On Tue, Nov 3, 2015 at 9:06 PM, Scott Schmit <i.grok@xxxxxxxxxxx> wrote:
> On Tue, Nov 03, 2015 at 09:50:53AM -0800, Moez Roy wrote:
>> The IPv6 updates are breaking stuff (and probably increasing the
>> attack surface):
>>
>> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
>> in /etc/sysctl.conf
>> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
>>
>> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
>> in /etc/sysctl.conf
>> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
>
> Your bugs' subjects complain that software X is ignoring configuration for
> software Y. That's expected for any X & Y where X != Y. In other
> words, you shouldn't expect unbound and/or dnssec-triggerd to be looking
> at *kernel* configuration settings.
>
> Looking at the bugs' bodies, it appears that because IPv6 isn't there,
> some kernel module auto-load configuration is trying to auto-load IPv6
> and SELinux is prohibiting the action. That or the tool is explicitly
> trying to load the module, but I rather doubt this.
>
> You note the SELinux policy alert but don't identify if this actually
> breaks anything. The right answer could be as simple as changing the
> SELinux policy to mark this transition/action as dontaudit (or just
> ignore the audit message).
>
> Ah, a google search for `selinux "request-module"' leads me here:
> https://bugzilla.redhat.com/show_bug.cgi?id=527936 which appears to
> agree with the above.

Yes, in this case it doesn't break anything if you just ignore the message.

I am forwarding this to the SELinux list so hopefully they can add a
rule: if IPv6 is disabled in the grub config, don't audit this message.