Description of problem:
When I run a docker image, which runs a GUI application, on Fedora 22 x86_64, SELinux reports a problem:

    SELinux is preventing rqt from connectto access on the unix_stream_socket /tmp/.X11-unix/X0

Then I followed the method that the SELinux troubleshooter gave:

    # grep rqt /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

But it didn't work!

How reproducible:
If we run the docker image again and cat /var/log/audit/audit.log, the avc value we get is "denied".

Steps to Reproduce:
1. SELinux troubleshooting:
    # grep rqt /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
2. Run the application again:
    $ docker run -it --env="DISPLAY" --volume="/tmp/.X11-unix:/tmp/.X11-unix:rw" osrf/ros:indigo-desktop-full rqt
3. Check the log:
    # grep rqt /var/log/audit/audit.log

Actual results:
After we did the above steps, the avc value we got is "denied". Like this:

    type=AVC msg=audit(1441189678.498:46246): avc: denied { connectto } for pid=3965 comm="rqt" path="/tmp/.X11-unix/X0" scontext=system_u:system_r:svirt_lxc_net_t:s0:c487,c639 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1

Expected results:
The avc value should not be "denied", so that rqt can access the unix_stream_socket /tmp/.X11-unix/X0.

Thanks in advance!
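The AVC record quoted in the report carries everything needed to triage it: the source domain (the container's svirt_lxc_net_t type), the target object (the X server's unix_stream_socket, labeled xserver_t), the requested permission (connectto) and the permissive flag (permissive=1 means the decision was logged but not enforced for that domain). The following Python parser is an added example, not code from the report or from the SELinux or Docker projects; it pulls those fields out of audit.log lines and flags records where a container domain reached a desktop object. The sample lines are constructed: the first is a copy of the record in the report, the second is a made-up record for a non-container domain so the filter has something to reject.

```python
import re

# Constructed sample: a copy of the AVC record quoted in the bug report.
REPORTED_AVC = (
    'type=AVC msg=audit(1441189678.498:46246): avc: denied { connectto } for pid=3965 '
    'comm="rqt" path="/tmp/.X11-unix/X0" '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c487,c639 '
    'tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket permissive=1'
)

# Constructed sample (hypothetical, not from the report): a denial from an
# ordinary host daemon domain, used to show the container filter rejecting it.
OTHER_AVC = (
    'type=AVC msg=audit(1441189700.000:46300): avc: denied { read } for pid=4100 '
    'comm="example" name="secret" '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:level] SELinux context."""
    parts = ctx.split(':', 3)
    return parts[2] if len(parts) > 2 else None


def parse_avc(line):
    """Parse one audit.log AVC line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
    }
    for key in ('pid', 'comm', 'path', 'name', 'scontext', 'tcontext', 'tclass'):
        rec[key] = fields.get(key)
    # permissive=1: the denial was logged only; permissive=0: it was enforced.
    # Older kernels omit the field, in which case we report "unknown" as None.
    perm = fields.get('permissive')
    rec['enforced'] = None if perm is None else perm == '0'
    rec['scontext_type'] = context_type(rec['scontext']) if rec['scontext'] else None
    rec['tcontext_type'] = context_type(rec['tcontext']) if rec['tcontext'] else None
    return rec


def describe(rec):
    """One-line human summary of a parsed AVC record."""
    mode = {True: 'enforced', False: 'logged only (permissive)', None: 'enforcement unknown'}
    target = rec['path'] or rec['name'] or '?'
    return ('{comm} (pid {pid}, domain {sdom}) was {result} {perms} on {tclass} {target} '
            'labeled {tdom}; {mode}').format(
        comm=rec['comm'], pid=rec['pid'], sdom=rec['scontext_type'],
        result=rec['result'], perms=','.join(rec['perms']), tclass=rec['tclass'],
        target=target, tdom=rec['tcontext_type'], mode=mode[rec['enforced']])


def container_desktop_denials(lines, desktop_types=('xserver_t',)):
    """Return parsed denials where a container domain (svirt_*) touched a desktop object."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        if (rec['scontext_type'] or '').startswith('svirt_') and rec['tcontext_type'] in desktop_types:
            hits.append(rec)
    return hits


if __name__ == '__main__':
    for rec in container_desktop_denials([REPORTED_AVC, OTHER_AVC]):
        print(describe(rec))
```

Run over a real audit.log (for example `container_desktop_denials(open('/var/log/audit/audit.log'))`) the filter lists exactly the records the reply below is about: a container domain reaching the host's X server socket. Those are the records to decide policy on deliberately rather than to feed wholesale into audit2allow.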
As it should. We do not want containerized applications working on the desktop. Most likely you are going to have other security problems with doing this. I would advise you to just run the container in --privileged mode. Or you could disable just SELinux: docker run --security-opt label:disabled