Bug 1151522 - AVC when attempting to run X application in container
Summary: AVC when attempting to run X application in container
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: docker-io
Version: 20
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-10-10 15:24 UTC by Jan Pazdziora (Red Hat)
Modified: 2014-10-13 07:37 UTC (History)
CC List: 12 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-10-11 15:39:54 UTC
Type: Bug
Embargoed:



Description Jan Pazdziora (Red Hat) 2014-10-10 15:24:13 UTC
Description of problem:

I've tried to run Firefox in a container per

http://fabiorehm.com/blog/2014/09/11/running-gui-apps-with-docker/

I get an AVC denial:

type=AVC msg=audit(1412954368.37:2480): avc:  denied  { write } for  pid=31609 comm="firefox" name="X0" dev="tmpfs" ino=23480 scontext=system_u:system_r:svirt_lxc_net_t:s0:c455,c872 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1412954368.37:2480): arch=x86_64 syscall=connect success=no exit=EACCES a0=4 a1=7fff11aa5f30 a2=6e a3=7fff11aa5f32 items=0 ppid=31585 pid=31609 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4294967295 comm=firefox exe=/usr/lib/firefox/firefox subj=system_u:system_r:svirt_lxc_net_t:s0:c455,c872 key=(null)

The target socket is /tmp/.X11-unix/X0.

Version-Release number of selected component (if applicable):

docker-io-1.2.0-2.fc20.x86_64
selinux-policy-targeted-3.12.1-183.fc20.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Build image and run container with Firefox per URL above.

Actual results:

The Firefox window does not show up; an AVC denial is logged.

Expected results:

No AVC denial.

Additional info:

I've tried to enable staff_use_svirt and unprivuser_use_svirt to no avail.

When the OS in the container is Fedora 20, the AVC denials are virtually the same:

type=AVC msg=audit(1412951077.986:2362): avc:  denied  { write } for  pid=16877 comm="firefox" name="X0" dev="tmpfs" ino=23480 scontext=system_u:system_r:svirt_lxc_net_t:s0:c260,c542 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1412951077.986:2362): arch=x86_64 syscall=connect success=no exit=EACCES a0=4 a1=7fffb0ceb820 a2=6e a3=7fffb0ceb822 items=0 ppid=12821 pid=16877 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm=firefox exe=/usr/lib64/firefox/firefox subj=system_u:system_r:svirt_lxc_net_t:s0:c260,c542 key=(null)

Comment 1 Daniel Walsh 2014-10-11 15:39:54 UTC
You are bind-mounting a random directory into a container. In order to get this to work, you have to label the directory with something that a container can write to, or extend the policy.

We don't want the container processes to be able to write to the X Server by default, so this is blocked.

You can currently disable SELinux using the --permissive flag at runtime.

Soon you will be able to disable only SELinux using --security-opt label:disable

Or you could add the rules using audit2allow.

This is not really an expected use case for docker, and I would argue that sandbox -X -t sandbox_web_t firefox is a better way to run a contained firefox.

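The following is an added example, not part of the bug report or of docker-io or the SELinux policy. It takes the two AVC records quoted in the description and derives the type-enforcement rule that the audit2allow route mentioned in comment 1 would produce, so that the scope of that rule can be read before anyone loads it. The only input is the page's own audit lines, embedded here as constructed sample data; the parsing is done with POSIX sed/cut and assumes the standard auditd AVC field layout (scontext=, tcontext=, tclass=, { perms }).

```shell
#!/bin/sh
# Added example (not from the bug report): derive the allow rule that
# audit2allow would generate from the AVC records in this report, to review
# its scope before loading any policy module.

# The two denial records from the report, pasted verbatim. Constructed sample
# input for this script (the same lines appear in the description).
AVC_LOG='type=AVC msg=audit(1412954368.37:2480): avc:  denied  { write } for  pid=31609 comm="firefox" name="X0" dev="tmpfs" ino=23480 scontext=system_u:system_r:svirt_lxc_net_t:s0:c455,c872 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1412951077.986:2362): avc:  denied  { write } for  pid=16877 comm="firefox" name="X0" dev="tmpfs" ino=23480 scontext=system_u:system_r:svirt_lxc_net_t:s0:c260,c542 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file permissive=0'

# ctx_type CONTEXT -> the type field of a security context, e.g.
# system_u:system_r:svirt_lxc_net_t:s0:c455,c872 -> svirt_lxc_net_t
# (user, role and MCS level/categories are dropped; TE rules are on types).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule LINE -> "allow <source_type> <target_type>:<class> { perms };"
# Returns 1 when the line is not a complete AVC record.
avc_to_rule() {
    line=$1
    perms=$(printf '%s\n' "$line"  | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p')
    scon=$(printf '%s\n' "$line"   | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcon=$(printf '%s\n' "$line"   | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$scon" ] && [ -n "$tcon" ] && [ -n "$tclass" ] || return 1
    printf 'allow %s %s:%s { %s };\n' \
        "$(ctx_type "$scon")" "$(ctx_type "$tcon")" "$tclass" "$perms"
}

# avc_rules -> deduplicated rules for every type=AVC record in AVC_LOG.
# The two records differ only in their MCS categories, which the rule does
# not carry, so they collapse to a single line.
avc_rules() {
    printf '%s\n' "$AVC_LOG" | grep '^type=AVC' | while IFS= read -r l; do
        avc_to_rule "$l"
    done | sort -u
}

avc_rules
```

The single rule that comes out, `allow svirt_lxc_net_t xdm_tmp_t:sock_file { write };`, is the point of the exercise: the per-container MCS categories (c455,c872 in one run, c260,c542 in the other) do not survive into the rule, so a module built this way lets every svirt_lxc_net_t container write to the X server socket, which is exactly the access comment 1 says is blocked by default. Relabeling just the bind-mounted directory, the other option named in comment 1, limits the grant to that path instead of to the type.
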
Comment 2 Jan Pazdziora (Red Hat) 2014-10-13 07:37:16 UTC
(In reply to Daniel Walsh from comment #1)
> You are bind mounting a random directory into a container, in order to get
> this to work, you have to label the directory with something that a
> container can write or extend the policy.

Wouldn't it make sense to have a boolean in the policy?

