On Tue, Nov 03, 2015 at 09:50:53AM -0800, Moez Roy wrote:
> The IPv6 updates are breaking stuff (and probably increasing the
> attack surface):
> 
> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
> 
> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1251762

Your bugs' subjects complain that software X is ignoring configuration for
software Y.  That's expected for any X & Y where X != Y.  In other
words, you shouldn't expect unbound and/or dnssec-triggerd to be looking
at *kernel* configuration settings.

Looking at the bugs' bodies, it appears that because IPv6 isn't there,
some kernel module auto-load configuration is trying to auto-load IPv6
and SELinux is prohibiting the action.  That or the tool is explicitly
trying to load the module, but I rather doubt this.

You note the SELinux policy alert but don't identify if this actually
breaks anything.  The right answer could be as simple as changing the
SELinux policy to mark this transition/action as dontaudit (or just
ignore the audit message).

Ah, a Google search for `selinux "request-module"' leads me here:
https://bugzilla.redhat.com/show_bug.cgi?id=527936 which appears to
agree with the above.


-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
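
A triage example for the situation discussed in the message above, added here and not part of the original email or the linked bug reports: it separates SELinux `module_request` denials for the IPv6 protocol-family module alias (`net-pf-10`, AF_INET6 on Linux) from denials that still need review. The log lines, SELinux type names, and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed audit records for illustration; type names are placeholders.
SAMPLE_LOG = """\
type=AVC msg=audit(1446573053.101:311): avc:  denied  { module_request } for  pid=2101 comm="unbound-anchor" kmod="net-pf-10" scontext=system_u:system_r:example_a_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=SYSCALL msg=audit(1446573053.101:311): arch=c000003e syscall=41 success=no exit=-97 comm="unbound-anchor"
type=AVC msg=audit(1446573060.412:318): avc:  denied  { module_request } for  pid=2144 comm="dnssec-triggerd" kmod="net-pf-10" scontext=system_u:system_r:example_b_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1446573075.007:325): avc:  denied  { module_request } for  pid=2101 comm="unbound-anchor" kmod="net-pf-10" scontext=system_u:system_r:example_a_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1446573080.220:330): avc:  denied  { module_request } for  pid=2300 comm="example-daemon" kmod="example-module" scontext=system_u:system_r:example_c_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1446573081.530:331): avc:  denied  { read } for  pid=2300 comm="example-daemon" name="example.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:example_c_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
IPV6_ALIAS = "net-pf-10"  # alias the kernel requests for protocol family 10 (AF_INET6)

def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other records."""
    m = PERMS_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["perms"] = m.group(1).split()
    return rec

def triage(log_text):
    """Split denials into IPv6 auto-load attempts (per command) and the rest."""
    noise, review = Counter(), []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if (rec["perms"] == ["module_request"] and rec.get("tclass") == "system"
                and rec.get("kmod") == IPV6_ALIAS):
            noise[rec.get("comm", "?")] += 1
        else:
            review.append(rec)
    return noise, review

if __name__ == "__main__":
    noise, review = triage(SAMPLE_LOG)
    print("IPv6 module auto-load denials by command:", dict(noise))
    print("Denials needing review:", [(r["comm"], r["perms"]) for r in review])
```

Only the first group matches the case the message describes as a possible dontaudit candidate; any other module request or permission is kept for manual review.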
