Hi Phil. Sorry for the late response.

On 04.11.2015 17:35, Phil Mayers wrote:
> On 04/11/2015 15:49, Tomas Hozza wrote:
>
>> If you have some strong technical argument for this behavior I would
>> be more than glad to hear it. The reason is that similar people will
>> fight hard against having Unbound as the default DNS resolver in
>> Fedora, which is our ultimate plan. Ability to spare hundreds of
>> emails arguing with them would be great :)
>
> Which "behaviour"?
>
> I'm honestly confused. As far as I can tell, everything is working as
> designed here.

I meant the situation where the user disabled IPv6, but Unbound, as an IPv6-aware application, triggers a request to load the module by calling the standard syscall.

> The code tries to open an IPv6 socket, the kernel tries to load the module,
> SELinux denies and logs this. Each of these items is by design. Which are you
> suggesting should change?

I think it makes sense. I'm just not that familiar with how IPv6 works in the kernel, therefore I was trying to ask you for more information so I can possibly convince the Fedora user that Unbound's behavior is expected and correct.

> Is it the audit log that is annoying people? If so, the SELinux policy should
> be a dontaudit.

I think it is the fact that they disabled IPv6, but some userspace component is trying to load into the kernel a module they don't want to be loaded.

> Can we agree that unbound-anchor should not be reading sysctls to change its
> behaviour?

Definitely. I really think Unbound should not read the file and should just use the standard syscall and check for errors - as it already does.

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc. http://cz.redhat.com
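
The approach agreed on in the message above (call `socket()` and check the error instead of reading sysctls), as an added example that is not part of the original message and not Unbound's code. The names `classify_socket_errno`, `probe_family` and `usable_families` are hypothetical, and it assumes Linux reports a family it cannot provide as `EAFNOSUPPORT`:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical names; not taken from Unbound. */
enum fam_status { FAM_USABLE, FAM_ABSENT, FAM_FAILED };

/* Classify errno from a failed socket() call. Assumption: the kernel
 * reports a family it cannot provide (not built, not loaded, or the
 * module load was refused) as EAFNOSUPPORT, which is not an error. */
enum fam_status classify_socket_errno(int err)
{
    if (err == 0) return FAM_USABLE;
    if (err == EAFNOSUPPORT || err == EPROTONOSUPPORT) return FAM_ABSENT;
    return FAM_FAILED;            /* EMFILE, ENOMEM, EACCES, ...: report it */
}

/* Ask the kernel directly instead of reading sysctl files. */
enum fam_status probe_family(int family, int *err_out)
{
    int fd = socket(family, SOCK_DGRAM, 0);
    *err_out = (fd < 0) ? errno : 0;   /* save errno before close() */
    if (fd >= 0) close(fd);
    return classify_socket_errno(*err_out);
}

/* Bitmask of families to serve on (1 = IPv4, 2 = IPv6), or -1 when a
 * probe hit a real error or no family is available at all. */
int usable_families(enum fam_status v4, enum fam_status v6)
{
    if (v4 == FAM_FAILED || v6 == FAM_FAILED) return -1;
    int mask = (v4 == FAM_USABLE ? 1 : 0) | (v6 == FAM_USABLE ? 2 : 0);
    return mask ? mask : -1;
}

int main(void)
{
    int e4, e6;
    enum fam_status v4 = probe_family(AF_INET, &e4);
    enum fam_status v6 = probe_family(AF_INET6, &e6);
    if (v6 == FAM_ABSENT) fprintf(stderr, "IPv6 unavailable, using IPv4 only\n");
    if (v4 == FAM_FAILED) fprintf(stderr, "IPv4 socket: %s\n", strerror(e4));
    if (v6 == FAM_FAILED) fprintf(stderr, "IPv6 socket: %s\n", strerror(e6));
    int mask = usable_families(v4, v6);
    printf("usable families mask: %d\n", mask);
    return mask < 0 ? 1 : 0;
}
```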
