Maintained by: NLnet Labs

unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

Robert Edmonds
Wed Nov 4 19:29:37 CET 2015


Phil Mayers via Unbound-users wrote:
> On 04/11/2015 17:21, Robert Edmonds wrote:
> >Is the problem perhaps that "ipv6.disable=1" on the kernel command line
> >should be accompanied by "alias net-pf-10 off" in the modprobe
> >configuration in order to prevent useless autoloading attempts?
> 
> Is that config read by modprobe after the kernel has called it? In which
> case it'll still trigger (and deny) the probe. It's been so long since I
> looked at module loading I can't remember.

I don't know that much about SELinux.  Are these "module_request"
denials triggered at the point where the kernel is about to perform the
upcall into userspace to invoke modprobe, or are they triggered after
the modprobe runs and calls back into the kernel to request the module
load?  (If the former, then "alias net-pf-10 off" won't help, of
course.)

> >I can't see how this audit message wouldn't be triggered by basically
> >any program that creates an IPv6 socket, which should be close to any
> >program that uses the network by now?
> 
> They might be running under SELinux contexts which either permit or
> dontaudit the module load I suppose? But I agree, almost everything is going
> to be v6-aware at this point.

Right, so this looks like a duplicate of
https://bugzilla.redhat.com/show_bug.cgi?id=641836, and wow that bug has
a lot of dupes.  So this isn't an Unbound problem at all.

According to a blog post (http://danwalsh.livejournal.com/47118.html),
it would appear the better option is to disable IPv6 addressing.  Or
figure out how to get the system to deny the request without logging it
if it bothers you so much, I guess.

-- 
Robert Edmonds
edmonds at debian.org
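An added example (not from the thread, Unbound, or NLnet Labs) of how an administrator could confirm the "any program that opens an IPv6 socket" diagnosis: it counts SELinux module_request denials for the net-pf-10 alias per process name over constructed audit lines, and checks /proc/net/if_inet6 to tell whether the IPv6 stack is registered at all. The sample lines, pids, process names and SELinux contexts are constructed.

```python
import re
from collections import Counter
from pathlib import Path

# One AVC record per line: denied permission, process name and, for
# module_request denials, the module alias the kernel was asked to load.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perm>[^}]+) \}.*?'
    r'comm="(?P<comm>[^"]*)".*?kmod="(?P<kmod>[^"]*)"'
)

# Constructed sample audit lines (not from the original thread); pids and
# SELinux contexts are made up.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1446660000.001:101): avc:  denied  { module_request } for  pid=2101 comm="unbound-anchor" kmod="net-pf-10" scontext=system_u:system_r:unbound_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1446660000.002:102): avc:  denied  { module_request } for  pid=2105 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1446660000.003:103): avc:  denied  { module_request } for  pid=2110 comm="example-daemon" kmod="net-pf-16" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1446660000.004:104): avc:  denied  { name_connect } for  pid=2120 comm="curl" dest=53 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=tcp_socket
"""


def ipv6_autoload_denials(audit_text):
    """Count module_request denials for net-pf-10, keyed by process name.

    net-pf-10 is the alias for protocol family 10 (PF_INET6). With
    ipv6.disable=1 on the kernel command line, every socket(AF_INET6, ...)
    makes the kernel call request_module(), and SELinux checks module_request
    before the modprobe upcall, so a modprobe-side alias cannot silence it.
    Many distinct comm= values here is the "not an Unbound problem" signal.
    """
    hits = Counter()
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("perm").strip() == "module_request" \
                and m.group("kmod") == "net-pf-10":
            hits[m.group("comm")] += 1
    return hits


def ipv6_stack_present(proc_root="/proc"):
    """True if PF_INET6 is registered: /proc/net/if_inet6 exists only then.

    Absent under ipv6.disable=1; still present (just address-less) under the
    net.ipv6.conf.all.disable_ipv6=1 sysctl from the subject line. Checking
    this avoids the AF_INET6 probe socket that triggers the autoload upcall.
    """
    return Path(proc_root, "net", "if_inet6").exists()
```

Run `ipv6_autoload_denials()` over `ausearch -m AVC` output on the affected host; if it lists sshd, unbound-anchor and others side by side, the denial is the generic kernel autoload path rather than anything specific to unbound-anchor.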