On 08/19/2015 07:36 AM, Robert P. J. Day wrote:
> On Wed, 19 Aug 2015, Daniel J Walsh wrote:
>
>> On 08/19/2015 02:43 AM, Robert P. J. Day wrote:
>>> On Tue, 18 Aug 2015, Robert P. J. Day wrote:
>>>
>>>> by now, i'm getting *really* good at debugging. was doing a simple
>>>> docker build (docker-1.8.1) with first few lines of Dockerfile (which
>>>> worked fine not that long ago):
>>>>
>>>> FROM ubuntu:14.04
>>>> MAINTAINER Robert P. J. Day
>>>> ENV REFRESHED_AT 2015-08-18
>>>>
>>>> RUN apt-get -y -q update && apt-get -y -q install nginx
>>>> ... snip ...
>>>>
>>>> and it was *entirely* reproducible that the instant docker started to
>>>> process that "RUN apt-get" command, the wireless connection on my
>>>> Fedora 22 laptop was blown away. grabbed this from SELinux:
>>>>
>>>> ===== start =====
>>>>
>>>> SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.
>>>>
>>>> ***** Plugin catchall (100. confidence) suggests **************************
>>>>
>>>> If you believe that abrt-hook-ccpp should be allowed sigchld access on processes labeled kernel_t by default.
>>>> Then you should report this as a bug.
>>>> You can generate a local policy module to allow this access.
>>>> Do
>>>> allow this access for now by executing:
>>>> # grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
>>>> # semodule -i mypol.pp
>>>>
>>>> Additional Information:
>>>> Source Context system_u:system_r:NetworkManager_t:s0
>>>> Target Context system_u:system_r:kernel_t:s0
>>>> Target Objects Unknown [ process ]
>>>> Source abrt-hook-ccpp
>>>> Source Path /usr/libexec/abrt-hook-ccpp
>>>> Port <Unknown>
>>>> Host localhost.localdomain
>>>> Source RPM Packages abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
>>>> Target RPM Packages
>>>> Policy RPM selinux-policy-3.13.1-128.10.fc22.noarch
>>>> Selinux Enabled True
>>>> Policy Type targeted
>>>> Enforcing Mode Permissive
>>>> Host Name localhost.localdomain
>>>> Platform Linux localhost.localdomain 4.1.5-200.fc22.x86_64
>>>> #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
>>>> Alert Count 1
>>>> First Seen 2015-08-18 12:57:36 EDT
>>>> Last Seen 2015-08-18 12:57:36 EDT
>>>> Local ID 523c8bed-7428-49e7-b301-3a932852b135
>>>>
>>>> Raw Audit Messages
>>>> type=AVC msg=audit(1439917056.327:640): avc: denied { sigchld } for pid=4555 comm="abrt-hook-ccpp" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
>>>>
>>>>
>>>> type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)
>>>>
>>>> Hash: abrt-hook-ccpp,NetworkManager_t,kernel_t,process,sigchld
>>>>
>>>> ===== end =====
>>> followup to the above ... i ran the suggested selinux-related
>>> commands, but that had no apparent effect, so i'm still stuck. for
>>> people who know docker, you'll recognize that the error occurred at
>>> the first instruction in the Dockerfile that requires network access,
>>> the "RUN apt-get ..." command (i already have the ubuntu base image on
>>> my system).
>>>
>>> i grabbed a few hundred lines from "journalctl" and stuck them here:
>>> http://pastebin.com/KzrYMFvC. you can see the very first command there
>>> is the docker invocation:
>>>
>>> Aug 19 05:24:35 localhost.localdomain sudo[4190]: rpjday : TTY=pts/0
>>> ; PWD=/home/rpjday/docker/TDB/sample ; USER=root ; COMMAND=/bin/docker
>>> build -t jamtur01/nginx .
>>>
>>> thoughts? is it bugzilla time?
>>>
>>> rday
>>>
>> Yes open a bugzilla, although this is a very strange AVC. It basically
>> shows abrt-hook-ccpp executing under networkmanager domain and sending
>> sigchld to kernel_t.
>>
>> Why would networkmanager execed processes be sending a sigchld to a
>> kernel process?
> beats me, this is way outside my comfort zone. by the way, even
> though selinux was in permissive mode, i thought i'd play it safe and
> just disable it entirely, so i did, rebooted, "sestatus" clearly shows
> selinux disabled, but i got the same error.
>
> i'll do it one more time shortly just to make sure it's not some
> intermittent weirdness, then i'll BZ it. open to suggestions as to
> anything else i might try, or add to the BZ submission.
>
> rday
>
With SELinux disabled you should not be getting any AVC's
If you turn SELInux back on and do a full relabel, I think the problem
will go away.
Something is crashing though which is causing the AVC
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
