RFE: be able to filter out AVCs based on operation and "kmod" field

[rgbriggs]

Many administrators disable IPv6 through using "ipv6.disable=1" kernel command line parameter. On SELinux enabled systems (which is the standard), this leads to getting "module_request" AVCs, as shown in the example below: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- type=PROCTITLE msg=audit(2022-10-14 01:31:46.241:157) : proctitle=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid type=AVC msg=audit(2022-10-14 01:31:46.241:157) : avc: denied { module_request } for pid=15612 comm=dhcpd kmod="net-pf-10" scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0 type=SYSCALL msg=audit(2022-10-14 01:31:46.241:157) : arch=x86_64 syscall=socket success=no exit=EAFNOSUPPORT(Address family not supported by protocol) a0=inet6 a1=SOCK_DGRAM a2=udp a3=0x31 items=0 ppid=1 pid=15612 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dhcpd exe=/usr/sbin/dhcpd subj=system_u:system_r:dhcpd_t:s0 key=(null) -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This happens because the glibc resolver tries IPv6 in parallel to IPv4.

For now, there is no way to hide this, either using audit or a selinux rule:

1. audit cannot filter on "module_request"
2. selinux rule cannot filter on "kmod=net-pf-10"

Filtering out every "module_request" is not wise, so we need some enhancement to filter out only "known modules" for example.

Steps to Reproduce:

1. Add ipv6.disable=1 to kernel command line

2. Start a service that will use the glibc resolver, e.g. "dhcpd" with following configuration snippet

   -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- ddns-update-style interim; update-static-leases on; ignore client-updates; authoritative; allow booting; allow bootp; -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results: AVC

Expected results: AVC but able to hide it wisely

See also: https://bugzilla.redhat.com/show_bug.cgi?id=2060017

[pcmoore]

NOTE: The Red Hat bugzilla entry requires a login and is not publicly accessible.

[pcmoore]

That's interesting. I haven't traced the code path in question, but a AVC denial indicates that SELinux is blocking the module request due to the loaded policy (i.e. dhcp_t is not allowed to load kernel modules), not because "ipv6.disable" was specified on the kernel command line.

Has anyone considered simply making better use of SELinux's dontaudit rules to hide these failed module_request operations?

[zpytela]

That's interesting. I haven't traced the code path in question, but a AVC denial indicates that SELinux is blocking the module request due to the loaded policy (i.e. dhcp_t is not allowed to load kernel modules), not because "ipv6.disable" was specified on the kernel command line. That's correct, and the bz is about rich filtering options for audit.

Has anyone considered simply making better use of SELinux's dontaudit rules to hide these failed module_request operations?

My standpoint it that if not allowed, such denials should rather be exposed than dontaudited.

[rgbriggs]

On 2023-06-06 03:17, Zdeněk Pytela wrote:

That's correct, and the bz is about rich filtering options for audit.

This could still miss early events before audit rules are in place.

Has anyone considered simply making better use of SELinux's dontaudit rules to hide these failed module_request operations? My standpoint it that if not allowed, such denials should rather be exposed than dontaudited.

My first thought was to see if there was a way to configure glibc to disable IPv6, eliminating the source of the problem?

[pcmoore]

My standpoint it that if not allowed, such denials should rather be exposed than dontaudited.

That's a reasonable position, I was simply mentioning it as a solution to the problem.

[pcmoore]

My first thought was to see if there was a way to configure glibc to disable IPv6, eliminating the source of the problem?

I personally haven't tried it, but one could block the creation of IPv6 sockets with libseccomp/seccomp by blocking the socket(AF_INET6, ...) syscall. As long as the application handles this properly and falls back to using AF_INET everything should be okay.

One could trial this fairly easily with the systemd RestrictAddressFamilies option:

• https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictAddressFamilies=