Linux – SELinux and docker: allow access to X unix socket in /tmp/.X11-unix

Tags: docker, fedora, selinux, socket, volume

How to allow access to a particular X unix socket for a particular docker container with SELinux enabled?
I prefer a solution with a setup of docker run --security-opt.

On Fedora 25, I found the docker daemon running with --selinux-enabled per default.
Access to shared files from the host with --volume is denied. Access can be allowed by setting the flag z. Example: --volume $HOME:$HOME:rw,z. This works for regular files so far.

Compare atomic blog: Using Volumes with Docker can Cause Problems with SELinux

The z flag is not enough to allow connections to an X unix socket.

Solutions found so far:

  • Disabling SELinux restrictions for the particular container with the docker run option --security-opt label=disable. Pro: This is easy, works fine, and I don't need to change SELinux policies on the host. Contra: SELinux protections for this one container are disabled altogether. (So far, the best solution)
  • Setting the docker run option --ipc=host. Pro: simple, works, SELinux stays enabled, no policy changes needed. Contra: Disables IPC namespacing, thus opening another security issue and reducing container isolation.
  • Creating an SELinux policy with the suggested ausearch -c 'xfce4-about' --raw | audit2allow -M my-xfce4about. The created module is cited below. Pro: It works. Contra: All containers have access to all X unix sockets forever, and I have to change SELinux policies. (So far, the worst solution)

I am searching for a solution fulfilling these criteria:

  • Allow one particular container access to one particular X unix socket. (Multiple applications in the same container are possible.)
  • Do not change SELinux policy on host.

Acceptable minor solutions I can imagine:

  • changing file attributes of particular X unix socket to allow arbitrary container access.
  • allowing arbitrary X sockets, but only to one particular container.

I hope for a solution that can be done with docker run --security-opt.


Module suggested by SELinux:

module my-xfce4about 1.0;
require {
    type container_t;
    type xserver_t;
    class unix_stream_socket connectto;
}
#============= container_t ==============

#!!!! The file '/tmp/.X11-unix/X0' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /tmp/.X11-unix/X0
allow container_t xserver_t:unix_stream_socket connectto;

AVC example:
A container application (here: xfce4-about) tries to access an X unix socket /tmp/.X11-unix/X100. The socket file is shared with --volume=/tmp/.X11-unix/X100:/tmp/.X11-unix/X100:rw,z. I get this SELinux warning:

SELinux is preventing xfce4-about from connectto access on 
the unix_stream_socket /tmp/.X11-unix/X100.

*****  Plugin catchall (100. confidence) suggests   **************************
If sie denken, dass es xfce4-about standardmäßig erlaubt sein sollte,
connectto Zugriff auf X100 unix_stream_socket zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do allow this access for now by executing:
# ausearch -c 'xfce4-about' --raw | audit2allow -M my-xfce4about
# semodule -X 300 -i my-xfce4about.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c231,c522
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                /tmp/.X11-unix/X100 [ unix_stream_socket ]
Source                        xfce4-about
Source Path                   xfce4-about
Port                          <Unbekannt>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-225.19.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                          4.11.12-200.fc25.x86_64 #1 SMP Fri Jul 21 16:41:43
                          UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-08-17 20:08:13 CEST
Last Seen                     2017-08-17 20:08:13 CEST
Local ID                      b73182b3-ce4f-4507-a821-ad12ae2bc690

Raw Audit Messages
type=AVC msg=audit(1502993293.76:374): avc:  denied  { connectto } for pid=5435
comm="xfce4-about" path="/tmp/.X11-unix/X100"       
scontext=system_u:system_r:container_t:s0:c231,c522 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tclass=unix_stream_socket permissive=0

Hash: xfce4-about,container_t,unconfined_t,unix_stream_socket,connectto

Best Answer

I found a partial solution: the docker run option --security-opt label=type:container_runtime_t allows access to X unix sockets. It is not necessary to disable SELinux in the container at all.

From what I understand of the docker policy source, the label container_runtime_t allows a lot of privileges, much more than intended.

I still hope for a more restrictive solution.
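An added example, not part of the question or the answer above: a POSIX shell script that (1) recognises the kind of AVC record shown in the question, a container_t process denied connectto on a unix_stream_socket under /tmp/.X11-unix, (2) reports the SELinux label of the host socket, and (3) composes the docker run flags for the three approaches discussed on this page, listed from the least to the most confinement given up. The sample AVC line is the question's raw audit message joined onto one line; the function names (avc_field, avc_perm, ctx_type, is_x11_socket_denial, x_socket_label, docker_x11_flags) and the mode names are my own assumptions. The script only prints the composed command and never invokes docker.

```shell
#!/bin/sh
# Added example (not from the original question or answer): triage an
# SELinux AVC denial on an X unix socket and compose docker run flags.
set -eu

# Constructed sample: the question's raw audit message, joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1502993293.76:374): avc:  denied  { connectto } for pid=5435 comm="xfce4-about" path="/tmp/.X11-unix/X100" scontext=system_u:system_r:container_t:s0:c231,c522 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0'

# avc_field LINE KEY -> value of KEY=value (quotes stripped), empty if absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the denied permission inside "{ ... }", e.g. connectto.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT -> the type field (third colon-separated component).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_x11_socket_denial LINE -> 0 when LINE is the X-socket case from the page:
# a container_t source denied connectto on a unix_stream_socket in /tmp/.X11-unix.
is_x11_socket_denial() {
    line=$1
    [ "$(avc_field "$line" tclass)" = unix_stream_socket ] || return 1
    [ "$(avc_perm "$line")" = connectto ] || return 1
    [ "$(ctx_type "$(avc_field "$line" scontext)")" = container_t ] || return 1
    case "$(avc_field "$line" path)" in
        /tmp/.X11-unix/X*) return 0 ;;
        *) return 1 ;;
    esac
}

# x_socket_label SOCK -> SELinux context of the host socket, if it exists.
# stat -c %C is GNU coreutils (what ls -Z shows on Fedora). The z volume flag
# relabels the host path, which is why restorecon later reports it mislabeled.
x_socket_label() {
    [ -S "$1" ] && stat -c %C "$1"
}

# docker_x11_flags MODE SOCK -> docker run flags for the approaches on this
# page, from the least to the most confinement given up:
#   runtime-type  : --security-opt label=type:container_runtime_t (the answer)
#   label-disable : --security-opt label=disable (no SELinux confinement at all)
#   ipc-host      : --ipc=host (shares the host IPC namespace)
docker_x11_flags() {
    mode=$1; sock=$2
    vol="--volume=$sock:$sock:rw,z"
    case "$mode" in
        runtime-type)  printf '%s %s\n' "$vol" "--security-opt label=type:container_runtime_t" ;;
        label-disable) printf '%s %s\n' "$vol" "--security-opt label=disable" ;;
        ipc-host)      printf '%s %s\n' "$vol" "--ipc=host" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Demonstration on the constructed sample; IMAGE is a placeholder.
if is_x11_socket_denial "$SAMPLE_AVC"; then
    echo "X socket connectto denial: $(avc_field "$SAMPLE_AVC" comm) ($(avc_field "$SAMPLE_AVC" scontext)) -> $(avc_field "$SAMPLE_AVC" path)"
fi
x_socket_label /tmp/.X11-unix/X100 || echo "no socket /tmp/.X11-unix/X100 on this host"
echo "docker run $(docker_x11_flags runtime-type /tmp/.X11-unix/X100) IMAGE"
```

Pipe real records in with ausearch -m AVC --raw and call is_x11_socket_denial per line to separate this denial from unrelated ones before deciding on a flag. Of the three modes, runtime-type keeps a type label on the container, but as the answer notes container_runtime_t is a broad type, so treat it as a reduction of privilege relative to label=disable rather than a tight policy.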
