On Tue, Nov 03, 2015 at 09:50:53AM -0800, Moez Roy wrote: > The IPv6 updates are breaking stuff (and probably increasing the > attack surface): > > Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 > in /etc/sysctl.conf > https://bugzilla.redhat.com/show_bug.cgi?id=1231946 > > Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1 > in /etc/sysctl.conf > https://bugzilla.redhat.com/show_bug.cgi?id=1251762
Your bugs' subjects complain that software X is ignoring configuration for software Y. That's expected for any X & Y where X != Y. In other words, you shouldn't expect unbound and/or dnssec-triggerd to be looking at *kernel* configuration settings. Looking at the bugs' bodies, it appears that because IPv6 isn't there, some kernel module auto-load configuration is trying to auto-load IPv6 and SELinux is prohibiting the action. That or the tool is explicitly trying to load the module, but I rather doubt this. You note the SELinux policy alert but don't identify if this actually breaks anything. The right answer could be as simple as changing the SELinux policy to mark this transition/action as dontaudit (or just ignore the audit message). Ah, a google search for `selinux "request-module"' leads me here: https://bugzilla.redhat.com/show_bug.cgi?id=527936 which appears to agree with the above.
smime.p7s
Description: S/MIME cryptographic signature
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
