AVC "module_request" seen for various services for module "net-pf-10"
Environment
- Red Hat Enterprise Linux 7 and later
- SELinux
- IPv6
Issue
- The following AVC can be seen in the audit log for various services and processes, all related to the net-pf-10 kernel module:
type=PROCTITLE msg=... : proctitle=...
type=SYSCALL msg=... : arch=x86_64 syscall=socket success=no exit=EAFNOSUPPORT(Address family not supported by protocol) a0=inet6 a1=SOCK_DGRAM a2=ip ...
type=AVC msg=... : avc: denied { module_request } for ... comm=unbound-anchor kmod="net-pf-10" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
In the example above the service is unbound-anchor, but it may be any other process that opens an IPv6 socket.
Resolution
Follow the procedure described in the Diagnostic Steps section.
If it matches, proceed with the step below; otherwise open a case on the Customer Portal referencing this solution.
Apply the alternative solution to disable IPv6 addressing (i.e. using sysctl settings), as explained in How do I disable or enable the IPv6 protocol in Red Hat Enterprise Linux?.
Root Cause
This is caused by the way IPv6 was disabled on the system. The How do I disable or enable the IPv6 protocol in Red Hat Enterprise Linux? solution proposes using ipv6.disable=1 on the kernel command line, but with that method the socket(AF_INET6) call made by the glibc resolver fails with EAFNOSUPPORT, the kernel tries to load the net-pf-10 module on the caller's behalf, and SELinux denies that module_request, producing the AVC shown above.
Diagnostic Steps
Verify that ipv6.disable is specified on the kernel command line:
# grep ipv6.disable /proc/cmdline
BOOT_IMAGE=... ipv6.disable=1 ...
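The following script is an added example, not part of the Red Hat article: it applies the diagnostic logic above to a kernel command line and to audit text, reporting which processes were denied module_request for net-pf-10 and whether ipv6.disable=1 is the cause. The audit record and command lines it uses are constructed samples modelled on the ones quoted in the Issue section; on a real host, feed it /proc/cmdline and the output of ausearch or /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: a triage helper that
# applies the article's Diagnostic Steps to audit text and a kernel
# command line. All sample inputs below are constructed.

# Constructed audit record (real records quote the comm value).
SAMPLE_AVC='type=AVC msg=audit(1700000000.000:42): avc:  denied  { module_request } for  pid=1234 comm="unbound-anchor" kmod="net-pf-10" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0'

# Constructed kernel command lines: one with the problematic parameter, one without.
CMDLINE_DISABLED='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro ipv6.disable=1 quiet'
CMDLINE_NORMAL='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro quiet'

# Exit 0 when the given command line carries ipv6.disable=1 as a whole
# parameter (the check the article's Diagnostic Steps perform).
has_ipv6_disable_param() {
    printf '%s\n' "$1" | grep -qE '(^| )ipv6\.disable=1( |$)'
}

# Read audit text on stdin and print, one per line, the distinct comm
# values denied module_request for kmod net-pf-10; exit 1 if none.
net_pf10_denied_comms() {
    out=$(grep 'avc:.*denied.*{ module_request }.*kmod="net-pf-10"' |
          sed -n 's/.*comm="\{0,1\}\([^" ]*\).*/\1/p' | sort -u)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Combine both checks: the article's resolution applies only when the
# net-pf-10 denials coincide with ipv6.disable=1 on the command line.
# $1 = kernel command line (normally "$(cat /proc/cmdline)"); audit text on stdin.
matches_this_solution() {
    comms=$(net_pf10_denied_comms) || return 1
    has_ipv6_disable_param "$1" || return 2
    echo "net-pf-10 module_request denied for: $(printf '%s' "$comms" | tr '\n' ' ')"
    echo "ipv6.disable=1 found on the kernel command line: disable IPv6 via sysctl instead"
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_AVC" | matches_this_solution "$CMDLINE_DISABLED"
```

A return status of 1 from matches_this_solution means no net-pf-10 denial was found, and 2 means denials exist but ipv6.disable=1 is absent, so a different root cause should be investigated.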
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.