Story
Resolution: Unresolved
Normal
None
rhel-8.5.0
Description of problem:
Most of our customers disable IPv6 by using the "ipv6.disable=1" kernel command line parameter.
On SELinux-enabled systems (which is the standard), this produces "module_request" AVC denials, as shown in the example below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=AVC msg=audit(03/02/2022 15:18:00.803:62) : avc: denied { module_request } for pid=1697 comm=dhcpd kmod="net-pf-10" scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
This happens because the glibc resolver tries IPv6 in parallel with IPv4: with IPv6 disabled, the AF_INET6 socket() call makes the kernel request the module alias "net-pf-10" (protocol family 10), and that request is checked by SELinux as the "module_request" permission on the "system" class.
For now, there is no way to hide this, either with audit or with an SELinux rule:
1. audit cannot filter on "module_request"
2. an SELinux rule cannot filter on "kmod=net-pf-10"
Filtering out every "module_request" denial is not wise, so an enhancement is needed that allows filtering out only specific, known module names, for example.
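Until audit or policy can filter on the module name, the only place to apply a selective filter is after the fact, in userspace. The following is an added example, not part of this report or of any RHEL tooling: it parses AVC records in the ausearch -i style shown above (the sample records are constructed), keeps module_request denials for a module whose absence is explained by a kernel command-line option, and leaves every other denial, module_request or not, for review.

```python
import re

# Constructed sample records in the style of the report: an expected
# net-pf-10 denial, a module_request for a different module, and a
# denial that is not a module_request at all.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(03/02/2022 15:18:00.803:62) : avc: denied { module_request } for pid=1697 comm=dhcpd kmod="net-pf-10" scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0',
    'type=AVC msg=audit(03/02/2022 15:19:11.010:70) : avc: denied { module_request } for pid=1802 comm=httpd kmod="ipt_MASQUERADE" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0',
    'type=AVC msg=audit(03/02/2022 15:20:01.000:71) : avc: denied { write } for pid=1900 comm=dhcpd name=leases scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0',
]

# Module aliases whose denial is an expected side effect of a kernel
# command-line option. net-pf-10 is the alias for PF_INET6 (family 10),
# which the kernel requests when IPv6 is disabled. This allowlist is an
# assumption of the example; extend it per site.
EXPECTED_KMODS = {"net-pf-10": "ipv6.disable=1"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Return (set of denied permissions, dict of key=value fields) or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return perms, fields


def classify(record, cmdline):
    """'expected': module_request for a module disabled on the command line;
    'review': any other module_request denial; 'other': everything else."""
    parsed = parse_avc(record)
    if parsed is None:
        return "other"
    perms, fields = parsed
    if "module_request" not in perms:
        return "other"
    option = EXPECTED_KMODS.get(fields.get("kmod"))
    if option and option in cmdline.split():
        return "expected"
    return "review"


def triage(records, cmdline):
    """Classify each record against the running kernel's command line
    (pass the contents of /proc/cmdline on a real system)."""
    return [classify(r, cmdline) for r in records]
```

Note that this hides nothing from the audit log itself; it only decides what a log consumer escalates, which is the "wise" filtering the report asks for.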
Version-Release number of selected component (if applicable):
RHEL7 and later
How reproducible:
Always
Steps to Reproduce:
1. Add ipv6.disable=1 to kernel command line
2. Start a service that uses the glibc resolver, e.g. "dhcpd" with the following configuration snippet
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
ddns-update-style interim;
update-static-leases on;
ignore client-updates;
authoritative;
allow booting;
allow bootp;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Actual results:
AVC
Expected results:
An AVC, but one that can be hidden selectively