On 08/19/2015 07:36 AM, Robert P. J. Day wrote: > On Wed, 19 Aug 2015, Daniel J Walsh wrote: > >> On 08/19/2015 02:43 AM, Robert P. J. Day wrote: >>> On Tue, 18 Aug 2015, Robert P. J. Day wrote: >>> >>>> by now, i'm getting *really* good at debugging. was doing a simple >>>> docker build (docker-1.8.1) with first few lines of Dockerfile (which >>>> worked fine not that long ago): >>>> >>>> FROM ubuntu:14.04 >>>> MAINTAINER Robert P. J. Day >>>> ENV REFRESHED_AT 2015-08-18 >>>> >>>> RUN apt-get -y -q update && apt-get -y -q install nginx >>>> ... snip ... >>>> >>>> and it was *entirely* reproducible that the instant docker started to >>>> process that "RUN apt-get" command, the wireless connection on my >>>> Fedora 22 laptop was blown away. grabbed this from SELinux: >>>> >>>> ===== start ===== >>>> >>>> SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process. >>>> >>>> ***** Plugin catchall (100. confidence) suggests ************************** >>>> >>>> If you believe that abrt-hook-ccpp should be allowed sigchld access on processes labeled kernel_t by default. >>>> Then you should report this as a bug. >>>> You can generate a local policy module to allow this access. >>>> Do >>>> allow this access for now by executing: >>>> # grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol >>>> # semodule -i mypol.pp >>>> >>>> Additional Information: >>>> Source Context system_u:system_r:NetworkManager_t:s0 >>>> Target Context system_u:system_r:kernel_t:s0 >>>> Target Objects Unknown [ process ] >>>> Source abrt-hook-ccpp >>>> Source Path /usr/libexec/abrt-hook-ccpp >>>> Port <Unknown> >>>> Host localhost.localdomain >>>> Source RPM Packages abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64 >>>> Target RPM Packages >>>> Policy RPM selinux-policy-3.13.1-128.10.fc22.noarch >>>> Selinux Enabled True >>>> Policy Type targeted >>>> Enforcing Mode Permissive >>>> Host Name localhost.localdomain >>>> Platform Linux localhost.localdomain 4.1.5-200.fc22.x86_64 >>>> #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64 >>>> Alert Count 1 >>>> First Seen 2015-08-18 12:57:36 EDT >>>> Last Seen 2015-08-18 12:57:36 EDT >>>> Local ID 523c8bed-7428-49e7-b301-3a932852b135 >>>> >>>> Raw Audit Messages >>>> type=AVC msg=audit(1439917056.327:640): avc: denied { sigchld } for pid=4555 comm="abrt-hook-ccpp" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1 >>>> >>>> >>>> type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null) >>>> >>>> Hash: abrt-hook-ccpp,NetworkManager_t,kernel_t,process,sigchld >>>> >>>> ===== end ===== >>> followup to the above ... i ran the suggested selinux-related >>> commands, but that had no apparent effect, so i'm still stuck. for >>> people who know docker, you'll recognize that the error occurred at >>> the first instruction in the Dockerfile that requires network access, >>> the "RUN apt-get ..." command (i already have the ubuntu base image on >>> my system). >>> >>> i grabbed a few hundred lines from "journalctl" and stuck them here: >>> http://pastebin.com/KzrYMFvC. you can see the very first command there >>> is the docker invocation: >>> >>> Aug 19 05:24:35 localhost.localdomain sudo[4190]: rpjday : TTY=pts/0 >>> ; PWD=/home/rpjday/docker/TDB/sample ; USER=root ; COMMAND=/bin/docker >>> build -t jamtur01/nginx . >>> >>> thoughts? is it bugzilla time? >>> >>> rday >>> >> Yes open a bugzilla, although this is a very strange AVC. It basically >> shows abrt-hook-ccpp executing under networkmanager domain and sending >> sigchld to kernel_t. >> >> Why would networkmanager execed processes be sending a sigchld to a >> kernel process? > beats me, this is way outside my comfort zone. by the way, even > though selinux was in permissive mode, i thought i'd play it safe and > just disable it entirely, so i did, rebooted, "sestatus" clearly shows > selinux disabled, but i got the same error. > > i'll do it one more time shortly just to make sure it's not some > intermittent weirdness, then i'll BZ it. open to suggestions as to > anything else i might try, or add to the BZ submission. > > rday > With SELinux disabled you should not be getting any AVC's If you turn SELInux back on and do a full relabel, I think the problem will go away. Something is crashing though which is causing the AVC -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org