It is currently impossible to use Firefox on RHEL 7 in the default configuration as the tabs just crash. The cause is some SELinux problem with the content processes and our session folder. Turning off dontaudit reveals these AVCs:

> type=AVC msg=audit(1497779543.245:5844645): avc: denied { write } for pid=14040 comm="plugin-containe" path="/var/opt/thinlinc/sessions/ossman/1/xinit.log" dev="dm-0" ino=53426598 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:thinlinc_user_t:s0 tclass=file
> type=AVC msg=audit(1497779543.319:5844646): avc: denied { search } for pid=14040 comm="plugin-containe" name="ossman" dev="dm-0" ino=53427253 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thinlinc_user_dir_t:s0 tclass=dir
> type=AVC msg=audit(1497779543.319:5844646): avc: denied { search } for pid=14040 comm="plugin-containe" name="1" dev="dm-0" ino=53427204 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thinlinc_user_t:s0 tclass=dir

Workarounds are:

- Permissive mode (setenforce 0)
- Disable e10s in Firefox (browser.tabs.remote.autostart.2 = false)

Could be the same underlying issue for bug 6976.
I'm comparing with Fedora (where things work), and I think the issue has to do with Firefox ESR 52 being the only version of Firefox that has both NPAPI and e10s enabled at the same time ("normal" Firefox 52 had NPAPI removed). On Fedora content processes are firefox processes run as unconfined_t. But on RHEL the content processes are plugin-container running in the restricted mozilla_plugin_t context. It might have just been dumb luck that things work on a local login as I cannot see any recent changes in the selinux-policy changelog with regards to this.
RHEL 6 also has Firefox ESR 52, and is also using plugin-container for content processes. However, they are running as unconfined_t there.
https://bugzilla.redhat.com/show_bug.cgi?id=1462707
Upstream noted that there is a SELinux boolean that explains part of this. I've added a platform specific note explaining how to change this boolean.
Works fine now. Tester should check that Firefox works fine with:

- 4.8.0 with the instructions from Platform Specific Notes
- trunk without any system modifications
Recreated original problem with Firefox ESR 52.3.0 (64-bit). Platform specific note solved the crashing tab.
The problem does not occur in server 4.8.0post_5541. The Platform Specific Note could have been easier to find, though. It is easy to miss that you should also look under "SELinux-based distributions" when you are running RHEL and there is a nice icon for that ;-)
Renewed testing on karl-188 with 4.8.0post_5541 after restarting the server shows that the fix actually does not work. Also, the spam of logs in bug 6976 is still present. Re-opening. Platform specific note still fixes the problem. (Probable reason for initial successful testing is a left-over Firefox running when doing the test with 4.8.0post_5541. Note to self: always restart everything between testing scenarios...)
I'm unable to reproduce any issues on my machine, or on karl-188. Need more info on when it still fails.
Could not reproduce this heisenbug...