  1. RHEL
  2. RHEL-8813

RFE: be able to filter out AVCs based on operation and "kmod" field

    • Normal
    • sst_kernel_security
    • ssg_core_kernel
    • False

      Description of problem:

      Most of our customers disable IPv6 by using the "ipv6.disable=1" kernel command line parameter.
      On SELinux-enabled systems (which is the standard), this leads to "module_request" AVCs, as shown in the example below:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      type=AVC msg=audit(03/02/2022 15:18:00.803:62) : avc: denied { module_request } for pid=1697 comm=dhcpd kmod="net-pf-10" scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      This happens because the glibc resolver tries IPv6 in parallel to IPv4.

      For now, there is no way to hide this, either using audit or a selinux rule:
      1. audit cannot filter on "module_request"
      2. selinux rule cannot filter on "kmod=net-pf-10"

      Filtering out every "module_request" is not wise, so we need some enhancement to filter out only "known modules" for example.

      Version-Release number of selected component (if applicable):

      RHEL7 and later

      How reproducible:

      Always

      Steps to Reproduce:
      1. Add ipv6.disable=1 to kernel command line
      2. Start a service that will use the glibc resolver, e.g. "dhcpd" with the following configuration snippet:

      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      ddns-update-style interim;
      update-static-leases on;
      ignore client-updates;
      authoritative;
      allow booting;
      allow bootp;
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      Actual results:

      AVC

      Expected results:

      AVC but able to hide it wisely

            rhn-support-rbriggs Richard Guy Briggs
            rhn-support-rmetrich Renaud Metrich
            Richard Guy Briggs Richard Guy Briggs
            Dennis Li Dennis Li
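The filter this request describes (drop a denial only when the operation is "module_request" and the "kmod" value is a known one) can be approximated in userspace when triaging audit log text. The following is an added example, not part of the ticket or of any Red Hat tooling; it does not change what the kernel audits, and the function names, the `KNOWN_KMODS` allowlist and the two constructed sample records are assumptions.

```python
import re

# Assumption: kmod aliases treated as expected noise on hosts booted with ipv6.disable=1.
KNOWN_KMODS = {"net-pf-10"}

# Matches the denial part of an AVC record in raw or "ausearch -i" form.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (permission set, field dict) for an AVC denial, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return perms, fields

def is_known_noise(line, known_kmods=KNOWN_KMODS):
    """True only for a pure module_request denial whose kmod is allowlisted."""
    parsed = parse_avc(line)
    if parsed is None:
        return False
    perms, fields = parsed
    return (perms == {"module_request"}
            and fields.get("tclass") == "system"
            and fields.get("kmod") in known_kmods)

def triage(lines, known_kmods=KNOWN_KMODS):
    """Keep every record except the allowlisted module_request denials."""
    return [line for line in lines if not is_known_noise(line, known_kmods)]

SAMPLE = [
    # Record quoted in the ticket.
    'type=AVC msg=audit(03/02/2022 15:18:00.803:62) : avc: denied { module_request } '
    'for pid=1697 comm=dhcpd kmod="net-pf-10" scontext=system_u:system_r:dhcpd_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0',
    # Constructed: same operation, module not on the allowlist, so it must stay visible.
    'type=AVC msg=audit(1646230680.900:63): avc:  denied  { module_request } '
    'for  pid=1701 comm="dhcpd" kmod="example-mod" scontext=system_u:system_r:dhcpd_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0',
    # Constructed: unrelated denial, must stay visible.
    'type=AVC msg=audit(1646230681.100:64): avc:  denied  { read } for  pid=1800 '
    'comm="httpd" name="notes.txt" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    for record in triage(SAMPLE):
        print(record)
```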