SELinux & disabled IPv6 (was: Re: Fedora IPv6 testing and improvements - request for ideas)

Moez Roy moez.roy at gmail.com
Wed Nov 4 18:44:58 UTC 2015


On Tue, Nov 3, 2015 at 9:06 PM, Scott Schmit <i.grok at comcast.net> wrote:
> On Tue, Nov 03, 2015 at 09:50:53AM -0800, Moez Roy wrote:
>> The IPv6 updates are breaking stuff (and probably increasing the
>> attack surface):
>>
>> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
>> in /etc/sysctl.conf
>> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
>>
>> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
>> in /etc/sysctl.conf
>> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
>
> Your bugs' subjects complain that software X is ignoring configuration for
> software Y.  That's expected for any X & Y where X != Y.  In other
> words, you shouldn't expect unbound and/or dnssec-triggerd to be looking
> at *kernel* configuration settings.
>
> Looking at the bugs' bodies, it appears that because IPv6 isn't there,
> some kernel module auto-load configuration is trying to auto-load IPv6
> and SELinux is prohibiting the action.  That or the tool is explicitly
> trying to load the module, but I rather doubt this.
>
> You note the SELinux policy alert but don't identify if this actually
> breaks anything.  The right answer could be as simple as changing the
> SELinux policy to mark this transition/action as dontaudit (or just
> ignore the audit message).
>
> Ah, a google search for `selinux "request-module"' leads me here:
> https://bugzilla.redhat.com/show_bug.cgi?id=527936 which appears to
> agree with the above.
>
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Yes, in this case it doesn't break anything if you just ignore the
message. I am forwarding this to the SELinux list so hopefully they
can add a rule that, if IPv6 is disabled in the GRUB config, doesn't
audit this message.
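The triage Scott describes (is the denial a harmless `module_request` for the IPv6 module while IPv6 is deliberately off, or something that needs a real policy change?) can be scripted. The following is an added example, not code from this thread, from Fedora, or from the SELinux policy project. It parses AVC lines from the audit log, keeps only denials where the kernel was asked to load `net-pf-10` (the module alias requested when a process opens an AF_INET6 socket; PF_INET6 is 10), checks the sysctl configuration, and only when IPv6 really is disabled emits a `dontaudit` policy module for exactly the domains observed. The audit lines and sysctl text below are constructed samples; the domain names `unbound_t` and `dnssec_trigger_t` are assumed for illustration and are not taken from the bug reports.

```python
import re

# Constructed sample of /var/log/audit/audit.log lines. The field layout follows the
# real AVC record format; PIDs, timestamps and the source domains are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1446662698.123:456): avc:  denied  { module_request } for  pid=1234 comm="unbound-anchor" kmod="net-pf-10" scontext=system_u:system_r:unbound_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1446662700.456:457): avc:  denied  { module_request } for  pid=1250 comm="dnssec-triggerd" kmod="net-pf-10" scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1446662701.789:458): avc:  denied  { read } for  pid=1300 comm="httpd" name="shadow" dev="dm-0" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Constructed sample of /etc/sysctl.conf with IPv6 switched off.
SAMPLE_SYSCTL_CONF = """\
# disable IPv6 on this host
net.ipv6.conf.all.disable_ipv6 = 1
"""

# Module alias the kernel requests for address family 10 (PF_INET6).
IPV6_KMOD = "net-pf-10"

# One regex per AVC record: permissions, command, optional kmod, contexts, class.
AVC_RE = re.compile(
    r'type=AVC .*avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'comm="(?P<comm>[^"]*)"'
    r'(?:.*?kmod="(?P<kmod>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(log_text):
    """Parse AVC denial records into dicts; non-AVC lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        # user:role:type:level -> keep the type component for policy rules
        d["stype"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials


def ipv6_module_request_denials(denials):
    """Keep only denials where a domain asked the kernel to load the IPv6 module."""
    return [d for d in denials
            if d["tclass"] == "system"
            and "module_request" in d["perms"]
            and d.get("kmod") == IPV6_KMOD]


def ipv6_disabled(sysctl_text):
    """True if the last net.ipv6.conf.all.disable_ipv6 setting in the text is 1."""
    disabled = False
    for line in sysctl_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        key, sep, value = line.partition("=")
        if sep and key.strip() == "net.ipv6.conf.all.disable_ipv6":
            disabled = value.strip() == "1"     # later lines override earlier ones
    return disabled


def dontaudit_module(denials, name="ipv6_disabled_quiet"):
    """Render a .te policy module that dontaudits only the observed (source, target) pairs."""
    pairs = sorted({(d["stype"], d["ttype"]) for d in denials})
    types = sorted({t for pair in pairs for t in pair})
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += ["    class system module_request;", "}", ""]
    lines += [f"dontaudit {s} {t}:system module_request;" for s, t in pairs]
    return "\n".join(lines) + "\n"


def triage(sysctl_text, log_text):
    """Decide what to do with the log: nothing, investigate, or silence with dontaudit."""
    hits = ipv6_module_request_denials(parse_avc_denials(log_text))
    if not hits:
        return ("no_ipv6_denials", "")
    if not ipv6_disabled(sysctl_text):
        # IPv6 is live, so a failed module load can actually break networking:
        # do not paper over it with dontaudit.
        return ("ipv6_enabled_investigate",
                ", ".join(sorted({d["comm"] for d in hits})))
    return ("dontaudit", dontaudit_module(hits))


if __name__ == "__main__":
    status, text = triage(SAMPLE_SYSCTL_CONF, SAMPLE_AUDIT_LOG)
    print(status)
    print(text)
```

On a real host the inputs would come from `ausearch -m AVC` output and `/etc/sysctl.conf`; the rendered `.te` text is what `checkmodule -M -m`, `semodule_package` and `semodule -i` turn into a loaded module. The point of the `ipv6_enabled_investigate` branch is that a `dontaudit` rule added while IPv6 was off keeps hiding the same denial after IPv6 is re-enabled, when the failed module load is no longer harmless.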

