On Wed, 19 Aug 2015, Daniel J Walsh wrote:
>
>
> On 08/19/2015 07:36 AM, Robert P. J. Day wrote:
> > On Wed, 19 Aug 2015, Daniel J Walsh wrote:
> >
> >> On 08/19/2015 02:43 AM, Robert P. J. Day wrote:
> >>> On Tue, 18 Aug 2015, Robert P. J. Day wrote:
> >>>
> >>>> by now, i'm getting *really* good at debugging. was doing a simple
> >>>> docker build (docker-1.8.1) with first few lines of Dockerfile (which
> >>>> worked fine not that long ago):
> >>>>
> >>>> FROM ubuntu:14.04
> >>>> MAINTAINER Robert P. J. Day
> >>>> ENV REFRESHED_AT 2015-08-18
> >>>>
> >>>> RUN apt-get -y -q update && apt-get -y -q install nginx
> >>>> ... snip ...
> >>>>
> >>>> and it was *entirely* reproducible that the instant docker started to
> >>>> process that "RUN apt-get" command, the wireless connection on my
> >>>> Fedora 22 laptop was blown away. grabbed this from SELinux:
> >>>>
> >>>> ===== start =====
> >>>>
> >>>> SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.
> >>>>
> >>>> ***** Plugin catchall (100. confidence) suggests **************************
> >>>>
> >>>> If you believe that abrt-hook-ccpp should be allowed sigchld access on processes labeled kernel_t by default.
> >>>> Then you should report this as a bug.
> >>>> You can generate a local policy module to allow this access.
> >>>> Do
> >>>> allow this access for now by executing:
> >>>> # grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
> >>>> # semodule -i mypol.pp
> >>>>
> >>>> Additional Information:
> >>>> Source Context system_u:system_r:NetworkManager_t:s0
> >>>> Target Context system_u:system_r:kernel_t:s0
> >>>> Target Objects Unknown [ process ]
> >>>> Source abrt-hook-ccpp
> >>>> Source Path /usr/libexec/abrt-hook-ccpp
> >>>> Port <Unknown>
> >>>> Host localhost.localdomain
> >>>> Source RPM Packages abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
> >>>> Target RPM Packages
> >>>> Policy RPM selinux-policy-3.13.1-128.10.fc22.noarch
> >>>> Selinux Enabled True
> >>>> Policy Type targeted
> >>>> Enforcing Mode Permissive
> >>>> Host Name localhost.localdomain
> >>>> Platform Linux localhost.localdomain 4.1.5-200.fc22.x86_64
> >>>> #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
> >>>> Alert Count 1
> >>>> First Seen 2015-08-18 12:57:36 EDT
> >>>> Last Seen 2015-08-18 12:57:36 EDT
> >>>> Local ID 523c8bed-7428-49e7-b301-3a932852b135
> >>>>
> >>>> Raw Audit Messages
> >>>> type=AVC msg=audit(1439917056.327:640): avc: denied { sigchld } for pid=4555 comm="abrt-hook-ccpp" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
> >>>>
> >>>>
> >>>> type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)
> >>>>
> >>>> Hash: abrt-hook-ccpp,NetworkManager_t,kernel_t,process,sigchld
> >>>>
> >>>> ===== end =====
> >>> followup to the above ... i ran the suggested selinux-related
> >>> commands, but that had no apparent effect, so i'm still stuck. for
> >>> people who know docker, you'll recognize that the error occurred at
> >>> the first instruction in the Dockerfile that requires network access,
> >>> the "RUN apt-get ..." command (i already have the ubuntu base image on
> >>> my system).
> >>>
> >>> i grabbed a few hundred lines from "journalctl" and stuck them here:
> >>> http://pastebin.com/KzrYMFvC. you can see the very first command there
> >>> is the docker invocation:
> >>>
> >>> Aug 19 05:24:35 localhost.localdomain sudo[4190]: rpjday : TTY=pts/0
> >>> ; PWD=/home/rpjday/docker/TDB/sample ; USER=root ; COMMAND=/bin/docker
> >>> build -t jamtur01/nginx .
> >>>
> >>> thoughts? is it bugzilla time?
> >>>
> >>> rday
> >>>
> >> Yes open a bugzilla, although this is a very strange AVC. It basically
> >> shows abrt-hook-ccpp executing under networkmanager domain and sending
> >> sigchld to kernel_t.
> >>
> >> Why would networkmanager execed processes be sending a sigchld to a
> >> kernel process?
> > beats me, this is way outside my comfort zone. by the way, even
> > though selinux was in permissive mode, i thought i'd play it safe and
> > just disable it entirely, so i did, rebooted, "sestatus" clearly shows
> > selinux disabled, but i got the same error.
> >
> > i'll do it one more time shortly just to make sure it's not some
> > intermittent weirdness, then i'll BZ it. open to suggestions as to
> > anything else i might try, or add to the BZ submission.
> >
> > rday
> >
> With SELinux disabled you should not be getting any AVC's
>
> If you turn SELInux back on and do a full relabel, I think the
> problem will go away.
no difference ... i edited /etc/selinux/config, set
SELINUX=enforcing, rebooted and let my system chug away relabelling,
came back up, tested again ... same result.
rday
--
========================================================================
Robert P. J. Day Ottawa, Ontario, CANADA
http://crashcourse.ca
Twitter: http://twitter.com/rpjday
LinkedIn: http://ca.linkedin.com/in/rpjday
========================================================================
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
