Dan Walsh's Blog

Got SELinux?

How should you disable IPV6?
danwalsh
Blogging twice in the same day, a new record...

Lots of people are out there disabling IPv6, and when you do, you invariably get a flood of AVC messages from different confined domains asking the kernel to load the kernel module net-pf-10 (the module alias for protocol family 10, AF_INET6). The denied permission is module_request: a confined domain is not allowed to trigger automatic module loading, so every IPv6 socket attempt from a confined process shows up as a denial like this one:

type=AVC msg=audit(10/18/11 23:40:10.233:978087) : avc:  denied  { module_request } for  pid=32265 comm=pickup kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Now I am not recommending that you enable or disable IPv6, but if you do want to disable it and run with SELinux turned on, please read the following:

Eric Paris reports

"I believe the networking kernel community recommends (and it will shut up these AVCs) that IPv6 be disabled by:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

It still loads the module but unhooks almost all of the calls into the module. (apparently the IPv6 module has become so ingrained in the kernel that a number of other things, like certain firewall modules, require it. I didn't design it, I'm just telling it how it is) "


We recommend that you do not blacklist or remove the ipv6 kernel module, but instead add

net.ipv6.conf.all.disable_ipv6 = 1

to /etc/sysctl.conf (and run sysctl -p, or reboot, for it to take effect).

The module stays loaded, IPv6 is switched off, and the AVC messages should go away.

The setroubleshoot plugin in Fedora reflects this info.



UPDATED:

After further investigation, I am informed that:

"adding ipv6.disable=1 to the kernel command line will be
the strongest way I can think of to load the module but eliminate 
all of its functionality.."
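As an added example (my own shell script, not code from this post, from Fedora or from setroubleshoot), here is a small helper that applies the /etc/sysctl.conf recommendation idempotently and reports which of the states discussed above a machine is in: the sysctl knob at 1 (module loaded, IPv6 unhooked), the knob at 0, or no ipv6 sysctl tree at all. The paths are parameters so the functions can be tried against constructed files; the defaults are the real /etc/sysctl.conf, /proc/sys/net/ipv6/conf/all/disable_ipv6 and /proc/cmdline. The function names are my own. One detail worth knowing when comparing the two approaches: booting with ipv6.disable=1 makes the module's init routine return before it registers the AF_INET6 address family or the net.ipv6 sysctl tree, so the knob file does not exist in that configuration and a socket(AF_INET6) call still makes the kernel request net-pf-10.

```shell
#!/bin/sh
# Added example, not code from the original post or from Fedora.
# Applies the sysctl-based IPv6 disable idempotently and reports the
# machine's state. Paths are parameters (defaults are the real files)
# so the functions can be exercised against constructed files.

SYSCTL_CONF_DEFAULT=/etc/sysctl.conf
DISABLE_KNOB_DEFAULT=/proc/sys/net/ipv6/conf/all/disable_ipv6
CMDLINE_DEFAULT=/proc/cmdline
KEY='net.ipv6.conf.all.disable_ipv6'
KEY_RE='net\.ipv6\.conf\.all\.disable_ipv6'

# count_disable_lines [CONF]
# Number of uncommented lines in CONF that set the key (should end up as 1).
count_disable_lines() {
    grep -Ec "^[[:space:]]*${KEY_RE}[[:space:]]*=" "${1:-$SYSCTL_CONF_DEFAULT}"
}

# ensure_disable_ipv6 [CONF]
# Leave CONF with exactly one effective "net.ipv6.conf.all.disable_ipv6 = 1".
# A second run is a no-op; an existing "= 0" line is replaced rather than
# shadowed, so the file carries one unambiguous value.
ensure_disable_ipv6() {
    conf=${1:-$SYSCTL_CONF_DEFAULT}
    [ -f "$conf" ] || : > "$conf"
    if grep -Eq "^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$conf"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    # grep -v exits 1 when every line was filtered out; that is not an error here.
    grep -Ev "^[[:space:]]*${KEY_RE}[[:space:]]*=" "$conf" > "$tmp" || true
    printf '%s = 1\n' "$KEY" >> "$tmp"
    # Write through the existing file instead of mv'ing the temp file over it,
    # so the owner, mode and SELinux label of /etc/sysctl.conf are kept.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# ipv6_state [KNOB]
# Prints one of:
#   disabled  - knob reads 1: module loaded, IPv6 calls unhooked (recommended)
#   enabled   - knob reads 0
#   no-sysctl - knob absent: module not loaded (blacklisted), or booted with
#               ipv6.disable=1, which skips registering the sysctl tree
ipv6_state() {
    knob=${1:-$DISABLE_KNOB_DEFAULT}
    if [ ! -r "$knob" ]; then
        echo no-sysctl
        return 0
    fi
    case "$(cat "$knob")" in
        1) echo disabled ;;
        0) echo enabled ;;
        *) echo unknown ;;
    esac
}

# cmdline_disables_ipv6 [CMDLINE]
# Exit 0 when the running kernel was booted with ipv6.disable=1.
cmdline_disables_ipv6() {
    grep -Eq '(^|[[:space:]])ipv6\.disable=1([[:space:]]|$)' "${1:-$CMDLINE_DEFAULT}"
}

# Read-only status report. To apply the recommendation, run
# ensure_disable_ipv6 as root, then "sysctl -p" (or reboot).
echo "IPv6 state: $(ipv6_state)"
if cmdline_disables_ipv6 2>/dev/null; then
    echo "kernel command line carries ipv6.disable=1"
fi
```

Running the script as an ordinary user only prints the state; ensure_disable_ipv6 is deliberately not called at top level because it writes /etc/sysctl.conf.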

I have updated the original post.

danwalsh

2012-05-29 03:29 pm (UTC)

I asked a couple of kernel engineers and they state:

"adding ipv6.disable=1 to the kernel command line will be
the strongest way I can think of to load the module but eliminate all of
its functionality.."

Re: I have updated the original post.

ext_2127925

2013-08-24 08:48 am (UTC)

Tried it on F20, got lot of avcs.
Had to revert to your original per /etc/sysctl

If you want to disable IPV6 on this machine, then you need to set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and do not blacklist the module.
Do: add
net.ipv6.conf.all.disable_ipv6 = 1
to /etc/sysctl.conf
