Bug 6993 - firefox tabs crash on RHEL 7
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Server OS
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.9.0
Assignee: Pierre Ossman
Keywords: relnotes, thomas_tester
 
Reported: 2017-06-18 12:00 CEST by Pierre Ossman
Modified: 2017-10-09 16:12 CEST


Description Pierre Ossman cendio 2017-06-18 12:00:52 CEST
It is currently impossible to use Firefox on RHEL 7 in the default configuration as the tabs just crash. The cause is some SELinux problem with the content processes and our session folder. Turning off dontaudit reveals these AVCs:

> type=AVC msg=audit(1497779543.245:5844645): avc:  denied  { write } for  pid=14040 comm="plugin-containe" path="/var/opt/thinlinc/sessions/ossman/1/xinit.log" dev="dm-0" ino=53426598 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:thinlinc_user_t:s0 tclass=file
> type=AVC msg=audit(1497779543.319:5844646): avc:  denied  { search } for  pid=14040 comm="plugin-containe" name="ossman" dev="dm-0" ino=53427253 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thinlinc_user_dir_t:s0 tclass=dir
> type=AVC msg=audit(1497779543.319:5844646): avc:  denied  { search } for  pid=14040 comm="plugin-containe" name="1" dev="dm-0" ino=53427204 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thinlinc_user_t:s0 tclass=dir

Workarounds are:

 - Permissive mode (setenforce 0)
 - Disable e10s in Firefox (browser.tabs.remote.autostart.2 = false)

Could be the same underlying issue for bug 6976.
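
To triage denials like the ones quoted in the description, the following added example (not part of the original bug report or of ThinLinc) parses AVC records and groups them by source type, target type and object class. The sample input is the three records from the description; the function names are this example's own.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the bug description.
SAMPLE = """\
> type=AVC msg=audit(1497779543.245:5844645): avc:  denied  { write } for  pid=14040 comm="plugin-containe" path="/var/opt/thinlinc/sessions/ossman/1/xinit.log" dev="dm-0" ino=53426598 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:thinlinc_user_t:s0 tclass=file
> type=AVC msg=audit(1497779543.319:5844646): avc:  denied  { search } for  pid=14040 comm="plugin-containe" name="ossman" dev="dm-0" ino=53427253 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thinlinc_user_dir_t:s0 tclass=dir
> type=AVC msg=audit(1497779543.319:5844646): avc:  denied  { search } for  pid=14040 comm="plugin-containe" name="1" dev="dm-0" ino=53427204 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thinlinc_user_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    # A context is user:role:type:level; the level may itself contain ':'.
    src, tgt = rec["scontext"].split(":"), rec["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None
    rec.update(perms=m.group("perms").split(), stype=src[2], ttype=tgt[2])
    return rec


def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in text.splitlines():
        rec = parse_avc(line.lstrip("> "))  # tolerate quoted ("> ") log lines
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["objects"].add(rec.get("path") or rec.get("name", "?"))
    return {k: {f: sorted(v[f]) for f in v} for k, v in groups.items()}


if __name__ == "__main__":
    for (s, t, c), v in summarize(SAMPLE).items():
        print(f"{s} -> {t}:{c} denied {v['perms']} on {v['objects']}")
```

Every group in the output has mozilla_plugin_t as the source type, which matches the later observation in this thread that the content processes run in that restricted context on RHEL 7.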

Comment 1 Pierre Ossman cendio 2017-06-19 13:13:55 CEST
I'm comparing with Fedora (where things work), and I think the issue has to do with Firefox ESR 52 being the only version of Firefox that has both NPAPI and e10s enabled at the same time ("normal" Firefox 52 had NPAPI removed).

On Fedora, content processes are firefox processes run as unconfined_t. But on RHEL the content processes are plugin-container running in the restricted mozilla_plugin_t context.

It might have just been dumb luck that things work on a local login as I cannot see any recent changes in the selinux-policy changelog with regard to this.

Comment 2 Pierre Ossman cendio 2017-06-19 13:16:42 CEST
RHEL 6 also has Firefox ESR 52, and is also using plugin-container for content processes. However, they are running as unconfined_t there.

Comment 3 Pierre Ossman cendio 2017-06-19 13:25:06 CEST
https://bugzilla.redhat.com/show_bug.cgi?id=1462707

Comment 4 Pierre Ossman cendio 2017-07-05 10:52:24 CEST
Upstream noted that there is a SELinux boolean that explains part of this. I've added a platform specific note explaining how to change this boolean.

Comment 7 Pierre Ossman cendio 2017-07-05 12:52:59 CEST
Works fine now.

Tester should check that Firefox works fine with:

 - 4.8.0 with the instructions from Platform Specific Notes
 - trunk without any system modifications

Comment 9 Thomas Nilefalk cendio 2017-08-22 14:56:27 CEST
Recreated original problem with Firefox ESR 52.3.0 (64-bit). Platform specific note solved crashing tab.

Comment 10 Thomas Nilefalk cendio 2017-08-22 15:34:03 CEST
The problem does not occur in server 4.8.0post_5541.

The Platform Specific Note could have been easier to find, though. It is easy to miss that you should also look under "SELinux-based distributions" when you are running RHEL and there is a nice icon for that ;-)

Comment 11 Thomas Nilefalk cendio 2017-08-30 16:43:54 CEST
Renewed testing on karl-188 with 4.8.0post_5541 after restarting the server shows that the fix actually does not work.

Also the spam of logs in bug 6976 is still present. Re-opening.

Platform specific note still fixes the problem.

(Probable reason for initial successful testing is a left-over Firefox running when doing the test with 4.8.0post_5541. Note to self: always restart everything between testing scenarios...)

Comment 12 Pierre Ossman cendio 2017-09-01 13:22:25 CEST
I'm unable to reproduce any issues on my machine, or on karl-188. Need more info on when it still fails.

Comment 13 Thomas Nilefalk cendio 2017-09-05 10:01:23 CEST
Could not reproduce this heisenbug...
