by now, i'm getting *really* good at debugging. was doing a simple
docker build (docker-1.8.1) with first few lines of Dockerfile (which
worked fine not that long ago):
FROM ubuntu:14.04
MAINTAINER Robert P. J. Day
ENV REFRESHED_AT 2015-08-18
RUN apt-get -y -q update && apt-get -y -q install nginx
... snip ...
and it was *entirely* reproducible that the instant docker started to
process that "RUN apt-get" command, the wireless connection on my
Fedora 22 laptop was blown away. grabbed this from SELinux:
===== start =====
SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sigchld access on a
process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that abrt-hook-ccpp should be allowed sigchld access on processes labeled
kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:kernel_t:s0
Target Objects Unknown [ process ]
Source abrt-hook-ccpp
Source Path /usr/libexec/abrt-hook-ccpp
Port <Unknown>
Host localhost.localdomain
Source RPM Packages abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.10.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.1.5-200.fc22.x86_64
#1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-08-18 12:57:36 EDT
Last Seen 2015-08-18 12:57:36 EDT
Local ID 523c8bed-7428-49e7-b301-3a932852b135
Raw Audit Messages
type=AVC msg=audit(1439917056.327:640): avc: denied { sigchld } for pid=4555
comm="abrt-hook-ccpp" scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1439917056.327:640): arch=x86_64 syscall=wait4 success=yes
exit=1273 a0=4f9 a1=7fffdb95f19c a2=0 a3=0 items=0 ppid=131 pid=4555 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0
key=(null)
Hash: abrt-hook-ccpp,NetworkManager_t,kernel_t,process,sigchld
===== end =====
i grabbed a few hundred lines of "journalctl" output that show all
sorts of evil nonsense happening with networking, but it would appear
that i'm not the only one seeing this issue:
https://bugzilla.redhat.com/buglist.cgi?quicksearch=selinux%20preventing%...
so it's not clear whether there's a bugzilla here or not -- i get the
feeling top men are already on this. top men.
rday
--
========================================================================
Robert P. J. Day Ottawa, Ontario, CANADA
http://crashcourse.ca
Twitter:
http://twitter.com/rpjday
LinkedIn:
http://ca.linkedin.com/in/rpjday
========================================================================