Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1418405 - SELinux is preventing systemd from 'create' accesses on the unix_stream_socket Unknown [NEEDINFO]
Summary: SELinux is preventing systemd from 'create' accesses on the unix_stream_socke...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: docker
Version: 24
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-01 18:31 UTC by Theophanis Kontogiannis
Modified: 2017-02-06 22:34 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1398861
Environment:
Last Closed: 2017-02-06 22:34:07 UTC
Type: Bug
theophanis_kontogiannis: needinfo? (extras-qa)

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1398861 0 unspecified CLOSED SELinux is preventing systemd from 'create' accesses on the unix_stream_socket Unknown. 2021-02-22 00:41:40 UTC

Description Theophanis Kontogiannis 2017-02-01 18:31:02 UTC 
Description of problem:

Docker container not allowed to forward X apps to host.

Version-Release number of selected component (if applicable):

F24
docker-1.10.3-55.gite03ddb8.fc24.x86_64

How reproducible:

100%

Steps to Reproduce:
1. docker run -it --rm --net host -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix:rw cyplo/fedora24_base bash
2. firefox 
3. Fails

Actual results:
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :0.0

Expected results:
Firefox window on host screen.

Additional info:

AVC MESSAGES----->   
type=AVC msg=audit(1485973652.123:5333): avc:  denied  { connectto } for  pid=24039 comm="firefox" path=002F746D702F2E5831312D756E69782F5830 scontext=system_u:system_r:svirt_lxc_net_t:s0:c234,c845 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0


'setenforce=0' makes it work
Comment 1 Daniel Walsh 2017-02-01 18:55:43 UTC 
Allowing a container to access the X Server is basically allowing it to own the machine.  So you might as well turn off SELinux enforcement for this container.

docker run --security-opt label:disable
Comment 2 Theophanis Kontogiannis 2017-02-02 08:49:40 UTC 
Thank you for the quick revert.

Allow me to bring high into everyone's attention that in bug 1398861 the issue was addressed with a patch.

So I do not the reason for providing different solutions for different Fedora versions.
Comment 3 Theophanis Kontogiannis 2017-02-06 10:36:57 UTC 
To take it further, it is my humble belief that the '--security-opt label:disable' suggested solution is more clean and gives more control then anything else.

However it still remains my concern why provide different solutions to different fedora versions.

Something to be considered by QA?

Thank you.
Comment 4 Daniel Walsh 2017-02-06 22:34:07 UTC 
That other bug is totally different, in the other bug the docker engine was running with the wrong context.  In this case you are running a container that you want interacting with your X-Session.
Note You need to log in before you can comment on or make changes to this bug.