How to run a GUI app in a podman container

I’m trying to run a GUI application inside a rootless podman container.

There are many instructions for how to do this, but most require running as root, using docker, neither of which is a viable option for me. I’m running x11 instead of wayland (not just sure why that is, but that’s for another day) and I’d like to make the combination as reasonably secure as possible.

Here’s what I have so far that seems to have come closest:

podman run -it --rm -v $XAUTHORITY:$XAUTHORITY:ro -v /tmp/.X11-unix:/tmp/.X11-unix:Z --userns keep-id -e "DISPLAY" x11test:latest xeyes

This does not result in an SELINUX exception and there is no error in the logs, but it fails with the message:

Error: lsetxattr /tmp/.X11-unix: operation not permitted

If I instead change the permissions on the /tmp/.X11-unix directory to read only, like this:

podman run -it --rm -v $XAUTHORITY:$XAUTHORITY:ro -v /tmp/.X11-unix:/tmp/.X11-unix:ro --userns keep-id -e "DISPLAY" x11test:latest xeyes

I do get a SELINUX exception and it advises me in the report that if I want to allow xeyesaccess to the X1 sock file, I should execute:

ausearch -c 'xeyes' --raw | audit2allow -M my-xeyes
semodule -X 300 -i my-xeyes.pp

However, that doesn’t work either. Trying the first line (as root) gives me this error:

compilation failed:
my-xeyes.te:16:ERROR 'syntax error' at token 'mlsconstrain' on line 16:
mlsconstrain sock_file { write setattr } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
#	mlsconstrain sock_file { ioctl read getattr } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
/usr/bin/checkmodule:  error(s) encountered while parsing configuration

Can someone advise how I can do this without blowing a big hole in my security?

Where is the x11test image from?

I created it. It’s a very basic addition to a stock Ubuntu image: Here’s the Dockerfile I created:

FROM ubuntu:latest
RUN apt update && apt -y install x11-apps

I put this in an otherwise empty directory and then created the image like so:
podman build -t x11test .

If you don’t absolutely need to use plain podman, I would advice to use distrobox (that in short it is a wrapper around podman)

(It is now in the Fedora repository, no need to use the COPR one anymore)

Can you run xeyes within x11test from Distrobox?

I’m not sure if this answers your question since it’s with Wayland and not x11, but it looks like there was a previous solution to running a graphical container with podman here: https://discussion.fedoraproject.org/t/how-can-i-create-a-container-with-podman-that-runs-graphical-application-in-isolation-from-the-file-system/73520/3

It seems the special sauce there was --env DISPLAY --security-opt label=type:container_runtime_t

With distrobox you can use Ubuntu, and run graphical applications inside it.

[user@fedora ~]$ distrobox create -n ubuntu -i docker.io/library/ubuntu:22.04
Image docker.io/library/ubuntu:22.04 not found.
Do you want to pull the image now? [y/N]: y

[user@fedora ~]$ distrobox-enter --name ubuntu

user@ubuntu:~$ sudo apt install x11-apps

user@ubuntu:~$ xeyes

de6e01cca00189fb3d9f5277b633c5229bfce06e.png862×446 11.5 KB

That’s it! Thank you! Here’s the final version of the command I used:

podman run -it --rm -v $XAUTHORITY:$XAUTHORITY:ro -v /tmp/.X11-unix:/tmp/.X11-unix:ro --userns keep-id -e "DISPLAY" --security-opt label=type:container_runtime_t x11test:latest xeyes

I haven’t tried trimming that to eliminate things that aren’t needed, but I’m happy with this.

Thanks for this, I will definitely look into distrobox.