Bug 641836 - (ipv6) disabling ipv6 gives me selinux errors
disabling ipv6 gives me selinux errors
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
15
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
: 669047 674438 696256 696371 703733 722751 728969 1231946 1251762 (view as bug list)
Depends On:
Blocks: dualstack Default_Local_DNS_Resolver
  Show dependency treegraph
 
Reported: 2010-10-11 04:42 EDT by Need Real Name
Modified: 2016-12-08 20:21 EST (History)
17 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-10-12 10:24:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2010-10-11 04:42:25 EDT
I disabled ipv6 using:

# cat /etc/modprobe.d/ipv6.conf 
install ipv6 /bin/true

and now I get avcs:

type=AVC msg=audit(1286786023.063:10): avc:  denied  { module_request } for  pid=1283 comm="named" kmod="net-pf-10" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786024.507:12): avc:  denied  { module_request } for  pid=1440 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786024.521:13): avc:  denied  { module_request } for  pid=1441 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786024.581:14): avc:  denied  { module_request } for  pid=1473 comm="sendmail" kmod="net-pf-10" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786024.689:15): avc:  denied  { module_request } for  pid=1484 comm="sendmail" kmod="net-pf-10" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786025.995:16): avc:  denied  { module_request } for  pid=1614 comm="rndc" kmod="net-pf-10" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786026.125:17): avc:  denied  { module_request } for  pid=1474 comm="sendmail" kmod="net-pf-10" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786026.131:18): avc:  denied  { module_request } for  pid=1485 comm="sendmail" kmod="net-pf-10" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786026.163:19): avc:  denied  { module_request } for  pid=1709 comm="rndc" kmod="net-pf-10" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1286786026.263:20): avc:  denied  { module_request } for  pid=1739 comm="rndc" kmod="net-pf-10" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
Comment 1 Daniel Walsh 2010-10-12 10:24:15 EDT
Sadly there is not much we can do about this.  Are you seeing these as alerts?  They should be being blocked.  You can turn on the boolean 
domain_kernel_load_modules

Which will allow all confined domains to request the kernel load a module.  Turning off ipv6 causes ever app that is ipv6 aware to ask the kernel to load the ipv6 module.
Comment 2 Need Real Name 2010-10-12 11:02:36 EDT
Thanks for the response, helpful as ever.

The reason I am reporting this, is that I will see this problem in RHEL6 when I push for selinux, and I don't want this to be one of those "death by a thousand paper cuts" momemnts.

I am seeing these as alerts. Every time I login.

Web browsing with Fedora 14 with a local dns server is really slow unless I disable ipv6. Is it worth reporting a bug against bind? What should I do?

I suppose the real problem is that the config option to disable ipv6 isn't really useful.
Comment 3 Daniel Walsh 2010-10-12 13:42:47 EDT
#setsebool -P domain_kernel_load_modules 1

Will eliminate the messages.  I would open a bug report against bind, to see what is going on.
Comment 4 Need Real Name 2010-10-14 16:44:04 EDT
(the bind problem turned out to be spurious)

(In reply to comment #3)
> #setsebool -P domain_kernel_load_modules 1
> 
> Will eliminate the messages.

Does this make sense though? I'd like to know when something is trying to load a kernel module, but I'd like ipv6 disabled. There seems to be some overlap (maybe a lot of overlap) here.
Comment 5 Daniel Walsh 2011-01-12 12:00:47 EST
*** Bug 669047 has been marked as a duplicate of this bug. ***
Comment 6 Phil Mayers 2011-01-18 06:28:28 EST
(In reply to comment #4)
> (the bind problem turned out to be spurious)
> 
> (In reply to comment #3)
> > #setsebool -P domain_kernel_load_modules 1
> > 
> > Will eliminate the messages.
> 
> Does this make sense though? I'd like to know when something is trying to load
> a kernel module, but I'd like ipv6 disabled. There seems to be some overlap
> (maybe a lot of overlap) here.

Disabling IPv6 on RHEL/Fedora (which I don't advise) has always been a bit voodoo. The initscripts options don't really work because autoconfig happens in the kernel.

Rather than disabling the kernel module (which will try to be loaded every time an app opens a dual-mode AF_INET6 socket, as you are seeing), you might try this in /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

This *should* prevent all network interfaces enabling IPv6, and also stop bind doing lookups over IPv6.

Another option is to add this to /etc/sysconfig/named:

OPTIONS="-4"

However, you might also want to investigate why IPv6 is timeing out - if bind is doing IPv6 lookups then your machine must think it has a valid IPv6 address, and on June 8th you're going to have problems with a lot more than slow DNS (June 8th 2011 is "IPv6 day" when major content providers are going to add AAAA records onto their services for a 24 hour "shakedown" period).
Comment 7 Eric Paris 2011-01-21 15:31:06 EST
the sysctl's only exist if the ipv6 module has been loaded. So it's not an exact workarond....
Comment 8 Daniel Walsh 2011-04-13 14:17:20 EDT
*** Bug 696256 has been marked as a duplicate of this bug. ***
Comment 9 Mads Kiilerich 2011-04-13 15:00:28 EDT
Shouldn't it be so that either:

Fedora/RHEL supports on-demand loading of ipv6, and SE should thus by default somehow permit "all" processes to load this particular module.

or:

Fedora/RHEL doesn't support on-demand loading of ipv6 and the kernel should somehow be compiled/configured to not try to do that. The boot "scripts" (or systemd) should make sure to load the module before it is used ... if it is used and not disabled.


But what we _really_ need is an official way to disable ipv6 that doesn't show this problem.

I don't think it is within scope for Fedora/RHEL to fix or work around all the unfortunate but valid reasons there might be for disabling ipv6.
Comment 10 Daniel Walsh 2011-04-17 05:21:59 EDT
*** Bug 696371 has been marked as a duplicate of this bug. ***
Comment 11 Miroslav Grepl 2011-05-11 07:51:10 EDT
*** Bug 703733 has been marked as a duplicate of this bug. ***
Comment 12 David Hill 2011-08-03 10:57:31 EDT
I know this bug is closed, but even with ipv6 disabled, selinux is reporting errors for sshd and postfix about not being able to load the modules.
Comment 13 Daniel Walsh 2011-08-03 15:41:57 EDT
Are you getting setroubleshoot messages on this?

If so, how are you disabling ipv6?  We have tried to make setroubleshoot ignore these avc's if it can figure out you disabled ipv6.
Comment 14 David Hill 2011-08-04 09:02:41 EDT
I disabled ipv6 using 3 different methonds and only one did prevent the ipv6 module from being loaded and is adding "install ipv6 /bin/true" to /etc/modprobe.d/disable-ipv6.conf ...

Am I doing something wrong?
Comment 15 Eric Paris 2011-08-04 09:12:03 EDT
I believe the networking kernel community recommends (and it will shut up these AVCs) that IPv6 be disabled by:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

It still loads the module but unhooks almost all of the calls into the module.  (apparently the IPv6 module has become so ingrained in the kernel that a number of other things, like certain firewall modules, require it.  I didn't design it, I'm just telling it how it is)
Comment 16 Daniel Walsh 2011-08-04 16:55:03 EDT
*** Bug 722751 has been marked as a duplicate of this bug. ***
Comment 17 Daniel Walsh 2011-08-04 16:57:07 EDT
Eric Paris reports

"
I believe the networking kernel community recommends (and it will shut up these
AVCs) that IPv6 be disabled by:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

It still loads the module but unhooks almost all of the calls into the module. 
(apparently the IPv6 module has become so ingrained in the kernel that a number
of other things, like certain firewall modules, require it.  I didn't design
it, I'm just telling it how it is)
"

We recommend that you do not disable the ipv6 module but add

net.ipv6.conf.all.disable_ipv6 = 1

to /etc/sysctl.conf

And the AVC messages should go away.

I am updating the setroubleshoot plugin to reflect this info.
Comment 18 Daniel Walsh 2011-08-08 10:42:51 EDT
*** Bug 728969 has been marked as a duplicate of this bug. ***
Comment 19 Dan Winship 2012-05-03 15:21:16 EDT
*** Bug 674438 has been marked as a duplicate of this bug. ***
Comment 20 IgnitedMind 2013-04-05 09:16:58 EDT
unable to disable IPV6 on linux"

1. I had already made following entries in ifcfg-eth0 :
IPv6INIT=NO
IPV6AUTOCONF=NO
2. Following entries were made in /etc/modprob.conf” :
alias net-pf-10 off
alias ipv6 off
3. These entries in /etc/sysconfig/network :
IPV6INIT=NO
NETWORKING_IPV6=NO
4. This line is added to /etc/modprobe.d/blaclist :
blacklist ipv6
5. Also I did one more in /etc/sysctl.conf :
6. `net.ipv6.conf.all.autoconf = 0`
7. `net.ipv6.conf.accept_ra = 0`

Still I am unable to disable IPV6 on linux, any thought please

Help Appreciated
Comment 21 Tomáš Hozza 2015-11-12 10:09:51 EST
*** Bug 1251762 has been marked as a duplicate of this bug. ***
Comment 22 Tomáš Hozza 2015-11-12 10:10:01 EST
*** Bug 1231946 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.