https://bugzilla.redhat.com/show_bug.cgi?id=1151522
Bug ID: 1151522
Summary: AVC when attempting to run X application in container
Product: Fedora
Version: 20
Component: docker-io
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
Description of problem:
I've tried to run Firefox in a container per
http://fabiorehm.com/blog/2014/09/11/running-gui-apps-with-docker/
I get an AVC denial:
type=AVC msg=audit(1412954368.37:2480): avc: denied { write } for pid=31609
comm="firefox" name="X0" dev="tmpfs" ino=23480
scontext=system_u:system_r:svirt_lxc_net_t:s0:c455,c872
tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1412954368.37:2480): arch=x86_64 syscall=connect
success=no exit=EACCES a0=4 a1=7fff11aa5f30 a2=6e a3=7fff11aa5f32 items=0
ppid=31585 pid=31609 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000
fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4294967295 comm=firefox
exe=/usr/lib/firefox/firefox
subj=system_u:system_r:svirt_lxc_net_t:s0:c455,c872 key=(null)
The target socket is /tmp/.X11-unix/X0.
Version-Release number of selected component (if applicable):
docker-io-1.2.0-2.fc20.x86_64
selinux-policy-targeted-3.12.1-183.fc20.noarch
How reproducible:
Deterministic.
Steps to Reproduce:
1. Build image and run container with Firefox per URL above.
Actual results:
Firefox window will not show up, AVC denial filed.
Expected results:
No AVC denial.
Additional info:
I've tried to enable staff_use_svirt and unprivuser_use_svirt to no avail.
When the OS in the container is Fedora 20, the AVC denials are virtually the
same:
type=AVC msg=audit(1412951077.986:2362): avc: denied { write } for pid=16877
comm="firefox" name="X0" dev="tmpfs" ino=23480
scontext=system_u:system_r:svirt_lxc_net_t:s0:c260,c542
tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1412951077.986:2362): arch=x86_64 syscall=connect
success=no exit=EACCES a0=4 a1=7fffb0ceb820 a2=6e a3=7fffb0ceb822 items=0
ppid=12821 pid=16877 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000
fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm=firefox
exe=/usr/lib64/firefox/firefox
subj=system_u:system_r:svirt_lxc_net_t:s0:c260,c542 key=(null)
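Added example, not part of the original bug report: a small Python parser that pairs the AVC and SYSCALL records by audit serial number and reduces a denial to source type, MCS level, target type, object class and permission. The function names are illustrative; the sample is the first denial quoted in the report, unwrapped, with the SYSCALL record abridged.

```python
import re
from collections import defaultdict

# First denial from the report, one record per line (SYSCALL record abridged).
SAMPLE = (
    'type=AVC msg=audit(1412954368.37:2480): avc: denied { write } for pid=31609 '
    'comm="firefox" name="X0" dev="tmpfs" ino=23480 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c455,c872 '
    'tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file permissive=0\n'
    'type=SYSCALL msg=audit(1412954368.37:2480): arch=x86_64 syscall=connect '
    'success=no exit=EACCES pid=31609 uid=1000 comm=firefox '
    'exe=/usr/lib/firefox/firefox\n'
)

HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records that share a serial number: {serial: {type: fields}}."""
    events = defaultdict(dict)
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if not m:
            continue
        rtype, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == 'AVC':
            p = PERMS.search(line)
            fields['perms'] = p.group(1).split() if p else []
        events[serial][rtype] = fields
    return events

def summarize(events):
    """One dict per denial: which domain was denied what, on which object type."""
    out = []
    for recs in events.values():
        avc = recs.get('AVC')
        if avc is None:
            continue
        src = avc['scontext'].split(':', 3)  # user:role:type:level
        tgt = avc['tcontext'].split(':', 3)
        call = recs.get('SYSCALL', {})
        out.append({
            'source_type': src[2], 'source_level': src[3],
            'target_type': tgt[2], 'tclass': avc['tclass'],
            'perms': avc['perms'], 'syscall': call.get('syscall'),
            'exe': call.get('exe'), 'enforced': avc.get('permissive') == '0'})
    return out
```

Run over both denials in the report, the summaries differ only in the MCS categories and the Firefox path, which matches the reporter's observation that they are virtually the same.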