https://bugzilla.redhat.com/show_bug.cgi?id=1151522
Bug ID: 1151522
Summary: AVC when attempting to run X application in container
Product: Fedora
Version: 20
Component: docker-io
Assignee: lsm5@fedoraproject.org
Reporter: jpazdziora@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: admiller@redhat.com, golang@lists.fedoraproject.org, hushan.jia@gmail.com, jperrin@centos.org, lsm5@fedoraproject.org, mattdm@redhat.com, mgoldman@redhat.com, s@shk.io, thrcka@redhat.com, vbatts@redhat.com
Description of problem:
I've tried to run Firefox in a container per
http://fabiorehm.com/blog/2014/09/11/running-gui-apps-with-docker/
I get an AVC denial:
type=AVC msg=audit(1412954368.37:2480): avc: denied { write } for pid=31609 comm="firefox" name="X0" dev="tmpfs" ino=23480 scontext=system_u:system_r:svirt_lxc_net_t:s0:c455,c872 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1412954368.37:2480): arch=x86_64 syscall=connect success=no exit=EACCES a0=4 a1=7fff11aa5f30 a2=6e a3=7fff11aa5f32 items=0 ppid=31585 pid=31609 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4294967295 comm=firefox exe=/usr/lib/firefox/firefox subj=system_u:system_r:svirt_lxc_net_t:s0:c455,c872 key=(null)
The target socket is /tmp/.X11-unix/X0.
Version-Release number of selected component (if applicable):
docker-io-1.2.0-2.fc20.x86_64
selinux-policy-targeted-3.12.1-183.fc20.noarch
How reproducible:
Deterministic.
Steps to Reproduce:
1. Build image and run container with Firefox per URL above.
Actual results:
Firefox window will not show up, AVC denial filed.
Expected results:
No AVC denial.
Additional info:
I've tried to enable staff_use_svirt and unprivuser_use_svirt to no avail.
When the OS in the container is Fedora 20, the AVC denials are virtually the same:
type=AVC msg=audit(1412951077.986:2362): avc: denied { write } for pid=16877 comm="firefox" name="X0" dev="tmpfs" ino=23480 scontext=system_u:system_r:svirt_lxc_net_t:s0:c260,c542 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1412951077.986:2362): arch=x86_64 syscall=connect success=no exit=EACCES a0=4 a1=7fffb0ceb820 a2=6e a3=7fffb0ceb822 items=0 ppid=12821 pid=16877 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm=firefox exe=/usr/lib64/firefox/firefox subj=system_u:system_r:svirt_lxc_net_t:s0:c260,c542 key=(null)
Daniel Walsh dwalsh@redhat.com changed:
What        | Removed | Added
------------+---------+--------------------
Status      | NEW     | CLOSED
Resolution  | ---     | NOTABUG
Last Closed |         | 2014-10-11 11:39:54
--- Comment #1 from Daniel Walsh dwalsh@redhat.com ---
You are bind mounting a random directory into a container; in order to get this to work, you have to label the directory with something that a container can write, or extend the policy.
We don't want the container processes to be able to write to the X Server by default, so this is blocked.
You can disable SELinux currently using the --permissive flag at runtime.
Soon you will be able to disable only SELinux using --security-opt label:disable
Or you could add the rules using audit2allow.
This is not really an expected use case for docker, and I would argue that
  sandbox -X -t sandbox_web_t firefox
is a better way to run a contained firefox.
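The denials quoted in the report and Comment #1's explanation of them (a process in the container's svirt_lxc_net_t domain trying to write to a host socket labelled xdm_tmp_t) are easier to see once the audit records are parsed into fields. The following Python is an added example, not code from the bug report or from the docker-io package: it parses AVC records in the format shown above, splits the SELinux contexts into their type and MCS level, and picks out the denials whose source domain is a container domain. The two AVC lines are copied from the report as constructed sample input; the set of container domains is an assumption limited to the one domain that appears on the page.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample input: the two AVC records from the report plus one
# SYSCALL record, one audit record per line as in /var/log/audit/audit.log.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1412954368.37:2480): avc: denied { write } for pid=31609 '
    'comm="firefox" name="X0" dev="tmpfs" ino=23480 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c455,c872 '
    'tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file permissive=0',
    'type=SYSCALL msg=audit(1412954368.37:2480): arch=x86_64 syscall=connect '
    'success=no exit=EACCES pid=31609 comm=firefox key=(null)',
    'type=AVC msg=audit(1412951077.986:2362): avc: denied { write } for pid=16877 '
    'comm="firefox" name="X0" dev="tmpfs" ino=23480 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c260,c542 '
    'tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file permissive=0',
]

# Assumption: the only container domain we recognise is the one in the report.
CONTAINER_DOMAINS = frozenset({"svirt_lxc_net_t"})

# Header of an AVC record: timestamp, serial, verdict and the permission set.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: (?P<verdict>denied|granted) \{ (?P<perms>[^}]+) \} for (?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm="firefox") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx: str) -> Dict[str, Optional[str]]:
    """Split user:role:type:level; the level keeps its MCS categories."""
    parts = ctx.split(":", 3)
    keys = ("user", "role", "type", "level")
    return {k: (parts[i] if i < len(parts) else None) for i, k in enumerate(keys)}


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return a dict of fields for an AVC record, or None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    for side in ("scontext", "tcontext"):
        if side in rec:
            ctx = split_context(str(rec[side]))
            rec[side + "_type"] = ctx["type"]
            rec[side + "_level"] = ctx["level"]
    return rec


def container_denials(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Keep only denials whose source domain is a container domain."""
    found = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied" and rec.get("scontext_type") in CONTAINER_DOMAINS:
            found.append(rec)
    return found


def describe(rec: Dict[str, object]) -> str:
    """One-line summary a triager would want: who, what permission, on what."""
    return (f"container domain {rec['scontext_type']} ({rec['scontext_level']}) "
            f"denied {','.join(sorted(rec['perms']))} on {rec['tclass']} "
            f"{rec.get('name', '?')} labelled {rec['tcontext_type']}")


if __name__ == "__main__":
    for rec in container_denials(SAMPLE_AUDIT_LINES):
        print(describe(rec))
```

Running it on the sample lines shows the two denials are identical except for the MCS categories in the source level (c455,c872 versus c260,c542): each container run gets its own category pair, while the target type stays xdm_tmp_t, which is why relabelling the mounted directory or extending the policy, as Comment #1 says, is what changes the outcome rather than anything inside the container.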
Jan Pazdziora jpazdziora@redhat.com changed:
What | Removed | Added
-----+---------+------------------------
CC   |         | jpazdziora@redhat.com
--- Comment #2 from Jan Pazdziora jpazdziora@redhat.com ---
(In reply to Daniel Walsh from comment #1)
> You are bind mounting a random directory into a container, in order to get this to work, you have to label the directory with something that a container can write or extend the policy.
Wouldn't it make sense to have a boolean in the policy?