Bug 974708 - module_request denied on ppc64
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2013-06-14 17:48 EDT by Dalibor Pospíšil
Modified: 2013-06-18 11:29 EDT
Doc Type: Bug Fix
Last Closed: 2013-06-15 06:46:15 EDT
Type: Bug

Description Dalibor Pospíšil 2013-06-14 17:48:50 EDT
Description of problem:

An AVC appears while executing the linked test, only on ppc64.

type=AVC msg=audit(1371251077.590:6): avc:  denied  { module_request } for  pid=1409 comm="rpc.statd" kmod="net-pf-10" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. run linked test

Actual results:
AVC is generated

Expected results:
no AVC appears


Additional info:
the test disables IPv6 by kernel boot option 'ipv6.disable=1'
Comment 2 Daniel Walsh 2013-06-15 06:45:58 EDT
Well the problem is, you did not disable ipv6 properly so all daemons that use the network will attempt to load ipv6.  Which we do not want to allow.

http://danwalsh.livejournal.com/47118.html
Comment 3 Dalibor Pospíšil 2013-06-17 16:45:19 EDT
(In reply to Daniel Walsh from comment #2)
> Well the problem is, you did not disable ipv6 properly so all daemons that
> use the network will attempt to load ipv6.  Which we do not want to allow.
> 
> http://danwalsh.livejournal.com/47118.html

I have found out that in some cases it is not sufficient to disable IPv6 just by disabling it by net.ipv6.conf.all.disable_ipv6 = 1. The kernel option is really what I need to reproduce some issues.

The strange thing is that those AVCs appear only on ppc64 architecture.

What actions would you recommend to allow usage of the kernel option and get rid of those AVCs at the same time?
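
Added example, not part of the original bug report or of the selinux-policy project: a small triage script that parses AVC records like the one in the description and groups module_request denials by requesting daemon and module, so that net-pf-10 (the kernel's module alias for address family 10, AF_INET6) stands out as the IPv6 autoload case described in comment 2. Only the first sample line comes from this report; the others, and all function names, are constructed for the example.

```python
import re
from collections import Counter

# Linux address-family numbers behind the kernel's "net-pf-<N>" module aliases.
NET_PF = {10: "AF_INET6 (IPv6)", 16: "AF_NETLINK", 17: "AF_PACKET"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of an AVC denial line as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def describe(kmod):
    """Annotate net-pf-<N> aliases with the address family they stand for."""
    m = re.fullmatch(r"net-pf-(\d+)", kmod)
    if m:
        return f"{kmod} = {NET_PF.get(int(m.group(1)), 'unknown family')}"
    return kmod


def module_request_summary(lines):
    """Count module_request denials per (command, source type, requested module)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if not rec or "module_request" not in rec["perms"]:
            continue  # not an AVC denial, or a denial for some other permission
        stype = rec.get("scontext", "?:?:?").split(":")[2]
        counts[(rec.get("comm", "?"), stype, describe(rec.get("kmod", "?")))] += 1
    return counts


# Line 1 is the record from this report; lines 2-4 are constructed samples.
SAMPLE = [
    'type=AVC msg=audit(1371251077.590:6): avc:  denied  { module_request } for  pid=1409 comm="rpc.statd" kmod="net-pf-10" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system',
    'type=AVC msg=audit(1371251080.100:9): avc:  denied  { module_request } for  pid=1500 comm="exampled" kmod="net-pf-10" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system',
    'type=AVC msg=audit(1371251081.200:10): avc:  denied  { read } for  pid=1501 comm="exampled" name="data" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1371251077.590:6): arch=80000015 syscall=102 success=no',
]

if __name__ == "__main__":
    for (comm, stype, kmod), n in module_request_summary(SAMPLE).items():
        print(f"{n}x {comm} ({stype}) requested {kmod}")
```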
