Bug 1418405 - SELinux is preventing systemd from 'create' accesses on the unix_stream_socket Unknown
Summary: SELinux is preventing systemd from 'create' accesses on the unix_stream_socke...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: docker
Version: 24
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-02-01 18:31 UTC by Theophanis Kontogiannis
Modified: 2023-09-14 03:53 UTC (History)

Fixed In Version:
Clone Of: 1398861
Environment:
Last Closed: 2017-02-06 22:34:07 UTC
Type: Bug
Embargoed:




Links:
Red Hat Bugzilla 1398861 (CLOSED, priority unspecified): SELinux is preventing systemd from 'create' accesses on the unix_stream_socket Unknown. Last updated 2021-02-22 00:41:40 UTC

Description Theophanis Kontogiannis 2017-02-01 18:31:02 UTC
Description of problem:

Docker container not allowed to forward X apps to host.

Version-Release number of selected component (if applicable):

F24
docker-1.10.3-55.gite03ddb8.fc24.x86_64

How reproducible:

100%

Steps to Reproduce:
1. docker run -it --rm --net host -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix:rw cyplo/fedora24_base bash
2. firefox
3. Fails

Actual results:
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :0.0

Expected results:
Firefox window on host screen.

Additional info:

AVC MESSAGES----->
type=AVC msg=audit(1485973652.123:5333): avc:  denied  { connectto } for  pid=24039 comm="firefox" path=002F746D702F2E5831312D756E69782F5830 scontext=system_u:system_r:svirt_lxc_net_t:s0:c234,c845 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0


'setenforce=0' makes it work
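
The AVC record quoted above shows the `path=` field hex-encoded, because the socket name begins with a NUL byte (an abstract-namespace unix socket, which `ss` prints with a leading `@`). The following helper is an added example, not part of this bug report or of Fedora's tooling; it decodes such records into the source type, target type, class and permission that a policy triage needs. The sample line is the one from the report; the field layout assumed is the standard audit `key=value` format.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the AVC line quoted in this bug report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1485973652.123:5333): avc:  denied  { connectto } for  pid=24039 '
    'comm="firefox" path=002F746D702F2E5831312D756E69782F5830 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c234,c845 '
    'tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket permissive=0'
)

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DECISION_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')


@dataclass
class AvcRecord:
    decision: str          # "denied" or "granted"
    perms: list[str]       # permissions inside the braces, e.g. ["connectto"]
    fields: dict[str, str] # remaining key=value fields, quotes stripped
    path: str              # decoded path (abstract socket shown as @name)


def decode_audit_path(value: str) -> str:
    """auditd hex-encodes a field that holds a non-printable byte; decode it and
    render a leading NUL (abstract unix socket) as '@'."""
    if re.fullmatch(r'[0-9A-Fa-f]+', value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode('utf-8', errors='replace').replace('\x00', '@')
    return value.strip('"')


def context_type(ctx: str) -> str:
    """user:role:type:range -> type (the part policy rules are written against)."""
    return ctx.split(':')[2]


def parse_avc(line: str) -> AvcRecord:
    m = _DECISION_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return AvcRecord(m.group(1), m.group(2).split(), fields,
                     decode_audit_path(fields.get('path', '')))


def summarize(rec: AvcRecord) -> str:
    """One-line triage summary: who was denied what, on which object, and whether it was enforced."""
    mode = 'permissive' if rec.fields.get('permissive') == '1' else 'enforcing'
    return (f"{rec.decision} {' '.join(rec.perms)}: {rec.fields.get('comm')} "
            f"(pid {rec.fields.get('pid')}, {context_type(rec.fields['scontext'])}) -> "
            f"{rec.fields.get('tclass')} {rec.path} ({context_type(rec.fields['tcontext'])}), {mode}")
```

Run over the sample, `summarize` reports the container domain svirt_lxc_net_t being denied connectto on the X server's abstract socket @/tmp/.X11-unix/X0 while enforcing, which is exactly the boundary comment 1 describes `label:disable` as removing.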

Comment 1 Daniel Walsh 2017-02-01 18:55:43 UTC
Allowing a container to access the X Server is basically allowing it to own the machine.  So you might as well turn off SELinux enforcement for this container.

docker run --security-opt label:disable

Comment 2 Theophanis Kontogiannis 2017-02-02 08:49:40 UTC
Thank you for the quick revert.

Allow me to bring to everyone's attention that in bug 1398861 the issue was addressed with a patch.

So I do not see the reason for providing different solutions for different Fedora versions.

Comment 3 Theophanis Kontogiannis 2017-02-06 10:36:57 UTC
To take it further, it is my humble belief that the '--security-opt label:disable' suggested solution is cleaner and gives more control than anything else.

However, it still remains my concern why different solutions are provided for different Fedora versions.

Something to be considered by QA?

Thank you.

Comment 4 Daniel Walsh 2017-02-06 22:34:07 UTC
That other bug is totally different, in the other bug the docker engine was running with the wrong context.  In this case you are running a container that you want interacting with your X-Session.

Comment 5 Red Hat Bugzilla 2023-09-14 03:53:01 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
