Bug 1151522

Summary: AVC when attempting to run X application in container
Product: [Fedora] Fedora Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: docker-ioAssignee: Lokesh Mandvekar <lsm5>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: admiller, dwalsh, golang-updates, hushan.jia, jpazdziora, jperrin, lsm5, mattdm, mgoldman, s, thrcka, vbatts
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-11 15:39:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2014-10-10 15:24:13 UTC 
Description of problem:

I've tried to run Firefox in a container per

http://fabiorehm.com/blog/2014/09/11/running-gui-apps-with-docker/

I get AVC denial

type=AVC msg=audit(1412954368.37:2480): avc:  denied  { write } for  pid=31609 comm="firefox" name="X0" dev="tmpfs" ino=23480 scontext=system_u:system_r:svirt_lxc_net_t:s0:c455,c872 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1412954368.37:2480): arch=x86_64 syscall=connect success=no exit=EACCES a0=4 a1=7fff11aa5f30 a2=6e a3=7fff11aa5f32 items=0 ppid=31585 pid=31609 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4294967295 comm=firefox exe=/usr/lib/firefox/firefox subj=system_u:system_r:svirt_lxc_net_t:s0:c455,c872 key=(null)

The target socket is /tmp/.X11-unix/X0.

Version-Release number of selected component (if applicable):

docker-io-1.2.0-2.fc20.x86_64
selinux-policy-targeted-3.12.1-183.fc20.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Build image and run container with Firefox per URL above.

Actual results:

Firefox window will not show up, AVC denial filed.

Expected results:

No AVC denial.

Additional info:

I've tried to enable staff_use_svirt and unprivuser_use_svirt to no avail.

When the OS in the container is Fedora 20, the AVC denials are virtually the same:

type=AVC msg=audit(1412951077.986:2362): avc:  denied  { write } for  pid=16877 comm="firefox" name="X0" dev="tmpfs" ino=23480 scontext=system_u:system_r:svirt_lxc_net_t:s0:c260,c542 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1412951077.986:2362): arch=x86_64 syscall=connect success=no exit=EACCES a0=4 a1=7fffb0ceb820 a2=6e a3=7fffb0ceb822 items=0 ppid=12821 pid=16877 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm=firefox exe=/usr/lib64/firefox/firefox subj=system_u:system_r:svirt_lxc_net_t:s0:c260,c542 key=(null)
Comment 1 Daniel Walsh 2014-10-11 15:39:54 UTC 
You are bind mounting a random directory into a container, in order to get this to work, you have to label the directory with something that a container can write or extend the policy.

We don't want the container processes to be able to write to the X Server by default, so this is blocked.

You can disable SELinux currently using

--permissive flag at Runtime.

Soon you will be able to disable only SELinux using

--security-opt label:disable

Or you could add the rules using audit2allow.

This is not really an expected use case for docker, and I would argue that

sandbox -X -t sandbox_web_t firefox is a better way to run a contained firefox.
Comment 2 Jan Pazdziora (Red Hat) 2014-10-13 07:37:16 UTC 
(In reply to Daniel Walsh from comment #1)
> You are bind mounting a random directory into a container, in order to get
> this to work, you have to label the directory with something that a
> container can write or extend the policy.

Wouldn't it make sense to have a boolean in the policy?