Dan Walsh's Blog

Got SELinux?

How should you disable IPV6?
Blogging twice in the same day, a new record...

Lots of people are out there disabling IPV6, and when you do, you invariably get a flood of AVC messages about different confined domains asking the kernel to load the kernel module net-pf-10 (protocol family 10 is PF_INET6, the IPv6 module).

type=AVC msg=audit(10/18/11 23:40:10.233:978087) : avc:  denied  { module_request } for  pid=32265 comm=pickup kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Now I am not recommending that you enable or disable IPV6, but if you do want to disable it and run with SELinux turned on, please read the following:

Eric Paris reports:

"I believe the networking kernel community recommends (and it will shut up these AVCs) that IPv6 be disabled by:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

It still loads the module but unhooks almost all of the calls into the module. (apparently the IPv6 module has become so ingrained in the kernel that a number of other things, like certain firewall modules, require it. I didn't design it, I'm just telling it how it is)"

We recommend that you do not disable the ipv6 module but add

net.ipv6.conf.all.disable_ipv6 = 1

to /etc/sysctl.conf

And the AVC messages should go away.

The setroubleshoot plugin in Fedora reflects this info.
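The AVC quoted above is a module_request denial whose kmod field names net-pf-10. While the sysctl change propagates, or on hosts where it was never applied, it helps to count those IPv6 requests separately from module_request denials for any other module, which are exactly the ones you still want to see. The script below is an added example, not code from the post or from Fedora's setroubleshoot plugin; the function names are mine, the first sample audit line is the one quoted above, and the other three sample lines (including the example_mod module and example_t domain) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post or from setroubleshoot): sort SELinux AVC
# lines so that module_request denials for "net-pf-10" (the IPv6 protocol
# family, i.e. the noise described above) are counted apart from module_request
# denials for any other module, which still deserve review. Read-only: nothing
# here touches policy, booleans or sysctls.

# Reads audit lines on stdin; prints "<class> <original line>" for every
# module_request denial, where <class> is ipv6-noise or review.
triage_module_requests() {
    awk '
        /avc:/ && /denied/ && /module_request/ {
            kmod = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^kmod=/) {
                    kmod = substr($i, 6)      # drop the "kmod=" prefix
                    gsub(/"/, "", kmod)       # drop the surrounding quotes
                }
            }
            if (kmod == "net-pf-10") print "ipv6-noise " $0
            else print "review " $0
        }'
}

# Counts triage lines of one class ("ipv6-noise" or "review") read on stdin.
count_class() {
    grep -c "^$1 " || true     # grep -c exits 1 when the count is 0; keep going
}

# Constructed sample: the first line is the AVC quoted in the post; the other
# three are made up for this example (example_mod and example_t are
# placeholders, not real modules or domains).
SAMPLE_AUDIT='type=AVC msg=audit(10/18/11 23:40:10.233:978087) : avc:  denied  { module_request } for  pid=32265 comm=pickup kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(10/18/11 23:41:02.118:978102) : avc:  denied  { module_request } for  pid=2608 comm=sshd kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(10/18/11 23:42:30.001:978130) : avc:  denied  { module_request } for  pid=4242 comm=example kmod="example_mod" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(10/18/11 23:43:00.500:978140) : avc:  denied  { read } for  pid=4243 comm=example name="shadow" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Summarise audit lines read on stdin: how much of the module_request
# noise is just IPv6, and which requests are left to look at?
summarise() {
    triaged=$(triage_module_requests)
    printf 'net-pf-10 (IPv6) module requests: %s\n' "$(printf '%s\n' "$triaged" | count_class ipv6-noise)"
    printf 'other module requests to review:  %s\n' "$(printf '%s\n' "$triaged" | count_class review)"
    printf '%s\n' "$triaged" | grep '^review ' || true
}

# Demo on the constructed sample. On a real host:
#   ausearch -m avc --raw | summarise     or     summarise < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | summarise
```

The fourth sample line is a file-read denial rather than a module_request, so it is ignored entirely; only module loads are classified, and only the net-pf-10 ones are treated as IPv6 noise.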


After further investigation, I am informed that:

"adding ipv6.disable=1 to the kernel command line will be the strongest way I can think of to load the module but eliminate all of its functionality."

This advice has been picked up and broadcast all over the place, including (among others) the CentOS 5 and CentOS 6 FAQs on how to disable IPv6. It seems, however, to be incomplete. While it does indeed solve the headache of various programs (notably sshd) spamming AVCs about denied module_requests for net-pf-10, it doesn't seem to actually disable IPv6.

Following the expanded advice at http://const-cast.blogspot.com/2009/11/disable-ipv6-using-sysctl-on-linux.html which suggests we add these to sysctl.conf ...
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

... a fairly vanilla CentOS 6.1 system, with bonded (eth0+eth1) interfaces, is left in a state where everything ipv6esque should be disabled:
# sysctl -a | grep disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.bond0.disable_ipv6 = 1

and where indeed no interfaces show any ipv6 bindings:
# ip a  | grep inet6
# ifconfig | grep inet6

but where ipv6 nonetheless shows up unexpectedly ...
# netstat -nutlp | grep ::
tcp   0   0 :::111      :::*   LISTEN    2382/rpcbind
tcp   0   0 :::38800    :::*   LISTEN    2400/rpc.statd
tcp   0   0 :::22       :::*   LISTEN    2608/sshd
udp   0   0 :::64811    :::*             2400/rpc.statd
udp   0   0 :::861      :::*             2382/rpcbind
udp   0   0 :::111      :::*             2382/rpcbind
udp   0   0 :::123      :::*             2633/ntpd

... and tcpdumps show that name resolution queries are made for AAAA records all over the place.

So the question is ...
How do you *really* disable IPv6 without subjecting yourself to AVC spam?
Or must we choose one of
  • leave ipv6 only partially pseudo-disabled as above, but no AVCs
  • use "options ipv6 disable=1" or "ipv6.disable=1", deal with AVCs
  • as above but "setsebool -P domain_kernel_load_modules 1" to make the AVCs shut up (and lose visibility to ANY inappropriate load module requests)
none of which seem particularly palatable?

I ask this here because it's your advice that seems to be the predominant voice out there for How To Do It, and it seems to not really Do It.
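The comment above runs three checks by hand (sysctl values, interface addresses, listening sockets) and finds that only the third still shows IPv6. Below is an added example, not code from the post, the comment or any distribution's tooling, that wraps those same three checks as functions reading command output on stdin, so they can be run live or against saved output and reported separately. Function names are mine; the sample texts are constructed (the sysctl and netstat samples are shortened from the lines quoted above, the `ip a` sample and the 192.0.2.10 address are made up).

```shell
#!/bin/sh
# Added example (not from the post or the comment): the comment's three
# IPv6 checks as functions that read command output on stdin. Sample
# texts are constructed for this example.

# Lists net.ipv6.conf.<if>.disable_ipv6 keys whose value is not 1
# (reads `sysctl -a` output, which prints "key = value").
ipv6_sysctl_gaps() {
    awk '$1 ~ /^net\.ipv6\.conf\..*\.disable_ipv6$/ && $2 == "=" && $3 != "1" { print $1 }'
}

# Lists "<iface> <addr>" for every interface still carrying an inet6 address
# (reads `ip a` output; the comment's `ip a | grep inet6` check).
ipv6_inet6_addrs() {
    awk '/^[0-9]+: / { iface = $2; sub(/:$/, "", iface) }
         /^ *inet6 / { print iface, $2 }'
}

# Lists "<proto> <local addr> <pid/program>" for sockets bound to the IPv6
# wildcard "::" (reads `netstat -nutlp` output; the comment's `grep ::` check).
ipv6_wildcard_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $4 ~ /^:::/ { print $1, $4, $NF }'
}

# Runs all three checks ($1: sysctl output, $2: ip a output, $3: netstat
# output), prints each result, and returns 1 if anything IPv6-related is
# still present, 0 if the host looks fully disabled.
ipv6_audit() {
    gaps=$(printf '%s\n' "$1" | ipv6_sysctl_gaps)
    addrs=$(printf '%s\n' "$2" | ipv6_inet6_addrs)
    socks=$(printf '%s\n' "$3" | ipv6_wildcard_listeners)
    printf 'disable_ipv6 keys not set to 1:\n%s\n' "${gaps:-(none)}"
    printf 'interfaces with inet6 addresses:\n%s\n' "${addrs:-(none)}"
    printf 'sockets bound to the IPv6 wildcard:\n%s\n' "${socks:-(none)}"
    [ -z "$gaps$addrs$socks" ]
}

# Constructed samples. The sysctl sample deliberately leaves lo at 0 so the
# first check has something to report; the netstat sample is shortened from
# the comment's output plus one IPv4-only line.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_ipv6 = 1'

SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State   PID/Program name
tcp   0   0 0.0.0.0:25  0.0.0.0:*   LISTEN    2700/master
tcp   0   0 :::111      :::*   LISTEN    2382/rpcbind
tcp   0   0 :::22       :::*   LISTEN    2608/sshd
udp   0   0 :::123      :::*             2633/ntpd'

# Live run on a Linux host (root is needed for netstat -p to show every PID):
#   ipv6_audit "$(sysctl -a 2>/dev/null)" "$(ip a)" "$(netstat -nutlp 2>/dev/null)"
# Demo on the constructed samples:
ipv6_audit "$SAMPLE_SYSCTL" "$SAMPLE_IP_ADDR" "$SAMPLE_NETSTAT" || echo "IPv6 still present (expected for the sample)"
```

Because each check is reported on its own, the output distinguishes the situation in the comment (sysctls and addresses clean, sockets still on `:::`) from a host where the sysctl was never applied at all; the exit status lets the same script run from cron or a configuration check.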
