Dan Walsh's Blog

Got SELinux?


How should you disable IPV6?
danwalsh
Blogging twice in the same day, a new record...

Lots of people out there are disabling IPv6, and when you do, you invariably get a flood of AVC messages from different confined domains asking the kernel to load the kernel module net-pf-10 (protocol family 10 is PF_INET6: every confined process that opens an IPv6 socket while the module is absent triggers a module_request, and the policy denies it).

type=AVC msg=audit(10/18/11 23:40:10.233:978087) : avc:  denied  { module_request } for  pid=32265 comm=pickup kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Now I am not recommending that you enable or disable IPV6, but if you do want to disable it and run with SELinux turned on, please read the following:

Eric Paris reports

"I believe the networking kernel community recommends (and it will shut up these AVCs) that IPv6 be disabled by:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

It still loads the module but unhooks almost all of the calls into the module. (apparently the IPv6 module has become so ingrained in the kernel that a number of other things, like certain firewall modules, require it. I didn't design it, I'm just telling it how it is) "


We recommend that you do not blacklist or otherwise prevent loading of the ipv6 module, but instead add

net.ipv6.conf.all.disable_ipv6 = 1

to /etc/sysctl.conf (sysctl -p applies it without a reboot).

The module stays loaded, so confined domains no longer ask the kernel to load net-pf-10, and the AVC messages go away.

The setroubleshoot plugin in Fedora reflects this info.



UPDATED:

After further investigation, I am informed that:

"adding ipv6.disable=1 to the kernel command line will be
the strongest way I can think of to load the module but eliminate 
all of its functionality.."
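As an added example (not code from this post, from Eric Paris, or from the setroubleshoot plugin), the shell script below does three things a practitioner would want around this advice: it counts the net-pf-10 module_request denials per confined domain from audit output, it writes the recommended setting to a sysctl file, and it reports whether a host has IPv6 disabled via sysctl, via ipv6.disable=1 on the kernel command line, or by blocking the module in modprobe.d (the case that produces the AVCs). The audit lines are constructed samples modelled on the AVC quoted above; the function names and the file-path arguments are my own choices so the checks can be run against copied files rather than the live system.

```shell
#!/bin/sh
# Added example, not code from Dan Walsh's post. Function names and the
# path arguments are assumptions; the defaults are the live locations.

# Constructed sample audit lines, modelled on the AVC quoted in the post.
SAMPLE_AVCS='type=AVC msg=audit(10/18/11 23:40:10.233:978087) : avc:  denied  { module_request } for  pid=32265 comm=pickup kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(10/18/11 23:40:11.101:978088) : avc:  denied  { module_request } for  pid=32270 comm=sshd kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(10/18/11 23:40:12.500:978089) : avc:  denied  { module_request } for  pid=32266 comm=pickup kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(10/18/11 23:40:13.000:978090) : avc:  denied  { read } for  pid=1234 comm=httpd name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Read audit lines on stdin; print "domain=count ..." for every SELinux
# domain denied module_request for KMOD (default net-pf-10, i.e. PF_INET6).
# Real use:  ausearch -m AVC -ts today | net_pf_module_requests
net_pf_module_requests() {
    kmod="${1:-net-pf-10}"
    grep '{ module_request }' \
      | grep "kmod=\"$kmod\"" \
      | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ printf "%s%s=%s", sep, $2, $1; sep = " " } END { print "" }'
}

# Put the post's recommended setting into a sysctl file (default: the
# post's /etc/sysctl.conf), replacing any earlier value of the same key.
# Apply without a reboot afterwards with:  sysctl -p /etc/sysctl.conf
write_disable_ipv6_sysctl() {
    target="${1:-/etc/sysctl.conf}"
    tmp="$target.tmp.$$"
    { [ -f "$target" ] && grep -v '^net\.ipv6\.conf\.all\.disable_ipv6[[:space:]]*=' "$target" || true; } > "$tmp"
    printf 'net.ipv6.conf.all.disable_ipv6 = 1\n' >> "$tmp"
    mv "$tmp" "$target"
}

# Report how IPv6 is disabled on a host, so you know whether the AVCs in
# the post are to be expected. Prints one of:
#   cmdline   ipv6.disable=1 on the kernel command line (the post's update;
#             a commenter reports it still produced AVCs on F20)
#   blacklist module blocked in modprobe config (blacklist/install ipv6):
#             this is the setup that floods the log with net-pf-10 AVCs
#   sysctl    disable_ipv6=1 with the module loaded (the recommendation)
#   none      IPv6 not disabled by any of the above
ipv6_disable_method() {
    disable_file="${1:-/proc/sys/net/ipv6/conf/all/disable_ipv6}"
    cmdline="${2:-/proc/cmdline}"
    modprobe_dir="${3:-/etc/modprobe.d}"
    if grep -qsE '(^|[[:space:]])ipv6\.disable=1([[:space:]]|$)' "$cmdline"; then
        echo cmdline; return 0
    fi
    if grep -rqsE '^[[:space:]]*(blacklist|install)[[:space:]]+ipv6([[:space:]]|$)' "$modprobe_dir"; then
        echo blacklist; return 0
    fi
    if [ -r "$disable_file" ] && [ "$(cat "$disable_file")" = 1 ]; then
        echo sysctl; return 0
    fi
    echo none
}

# Stand-alone demo on the constructed sample (prints "postfix_pickup_t=2 sshd_t=1").
printf '%s\n' "$SAMPLE_AVCS" | net_pf_module_requests
```

Run ipv6_disable_method with no arguments on the live host; if it prints blacklist, that is the configuration the post warns against. The post sets only net.ipv6.conf.all.disable_ipv6; interfaces created after boot take their initial value from net.ipv6.conf.default.disable_ipv6, so that key is commonly set to 1 alongside it.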

Re: I have updated the original post.

ext_2127925

2013-08-24 08:48 am (UTC)

Tried it on F20, got a lot of AVCs.
Had to revert to your original per /etc/sysctl

If you want to disable IPV6 on this machine
Then you need to set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and do not blacklist the module
Do
add
net.ipv6.conf.all.disable_ipv6 = 1
to /etc/sysctl.conf
