On 08/19/2015 08:41 AM, Robert P. J. Day wrote:
On Wed, 19 Aug 2015, Daniel J Walsh wrote:
On 08/19/2015 07:36 AM, Robert P. J. Day wrote:
On Wed, 19 Aug 2015, Daniel J Walsh wrote:
On 08/19/2015 02:43 AM, Robert P. J. Day wrote:
On Tue, 18 Aug 2015, Robert P. J. Day wrote:
by now, i'm getting *really* good at debugging. was doing a simple
docker build (docker-1.8.1) with first few lines of Dockerfile (which
worked fine not that long ago):
FROM ubuntu:14.04
MAINTAINER Robert P. J. Day
ENV REFRESHED_AT 2015-08-18
RUN apt-get -y -q update && apt-get -y -q install nginx
... snip ...
and it was *entirely* reproducible that the instant docker started to
process that "RUN apt-get" command, the wireless connection on my
Fedora 22 laptop was blown away. grabbed this from SELinux:
===== start =====
SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that abrt-hook-ccpp should be allowed sigchld access on processes labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:kernel_t:s0
Target Objects Unknown [ process ]
Source abrt-hook-ccpp
Source Path /usr/libexec/abrt-hook-ccpp
Port <Unknown>
Host localhost.localdomain
Source RPM Packages abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.10.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.1.5-200.fc22.x86_64
#1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-08-18 12:57:36 EDT
Last Seen 2015-08-18 12:57:36 EDT
Local ID 523c8bed-7428-49e7-b301-3a932852b135
Raw Audit Messages
type=AVC msg=audit(1439917056.327:640): avc: denied { sigchld } for pid=4555 comm="abrt-hook-ccpp" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 success=yes exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 pid=4555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)
Hash: abrt-hook-ccpp,NetworkManager_t,kernel_t,process,sigchld
===== end =====
followup to the above ... i ran the suggested selinux-related
commands, but that had no apparent effect, so i'm still stuck. for
people who know docker, you'll recognize that the error occurred at
the first instruction in the Dockerfile that requires network access,
the "RUN apt-get ..." command (i already have the ubuntu base image on
my system).
i grabbed a few hundred lines from "journalctl" and stuck them here:
http://pastebin.com/KzrYMFvC. you can see the very first command there
is the docker invocation:
Aug 19 05:24:35 localhost.localdomain sudo[4190]: rpjday : TTY=pts/0
; PWD=/home/rpjday/docker/TDB/sample ; USER=root ; COMMAND=/bin/docker
build -t jamtur01/nginx .
thoughts? is it bugzilla time?
rday
Yes open a bugzilla, although this is a very strange AVC. It basically
shows abrt-hook-ccpp executing under networkmanager domain and sending
sigchld to kernel_t.
Why would networkmanager execed processes be sending a sigchld to a
kernel process?
beats me, this is way outside my comfort zone. by the way, even
though selinux was in permissive mode, i thought i'd play it safe and
just disable it entirely, so i did, rebooted, "sestatus" clearly shows
selinux disabled, but i got the same error.
i'll do it one more time shortly just to make sure it's not some
intermittent weirdness, then i'll BZ it. open to suggestions as to
anything else i might try, or add to the BZ submission.
rday
With SELinux disabled you should not be getting any AVC's
If you turn SELInux back on and do a full relabel, I think the
problem will go away.
no difference ... i edited /etc/selinux/config, set
SELINUX=enforcing, rebooted and let my system chug away relabelling,
came back up, tested again ... same result.
While I have seen both AVCs and actual blocks from selinux in
permissive mode in the past (and specifically on network stuff), if
you've disabled selinux on the host machine I don't see how it could
generate an AVC at all.
Are you certain the AVC isn't coming from the dockerized OS itself? I
could see the AVC being generated on the docker and getting reflected
back to the host somehow (I suspect critical messages from the dockers
get piped through so you're aware of them, but that's a wild guess).
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2 ICQ: 226437340 Yahoo: origrps2 -
- -
- grep me no patterns and I'll tell you no lines -
----------------------------------------------------------------------
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
