I boot my F14 laptop with SElinux enforced. There is no wired network - but that doesn't make any difference.

When I login I see the SE error that is reported on #669047, warning that sshd isn't permitted to request the net-pf-10 / ipv6 kernel module.

I would expect sshd to start listening on the interfaces it should listen on without trigging any SElinux messages.


There is no ListenAddress configured in sshd_config, so it should "listen on all local addresses". But if sshd triggers a probe for ipv6 then it must be because there is no ipv6 in the system yet and there isn't any ipv6 local address to listen on. It seems like it doesn't do exactly as documented. Perhaps because sshd assumes that it is ok to try to use ipv6 and just let it fail if it fails? Well ... with SElinux the user will get a warning every time and it thus isn't ok.

When I look at it from a user session I can see that sshd listens on ipv4 only:

[root@local ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address     Foreign Address   State   PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN  1394/sshd

But the ipv6 module has now been loaded anyway and the local interface now do have a ipv6 address:

[root@local ~]# lsmod|grep ipv6
ipv6                  229581  10
[root@local ~]# ifconfig
eth2      Link encap:Ethernet  HWaddr 00:12:3F:22:B1:77
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:16

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1328 (1.2 KiB)  TX bytes:1328 (1.2 KiB)

If I then try to restart sshd it thus correctly starts listening on ipv6 without any errors:

[root@local ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@local ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address     Foreign Address   State   PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN  2176/sshd
tcp        0      0 :::22             :::*              LISTEN  2176/sshd


Hacking the sshd start script to log the output of ifconfig and lsmod when it runs I can see that when sshd is started the ipv6 module haven't been loaded and lo do not have an ipv6 address.


So what I'm trying to report is something like:

1: sshd triggers ipv6 probing which causes SElinux warnings by default. If SE is right when it denies module probing then sshd must take care not to trigger a probing.

2: sshd doesn't listen on the ipv6 interfaces, contrary to what the documentation says.

The root cause for this might be that sshd isn't started at the right place in the boot process relative to other parts. It should wait until ipv6 has been loaded ... if ipv6 is going to be loaded at all. One reason this (no longer) happens might be that the network service no longer is started by default and NetworkManager is (too) asynchronous.