT=NO
   NETWORKING_IPV6=NO
4. This line is added to /etc/modprobe.d/blaclist:
   blacklist ipv6
5. Also I did one more in /etc/sysctl.conf:
6. `net.ipv6.conf.all.autoconf = 0`
7. `net.ipv6.conf.accept_ra = 0`

Still I am unable to disable IPV6 on linux, any thoughts please. Help appreciated.
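The configuration above combines the approaches the thread reports as ineffective (ifcfg/initscripts flags, alias ... off, blacklist ipv6) with sysctl keys that tune autoconfiguration rather than disable IPv6, and leaves out both the one directive that does keep the module out (install ipv6 /bin/true, which in turn causes the AVCs in comment 0) and the sysctl the maintainers recommend (net.ipv6.conf.all.disable_ipv6 = 1). As an added example, not code from this bug or from Fedora/RHEL, here is a small audit that takes the text of /etc/sysctl.conf and of the modprobe.d files and reports which method is actually in effect. The sample inputs are constructed to mirror this comment's entries; the status names and the "ineffective" classification follow what this thread reports, not a general claim about modprobe semantics.

```python
"""Audit how a host tries to turn IPv6 off and report which method is actually in effect."""

# Sysctl recommended in this thread; the 'default' key is the companion from comment 7.
REQUIRED_SYSCTL = "net.ipv6.conf.all.disable_ipv6"
COMPANION_SYSCTL = "net.ipv6.conf.default.disable_ipv6"

# Constructed inputs modelled on the reporter's entries (not copied from a real host).
REPORTER_MODPROBE = """\
alias net-pf-10 off
alias ipv6 off
blacklist ipv6
"""
REPORTER_SYSCTL = """\
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.accept_ra = 0
"""
RECOMMENDED_SYSCTL = """\
# recommended in the thread: keep the module, unhook IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
"""


def parse_sysctl(text):
    """Return {key: value} from sysctl.conf-style text; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def modprobe_directives(text):
    """Collect modprobe.d directives aimed at the ipv6 module or its net-pf-10 alias."""
    found = set()
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2:
            continue
        if words[0] == "install" and words[1] == "ipv6":
            found.add("install")  # e.g. 'install ipv6 /bin/true' from comment 0
        elif words[0] == "blacklist" and words[1] == "ipv6":
            found.add("blacklist")
        elif words[0] == "alias" and words[1] in ("ipv6", "net-pf-10") and words[2:] == ["off"]:
            found.add("alias-off")
    return found


def audit(sysctl_text, modprobe_text):
    """Return (status, findings).

    status is one of:
      'sysctl'         - disable_ipv6 = 1 via sysctl, the method recommended in the thread
      'module-blocked' - an 'install ipv6 ...' override keeps the module out (AVC noise)
      'ineffective'    - only settings the thread reports as not disabling IPv6
      'enabled'        - nothing targets IPv6 at all
    """
    findings = []
    sysctls = parse_sysctl(sysctl_text)
    directives = modprobe_directives(modprobe_text)
    via_sysctl = sysctls.get(REQUIRED_SYSCTL) == "1"
    ipv6_keys = sorted(k for k in sysctls if k.startswith("net.ipv6."))

    if via_sysctl and sysctls.get(COMPANION_SYSCTL) != "1":
        findings.append(f"{COMPANION_SYSCTL} = 1 not set alongside {REQUIRED_SYSCTL} (comment 7)")
    if "install" in directives:
        findings.append("'install ipv6' override keeps the module unloaded, so every AF_INET6 "
                        "socket open raises a module_request AVC for net-pf-10")
    for name in ("blacklist", "alias-off"):
        if name in directives:
            findings.append(f"modprobe '{name}' for ipv6 was reported not to prevent on-demand loading")
    if not via_sysctl and ipv6_keys:
        findings.append(f"sysctl keys {ipv6_keys} tune IPv6 but do not disable it; "
                        f"use {REQUIRED_SYSCTL} = 1")

    if "install" in directives:
        status = "module-blocked"
    elif via_sysctl:
        status = "sysctl"
    elif directives or ipv6_keys:
        status = "ineffective"
    else:
        status = "enabled"
    return status, findings


if __name__ == "__main__":
    for label, sysctl, modprobe in (("reporter", REPORTER_SYSCTL, REPORTER_MODPROBE),
                                    ("recommended", RECOMMENDED_SYSCTL, "")):
        status, findings = audit(sysctl, modprobe)
        print(f"{label}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

On a live host the two arguments would be the contents of /etc/sysctl.conf and the concatenation of /etc/modprobe.d/*.conf; the function deliberately takes text rather than reading files so it can be run against a captured configuration from a ticket like this one.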
*** Bug 1251762 has been marked as a duplicate of this bug. ***
*** Bug 1231946 has been marked as a duplicate of this bug. ***