www.cendio.com

Bug 6993

Summary: firefox tabs crash on RHEL 7
Product: ThinLinc
Reporter: Pierre Ossman <ossman@cendio.se>
Component: Server OS
Assignee: Pierre Ossman <ossman@cendio.se>
Status: CLOSED FIXED
QA Contact: Bugzilla mail exporter <bugzilla-qa@cendio.se>
Severity: Normal
Priority: P2
CC: hean01@cendio.se, samuel@cendio.se, thoni56@cendio.se
Version: trunk
Keywords: relnotes, thomas_tester
Target Milestone: 4.9.0
Hardware: PC
OS: Unknown
Acceptance Criteria:

Description From cendio 2017-06-18 12:00:52
It is currently impossible to use Firefox on RHEL 7 in the default
configuration as the tabs just crash. The cause is some SELinux problem with
the content processes and our session folder. Turning off dontaudit reveals
these AVCs:

> type=AVC msg=audit(1497779543.245:5844645): avc:  denied  { write } for  pid=14040 comm="plugin-containe" path="/var/opt/thinlinc/sessions/ossman/1/xinit.log" dev="dm-0" ino=53426598 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:thinlinc_user_t:s0 tclass=file
> type=AVC msg=audit(1497779543.319:5844646): avc:  denied  { search } for  pid=14040 comm="plugin-containe" name="ossman" dev="dm-0" ino=53427253 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thinlinc_user_dir_t:s0 tclass=dir
> type=AVC msg=audit(1497779543.319:5844646): avc:  denied  { search } for  pid=14040 comm="plugin-containe" name="1" dev="dm-0" ino=53427204 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thinlinc_user_t:s0 tclass=dir

Workarounds are:

 - Permissive mode (setenforce 0)
 - Disable e10s in Firefox (browser.tabs.remote.autostart.2 = false)

Could be the same underlying issue for bug 6976.
------- Comment #1 From cendio 2017-06-19 13:13:55 -------
I'm comparing with Fedora (where things work), and I think the issue has to do
with Firefox ESR 52 being the only version of Firefox that has both NPAPI and
e10s enabled at the same time ("normal" Firefox 52 had NPAPI removed).

On Fedora content processes are firefox processes run as unconfined_t. But on
RHEL the content processes are plugin-container running in the restricted
mozilla_plugin_t context.

It might have just been dumb luck that things work on a local login as I cannot
see any recent changes in the selinux-policy changelog with regards to this.
------- Comment #2 From cendio 2017-06-19 13:16:42 -------
RHEL 6 also has Firefox ESR 52, and is also using plugin-container for content
processes. However they are running as unconfined_t there.
------- Comment #3 From cendio 2017-06-19 13:25:06 -------
https://bugzilla.redhat.com/show_bug.cgi?id=1462707
------- Comment #4 From cendio 2017-07-05 10:52:24 -------
Upstream noted that there is a SELinux boolean that explains part of this. I've
added a platform specific note explaining how to change this boolean.
------- Comment #7 From cendio 2017-07-05 12:52:59 -------
Works fine now.

Tester should check that Firefox works fine with:

 - 4.8.0 with the instructions from Platform Specific Notes
 - trunk without any system modifications
------- Comment #9 From cendio 2017-08-22 14:56:27 -------
Recreated original problem with Firefox ESR 52.3.0 (64-bit). Platform specific
note solved crashing tab.
------- Comment #10 From cendio 2017-08-22 15:34:03 -------
The problem does not occur in server 4.8.0post_5541.

The Platform Specific Note could have been easier to find, though. It is easy
to miss that you should also look under "SELinux-based distributions" when you
are running RHEL and there is a nice icon for that ;-)
------- Comment #11 From cendio 2017-08-30 16:43:54 -------
Renewed testing on karl-188 with 4.8.0post_5541 after restarting the server
shows that the fix actually does not work.

Also the spam of logs in bug 6976 is still present. Re-opening.

Platform specific note still fixes the problem.

(Probable reason for initial successful testing is a left-over Firefox running
when doing the test with 4.8.0post_5541. Note to self: always restart
everything between testing scenarios...)
------- Comment #12 From cendio 2017-09-01 13:22:25 -------
I'm unable to reproduce any issues on my machine, or on karl-188. Need more
info on when it still fails.
------- Comment #13 From cendio 2017-09-05 10:01:23 -------
Could not reproduce this heisenbug...