Description of problem:
Docker container not allowed to forward X apps to host.

Version-Release number of selected component (if applicable):
F24
docker-1.10.3-55.gite03ddb8.fc24.x86_64

How reproducible:
100%

Steps to Reproduce:
1. docker run -it --rm --net host -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix:rw cyplo/fedora24_base bash
2. firefox
3. Fails

Actual results:
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :0.0

Expected results:
Firefox window on host screen.

Additional info:
AVC MESSAGES----->
type=AVC msg=audit(1485973652.123:5333): avc: denied { connectto } for pid=24039 comm="firefox" path=002F746D702F2E5831312D756E69782F5830 scontext=system_u:system_r:svirt_lxc_net_t:s0:c234,c845 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

'setenforce=0' makes it work
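The AVC record in the report can be read field by field. The following is an added example, not part of the original bug comments: it decodes the hex-encoded path (audit hex-encodes strings containing unprintable bytes) and splits the source and target SELinux contexts. The function names and the ENCODED_FIELDS set are hypothetical choices for this illustration.

```python
import re

# AVC record copied from the bug report above.
AVC = ('type=AVC msg=audit(1485973652.123:5333): avc: denied { connectto } '
       'for pid=24039 comm="firefox" path=002F746D702F2E5831312D756E69782F5830 '
       'scontext=system_u:system_r:svirt_lxc_net_t:s0:c234,c845 '
       'tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 '
       'tclass=unix_stream_socket permissive=0')

# String fields that audit may emit hex-encoded (assumed set for this example).
ENCODED_FIELDS = {"path", "comm", "name", "exe"}

def decode_audit_value(raw):
    """Quoted values are literal; bare hex pairs are an encoded byte string."""
    if raw.startswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        data = bytes.fromhex(raw)
        # A leading NUL byte marks an abstract-namespace unix socket,
        # conventionally displayed with a leading '@'.
        if data[:1] == b'\x00':
            return '@' + data[1:].decode('utf-8', 'replace')
        return data.decode('utf-8', 'replace')
    return raw

def parse_avc(line):
    """Return the AVC record as a dict with decoded path and split contexts."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC record')
    fields = dict(kv.split('=', 1) for kv in m.group(3).split() if '=' in kv)
    for key in ENCODED_FIELDS.intersection(fields):
        fields[key] = decode_audit_value(fields[key])
    for key in ('scontext', 'tcontext'):
        # The MLS/MCS level itself contains ':', so split at most three times.
        user, role, type_, level = fields[key].split(':', 3)
        fields[key] = {'user': user, 'role': role, 'type': type_, 'level': level}
    fields['result'] = m.group(1)
    fields['perms'] = m.group(2).split()
    return fields

if __name__ == '__main__':
    rec = parse_avc(AVC)
    print('%s %s: %s (%s) -> %s on %s %s' % (
        rec['result'], rec['perms'], rec['comm'], rec['scontext']['type'],
        rec['tcontext']['type'], rec['tclass'], rec['path']))
```

The decoded path begins with a NUL byte, so the denied connection is to the abstract-namespace socket for /tmp/.X11-unix/X0, with the container process (svirt_lxc_net_t) as source and the X server (xserver_t) as target.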
Allowing a container to access the X Server is basically allowing it to own the machine. So you might as well turn off SELinux enforcement for this container.

docker run --security-opt label:disable
Thank you for the quick revert. Allow me to bring to everyone's attention that in bug 1398861 the issue was addressed with a patch. So I do not see the reason for providing different solutions for different Fedora versions.
To take it further, it is my humble belief that the suggested '--security-opt label:disable' solution is cleaner and gives more control than anything else. However, it still remains my concern why different solutions are provided for different Fedora versions. Something to be considered by QA? Thank you.
That other bug is totally different; in the other bug the docker engine was running with the wrong context. In this case you are running a container that you want interacting with your X-Session.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days