Bug 1259373 - SELinux is preventing rqt from connectto access on the unix_stream_socket /tmp/.X11-unix/X0
SELinux is preventing rqt from connectto access on the unix_stream_socket /tm...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: setroubleshoot (Show other bugs)
22
x86_64 Linux
unspecified Severity urgent
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-02 09:25 EDT by Jack
Modified: 2015-09-02 11:19 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-02 11:19:55 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jack 2015-09-02 09:25:28 EDT
Description of problem:
When I run a docker image, which as a GUI application run on the fedora 22 x86_64, SELinux posts a problem:
SELinux is preventing rqt from connectto access on the unix_stream_socket /tmp/.X11-unix/X0

Then I followed the method that the SELinux troubleshooting given:
# grep rqt /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

But it didn't work!


How reproducible:
If we run the docker image again and cat the /var/log/audit/audit.log, then we can get the value of avc is "denied".

Steps to Reproduce:
1. SELinux troubleshooting:
# grep rqt /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

2. Run the application again
$ docker run -it  --env="DISPLAY"  --volume="/tmp/.X11-unix:/tmp/.X11-unix:rw"  osrf/ros:indigo-desktop-full  rqt

3. Check the log
# grep rqt /var/log/audit/audit.log

Actual results:
After we did the above steps, we got the value of avc is "denied".
Like this:
type=AVC msg=audit(1441189678.498:46246): avc:  denied  { connectto } for  pid=3965 comm="rqt" path="/tmp/.X11-unix/X0" scontext=system_u:system_r:svirt_lxc_net_t:s0:c487,c639 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1


Expected results:
The value of avc should not be denied, then the rqt can access on unix_stream_socket /tmp/.X11-unix/X0

Thanks advanced!
Comment 1 Daniel Walsh 2015-09-02 11:19:55 EDT
As it should we do not want containerized applications working on the desktop.

Most likely you are going to have other security problems with doing this.  I would advise you to just run the container is --privileged mode.

Or you could disable just selinux

docker run --security-opt label:disabled

Note You need to log in before you can comment on or make changes to this bug.