Dan Walsh's Blog

Got SELinux?


How should you disable IPV6?
danwalsh
Blogging twice in the same day, a new record...

Lots of people are out there disabling IPv6, usually by blacklisting the ipv6 kernel module, and when you do you invariably get a flood of AVC messages about different confined domains asking the kernel to load the kernel module net-pf-10 (protocol family 10 is PF_INET6):

type=AVC msg=audit(10/18/11 23:40:10.233:978087) : avc:  denied  { module_request } for  pid=32265 comm=pickup kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Now I am not recommending that you enable or disable IPv6, but if you do want to disable it and run with SELinux turned on, please read the following:

Eric Paris reports

"I believe the networking kernel community recommends (and it will shut up these AVCs) that IPv6 be disabled by:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

It still loads the module but unhooks almost all of the calls into the module. (apparently the IPv6 module has become so ingrained in the kernel that a number of other things, like certain firewall modules, require it. I didn't design it, I'm just telling it how it is) "


We recommend that you do not blacklist or otherwise disable the ipv6 kernel module, but instead add

net.ipv6.conf.all.disable_ipv6 = 1

to /etc/sysctl.conf (and run sysctl -p, or reboot, to apply it).

With the module still loaded the kernel never has to request net-pf-10, so the AVC messages should go away.

The setroubleshoot plugin in Fedora gives this same advice.



UPDATED:

After further investigation, I am informed that:

"adding ipv6.disable=1 to the kernel command line will be
the strongest way I can think of to load the module but eliminate
all of its functionality.."

(One reader reports below that on Fedora 20 this setting brought the AVCs back and that only the sysctl setting above silenced them, so test it on your own kernel before rolling it out.)

This advice has been picked up and broadcast all over the place, including (among others) the CentOS 5 and CentOS 6 FAQs on how to disable IPv6. It seems, however, to be incomplete. While it does indeed solve the headache of various programs (notably sshd) spamming AVCs about denied module_requests for net-pf-10, it doesn't seem to actually disable IPv6.

Following the expanded advice at http://const-cast.blogspot.com/2009/11/disable-ipv6-using-sysctl-on-linux.html which suggests we add these to sysctl.conf ...
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

... a fairly vanilla CentOS 6.1 system, with bonded (eth0+eth1) interfaces, is left in a state where everything ipv6esque should be disabled:
# sysctl -a | grep disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.bond0.disable_ipv6 = 1

and where indeed no interfaces show any ipv6 bindings:
# ip a  | grep inet6
# ifconfig | grep inet6

but where ipv6 nonetheless shows up unexpectedly ...
# netstat -nutlp | grep ::
tcp   0   0 :::111      :::*   LISTEN    2382/rpcbind
tcp   0   0 :::38800    :::*   LISTEN    2400/rpc.statd
tcp   0   0 :::22       :::*   LISTEN    2608/sshd
udp   0   0 :::64811    :::*             2400/rpc.statd
udp   0   0 :::861      :::*             2382/rpcbind
udp   0   0 :::111      :::*             2382/rpcbind
udp   0   0 :::123      :::*             2633/ntpd

... and tcpdumps show that name resolution queries are made for AAAA records all over the place.

So the question is ...
How do you *really* disable IPv6 without subjecting yourself to AVC spam?
Or must we choose one of
  • leave ipv6 only partially pseudo-disabled as above, but no AVCs
  • use "options ipv6 disable=1" or "ipv6.disable=1", deal with AVCs
  • as above but "setsebool -P domain_kernel_load_modules 1" to make the AVCs shut up (and lose visibility to ANY inappropriate load module requests)
none of which seem particularly palatable?

I ask this here because it's your advice that seems to be the predominant voice out there for How To Do It, and it seems to not really Do It.

I have updated the original post.

danwalsh

2012-05-29 03:29 pm (UTC)

I asked a couple of kernel engineers and they state:

"adding ipv6.disable=1 to the kernel command line will be
the strongest way I can think of to load the module but eliminate all of
its functionality.."

Re: I have updated the original post.

ext_2127925

2013-08-24 08:48 am (UTC)

Tried it on F20, got a lot of AVCs.
Had to revert to your original per /etc/sysctl:

"If you want to disable IPV6 on this machine
then you need to set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and do not blacklist the module.
Do
add
net.ipv6.conf.all.disable_ipv6 = 1
to /etc/sysctl.conf"
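As an added example (my own helper script, not code from Dan's post or from anyone in the thread), here is a small POSIX shell script that applies the sysctl-based disable recommended in the post, using the three keys (all, default, lo) listed in the comment above, and then verifies the result the way the commenter did: that every disable_ipv6 knob reads 1, which sockets still sit on the IPv6 wildcard in netstat output, and how many net-pf-10 module_request AVCs each SELinux domain has produced. The function names and the --live flag are my own; the sysctl keys, the netstat layout and the AVC format are the ones shown on this page. On the ":::22" style listeners the commenter saw: disable_ipv6 removes IPv6 addresses but leaves the protocol family registered, so a dual-stack daemon can still create an AF_INET6 socket and bind "::", and with the default net.ipv6.bindv6only=0 that socket also serves its IPv4 clients. That is why those listeners survive, and it is also why no net-pf-10 request is made. The same mechanism explains the F20 report above: with ipv6.disable=1 the module loads but never registers PF_INET6, so every AF_INET6 socket() fails and the kernel asks for net-pf-10 again, AVC included.

```shell
#!/bin/sh
# Added example: helper functions for the sysctl-based IPv6 disable discussed
# in the post. Function names and the --live flag are my own (not from the
# post); the sysctl keys, netstat layout and AVC format are those on the page.

# Idempotently set the three disable_ipv6 keys to 1 in a sysctl.conf-style
# file (default /etc/sysctl.conf); run `sysctl -p` or reboot afterwards.
# Deliberately does not blacklist the ipv6 module: a missing module is what
# makes the kernel call request_module("net-pf-10") and trip the AVC.
ensure_ipv6_sysctl_lines() {
    f=${1:-/etc/sysctl.conf}
    for key in net.ipv6.conf.all.disable_ipv6 \
               net.ipv6.conf.default.disable_ipv6 \
               net.ipv6.conf.lo.disable_ipv6; do
        if grep -q "^[[:space:]]*$key[[:space:]]*=" "$f" 2>/dev/null; then
            # rewrite an existing line (GNU sed -i) instead of appending a duplicate
            sed -i "s|^[[:space:]]*$key[[:space:]]*=.*|$key = 1|" "$f"
        else
            printf '%s = 1\n' "$key" >> "$f"
        fi
    done
}

# Read "key = value" lines (output of `sysctl -a`, or a sysctl.conf) on stdin
# and print every disable_ipv6 knob that is not 1. Empty output is the goal.
# "all" is pushed to every existing interface, "default" only to interfaces
# created later, so check the live `sysctl -a` values and not just the file.
ipv6_knobs_not_disabled() {
    awk -F' *= *' '/^ *net\.ipv6\.conf\..*\.disable_ipv6/ && $2 != "1" { print $1 }'
}

# Read `netstat -nutlp` output on stdin and print "<proto> <port> <pid/prog>"
# for each socket bound to the IPv6 wildcard (:::port). disable_ipv6 removes
# addresses but leaves PF_INET6 registered, so dual-stack daemons still open
# AF_INET6 sockets and bind "::"; with the default bindv6only=0 that socket
# also serves IPv4 clients, which is why these listeners survive.
ipv6_wildcard_listeners() {
    awk '$4 ~ /^:::[0-9]+$/ { split($4, a, ":"); print $1, a[4], $NF }'
}

# Read audit.log lines on stdin and print "<count> <source domain>" for every
# module_request AVC naming net-pf-10 (PF_INET6 is protocol family 10).
# Run it before and after the sysctl change: the counts should stop growing.
net_pf10_requests_by_domain() {
    awk '/avc: *denied *[{] *module_request *[}]/ && /kmod="net-pf-10"/ {
             if (match($0, /scontext=[^ ]+/)) {
                 d = substr($0, RSTART + 9, RLENGTH - 9)   # drop "scontext="
                 n[d]++
             }
         }
         END { for (d in n) print n[d], d }' | sort -k2
}

# Live run on a real host (skipped otherwise, so the helpers can be sourced
# and tested against captured output offline).
if [ "${1:-}" = "--live" ]; then
    echo "== disable_ipv6 knobs not yet 1 (want none) =="
    sysctl -a 2>/dev/null | ipv6_knobs_not_disabled
    echo "== sockets on the IPv6 wildcard =="
    netstat -nutlp 2>/dev/null | ipv6_wildcard_listeners
    echo "== net-pf-10 module_request AVCs by SELinux domain =="
    net_pf10_requests_by_domain < /var/log/audit/audit.log
fi
```

Run it as `sh ipv6check.sh --live` on the host you are changing, once before `sysctl -p` and once after; the AVC counts per domain should stop growing, the knob list should be empty, and the remaining ":::port" entries are dual-stack daemons rather than evidence that the sysctl failed.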
