[GH-ISSUE #2027] Can't run firefox, chromium through firejail. #1364

New issue

Closed

opened 2026-05-05 07:55:50 -06:00 by gitea-mirror · 32 comments

gitea-mirror commented 2026-05-05 07:55:50 -06:00

Owner

Copy link

Originally created by @ghost on GitHub (Jul 5, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2027

Hi guys,
Im using firejail version 0.9.54 on openSUSE Leap 15`

$ firejail --version
Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- bind support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled`

I can't seem to run firefox or chromium with firejail. I get this error

"Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set."
However vlc, gwenview runs okay.

Here is the full output

firejail chromium
Reading profile /usr/local/etc/firejail/chromium.profile
Reading profile /usr/local/etc/firejail/chromium-common.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Parent pid 25304, child pid 25305
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in 52.78 ms
No protocol specified
No protocol specified

(chromium:4):

Gtk-WARNING **: cannot open display: :0

Parent is shutting down, bye...

I have tried using the firejail LTS version but no luck.
Some of other methods i tried are from this post:
https://github.com/netblue30/firejail/issues/1885

I did sudo firecfg --clean + firejail chromium: and still no luck.

Any idea how I should proceed?

Originally created by @ghost on GitHub (Jul 5, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/2027 Hi guys, Im using firejail version 0.9.54 on openSUSE Leap 15` > $ firejail --version Compile time support: - AppArmor support is disabled - AppImage support is enabled - bind support is enabled - chroot support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - seccomp-bpf support is enabled - user namespace support is enabled - X11 sandboxing support is enabled` I can't seem to run firefox or chromium with firejail. I get this error "Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set." However vlc, gwenview runs okay. Here is the full output >firejail chromium Reading profile /usr/local/etc/firejail/chromium.profile Reading profile /usr/local/etc/firejail/chromium-common.profile Reading profile /usr/local/etc/firejail/disable-common.inc Reading profile /usr/local/etc/firejail/disable-devel.inc Reading profile /usr/local/etc/firejail/disable-interpreters.inc Reading profile /usr/local/etc/firejail/disable-programs.inc Reading profile /usr/local/etc/firejail/whitelist-common.inc Reading profile /usr/local/etc/firejail/whitelist-var-common.inc Parent pid 25304, child pid 25305 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Child process initialized in 52.78 ms No protocol specified No protocol specified (chromium:4): Gtk-WARNING **: cannot open display: :0 Parent is shutting down, bye... I have tried using the firejail LTS version but no luck. Some of other methods i tried are from this post: https://github.com/netblue30/firejail/issues/1885 I did sudo firecfg --clean + firejail chromium: and still no luck. Any idea how I should proceed?

gitea-mirror closed this issue 2026-05-05 07:55:51 -06:00

gitea-mirror commented 2026-05-05 07:55:52 -06:00

Author

Owner

Copy link

@Fred-Barclay commented on GitHub (Jul 5, 2018):

What happens with firejail --noprofile chromium or firejail --noprofile firefox?

<!-- gh-comment-id:402754960 --> @Fred-Barclay commented on GitHub (Jul 5, 2018): What happens with `firejail --noprofile chromium` or `firejail --noprofile firefox`?

gitea-mirror commented 2026-05-05 07:55:53 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jul 6, 2018):

@Fred-Barclay Chromium and Firefox does run but its I can access files from the browser "file:///home/user/"
So i guess its not sandboxed?

<!-- gh-comment-id:402906447 --> @ghost commented on GitHub (Jul 6, 2018): @Fred-Barclay Chromium and Firefox does run but its I can access files from the browser "file:///home/user/" So i guess its not sandboxed?

gitea-mirror commented 2026-05-05 07:55:54 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Jul 8, 2018):

@OMslaw04 Yeah, that's the point of the --noprofile. So it seems as though (from the errors in your original post) that chromium doesn't have access to the X11 display (the line Gtk-WARNING **: cannot open display: :0). Are you using the default profiles? If not, can you post your profile?

Also, another way to debug is to go through the profile and comment out specific lines to see what breaks chromium (and/or firefox).

<!-- gh-comment-id:403318348 --> @chiraag-nataraj commented on GitHub (Jul 8, 2018): @OMslaw04 Yeah, that's the point of the `--noprofile`. So it seems as though (from the errors in your original post) that chromium doesn't have access to the X11 display (the line `Gtk-WARNING **: cannot open display: :0`). Are you using the default profiles? If not, can you post your profile? Also, another way to debug is to go through the profile and comment out specific lines to see what breaks chromium (and/or firefox).

gitea-mirror commented 2026-05-05 07:55:56 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jul 9, 2018):

@chiraag-nataraj thanks for the tip on debugging. I will test on that.

Yes i am using default profile as shown below.

# Firejail profile for chromium
# This file is overwritten after every install/update
# Persistent local customizations
include /usr/local/etc/firejail/chromium.local
# Persistent global definitions
include /usr/local/etc/firejail/globals.local

noblacklist ${HOME}/.cache/chromium
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.config/chromium-flags.conf

mkdir ${HOME}/.cache/chromium
mkdir ${HOME}/.config/chromium
whitelist ${HOME}/.cache/chromium
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.config/chromium-flags.conf

# private-bin chromium,chromium-browser,chromedriver

# Redirect
include /usr/local/etc/firejail/chromium-common.profile

<!-- gh-comment-id:403372439 --> @ghost commented on GitHub (Jul 9, 2018): @chiraag-nataraj thanks for the tip on debugging. I will test on that. Yes i am using default profile as shown below. > # Firejail profile for chromium # This file is overwritten after every install/update # Persistent local customizations include /usr/local/etc/firejail/chromium.local # Persistent global definitions include /usr/local/etc/firejail/globals.local noblacklist ${HOME}/.cache/chromium noblacklist ${HOME}/.config/chromium noblacklist ${HOME}/.config/chromium-flags.conf mkdir ${HOME}/.cache/chromium mkdir ${HOME}/.config/chromium whitelist ${HOME}/.cache/chromium whitelist ${HOME}/.config/chromium whitelist ${HOME}/.config/chromium-flags.conf # private-bin chromium,chromium-browser,chromedriver # Redirect include /usr/local/etc/firejail/chromium-common.profile

gitea-mirror commented 2026-05-05 07:55:59 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Jul 9, 2018):

One thing you can also try is using the chromium profile that I use. Keep in mind that for various reasons, you should either comment out private-bin or run chromium as firejail /usr/lib/chromium/chromium. Also, note that to install this profile, simply copy both files to ~/.config/firejail/ and rename them to chromium.profile and common.inc respectively.

chromium.txt
common.txt

<!-- gh-comment-id:403452061 --> @chiraag-nataraj commented on GitHub (Jul 9, 2018): One thing you can also try is using the `chromium` profile that I use. Keep in mind that for various reasons, you should either comment out `private-bin` or run `chromium` as `firejail /usr/lib/chromium/chromium`. Also, note that to install this profile, simply copy both files to `~/.config/firejail/` and rename them to `chromium.profile` and `common.inc` respectively. [chromium.txt](https://github.com/netblue30/firejail/files/2175966/chromium.txt) [common.txt](https://github.com/netblue30/firejail/files/2175967/common.txt)

gitea-mirror commented 2026-05-05 07:56:02 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Jul 11, 2018):

@OMslaw04 Were you able to debug the profile to see what was breaking (or use the profile I provided)?

<!-- gh-comment-id:404327203 --> @chiraag-nataraj commented on GitHub (Jul 11, 2018): @OMslaw04 Were you able to debug the profile to see what was breaking (or use the profile I provided)?

gitea-mirror commented 2026-05-05 07:56:03 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jul 13, 2018):

@chiraag-nataraj here is the result with the two files coped to ~/.config/firejail

$ firejail chromium

Reading profile /home/ohms/.config/firejail/chromium.profile
Reading profile /home/ohms/.config/firejail/common.inc
Parent pid 21703, child pid 21704
Warning: skipping chromium.d for private /etc
Private /etc installed in 14.09 ms
Warning: skipping emp for private /opt
Private /opt installed in 0.04 ms
11 programs installed in 12.64 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in 36.31 ms

Parent is shutting down, bye...

So if i were to comment the private bin line I have issue accessing to the X11 files
error:
(chromium:9): Gtk-WARNING **: cannot open display: :0

on the other hand if i uncomment I get this.
Reading profile /home/ohms/.config/firejail/chromium.profile
Reading profile /home/ohms/.config/firejail/common.inc
Parent pid 22080, child pid 22081
Warning: skipping chromium.d for private /etc
Private /etc installed in 15.19 ms
Warning: skipping emp for private /opt
Private /opt installed in 0.04 ms
11 programs installed in 13.05 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in 39.13 ms

Parent is shutting down, bye...

I also had to comment nou2ffrom common.inc
I tried commenting line by line in common.inc but I get this error
Reading profile /home/ohms/.config/firejail/chromium.profile
Reading profile /home/ohms/.config/firejail/common.inc
Error: line 22 in /home/ohms/.config/firejail/common.inc is invalid
which I don't think is the way to go.

<!-- gh-comment-id:404719594 --> @ghost commented on GitHub (Jul 13, 2018): @chiraag-nataraj here is the result with the two files coped to ~/.config/firejail > $ firejail chromium > Reading profile /home/ohms/.config/firejail/chromium.profile Reading profile /home/ohms/.config/firejail/common.inc Parent pid 21703, child pid 21704 Warning: skipping chromium.d for private /etc Private /etc installed in 14.09 ms Warning: skipping emp for private /opt Private /opt installed in 0.04 ms 11 programs installed in 12.64 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Child process initialized in 36.31 ms > Parent is shutting down, bye... So if i were to comment the `private bin` line I have issue accessing to the X11 files error: `(chromium:9): Gtk-WARNING **: cannot open display: :0` on the other hand if i uncomment I get this. `Reading profile /home/ohms/.config/firejail/chromium.profile` `Reading profile /home/ohms/.config/firejail/common.inc` `Parent pid 22080, child pid 22081` `Warning: skipping chromium.d for private /etc` `Private /etc installed in 15.19 ms` `Warning: skipping emp for private /opt` `Private /opt installed in 0.04 ms` `11 programs installed in 13.05 ms` `Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.` `Child process initialized in 39.13 ms` `Parent is shutting down, bye...` I also had to comment `nou2f`from `common.inc` I tried commenting line by line in `common.inc` but I get this error `Reading profile /home/ohms/.config/firejail/chromium.profile` `Reading profile /home/ohms/.config/firejail/common.inc` `Error: line 22 in /home/ohms/.config/firejail/common.inc is invalid` which I don't think is the way to go.

gitea-mirror commented 2026-05-05 07:56:05 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Jul 13, 2018):

here is the result with the two files copied to ~/.config/firejail

Can you use firejail --debug chromium and either post or attach the output (if the output is really long, please attach it as a separate file!).

I also had to comment nou2f from common.inc

Oh yeah sorry about that - I added nou2f in master and forgot that it's not in 0.9.54 😜

<!-- gh-comment-id:404839579 --> @chiraag-nataraj commented on GitHub (Jul 13, 2018): > here is the result with the two files copied to ~/.config/firejail Can you use `firejail --debug chromium` and either post or attach the output (if the output is really long, please attach it as a separate file!). > I also had to comment nou2f from common.inc Oh yeah sorry about that - I added `nou2f` in `master` and forgot that it's not in `0.9.54` :stuck_out_tongue_winking_eye:

gitea-mirror commented 2026-05-05 07:56:09 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jul 19, 2018):

@chiraag-nataraj https://pastebin.com/Pn7kJsiT here is the output for firejail --debug chromium

<!-- gh-comment-id:406185368 --> @ghost commented on GitHub (Jul 19, 2018): @chiraag-nataraj https://pastebin.com/Pn7kJsiT here is the output for `firejail --debug chromium`

gitea-mirror commented 2026-05-05 07:56:10 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Jul 21, 2018):

Can you run firejail --debug with private-bin commented (so that we get the cannot open display: :0 error along with firejail's debug output)?

<!-- gh-comment-id:406819726 --> @chiraag-nataraj commented on GitHub (Jul 21, 2018): Can you run `firejail --debug` with `private-bin` commented (so that we get the `cannot open display: :0` error along with firejail's debug output)?

gitea-mirror commented 2026-05-05 07:56:12 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jul 25, 2018):

https://pastebin.com/8P0AQ3wG
here is the output to firejail --debug with private-bin commented @chiraag-nataraj

<!-- gh-comment-id:407616743 --> @ghost commented on GitHub (Jul 25, 2018): https://pastebin.com/8P0AQ3wG here is the output to `firejail --debug` with `private-bin` commented @chiraag-nataraj

gitea-mirror commented 2026-05-05 07:56:15 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Jul 25, 2018):

Yeah, this is really weird. Let's ignore the profile I gave you for the moment and go back to the default profile (the one you were using). Can you go through and comment stuff until it works? That might give us a good idea of where to get started in terms of finding the issue.

<!-- gh-comment-id:407913535 --> @chiraag-nataraj commented on GitHub (Jul 25, 2018): Yeah, this is really weird. Let's ignore the profile I gave you for the moment and go back to the default profile (the one you were using). Can you go through and comment stuff until it works? That might give us a good idea of where to get started in terms of finding the issue.

gitea-mirror commented 2026-05-05 07:56:16 -06:00

Author

Owner

Copy link

@chewblacka commented on GitHub (Jul 27, 2018):

Hi just posting to say I am also running Open Suse Leap 15.0 and firefox in firejail was working fine up until a week or so ago. But now for some reason it conks out with Permission Denied:
https://pastebin.com/cKXTt49X
firejail --debug firefox gives the following:
https://pastebin.com/HDb9bybF
firejail --noprofile firefox works but unsandboxed (as expected).

<!-- gh-comment-id:408510287 --> @chewblacka commented on GitHub (Jul 27, 2018): Hi just posting to say I am also running Open Suse Leap 15.0 and firefox in firejail was working fine up until a week or so ago. But now for some reason it conks out with `Permission Denied`: https://pastebin.com/cKXTt49X `firejail --debug firefox` gives the following: https://pastebin.com/HDb9bybF `firejail --noprofile firefox` works but unsandboxed (as expected).

gitea-mirror commented 2026-05-05 07:56:17 -06:00

Author

Owner

Copy link

@SkewedZeppelin commented on GitHub (Jul 27, 2018):

To confirm @chewblacka and @OMslaw04 you both installed from git/make install, yes?

<!-- gh-comment-id:408512625 --> @SkewedZeppelin commented on GitHub (Jul 27, 2018): To confirm @chewblacka and @OMslaw04 you both installed from git/make install, yes?

gitea-mirror commented 2026-05-05 07:56:18 -06:00

Author

Owner

Copy link

@chewblacka commented on GitHub (Jul 27, 2018):

@SkewedZeppelin I initially installed 0.9.55 from git with ./configure --enable-apparmor and that was working fine with firefox until it stopped working a few days ago. Then today I installed 0.9.54 from tarball again using --enable-apparmor and make but the problem persists. Other things (e.g. virtualbox, okular) are working fine with firejail.

<!-- gh-comment-id:408516466 --> @chewblacka commented on GitHub (Jul 27, 2018): @SkewedZeppelin I initially installed 0.9.55 from git with `./configure --enable-apparmor` and that was working fine with firefox until it stopped working a few days ago. Then today I installed 0.9.54 from tarball again using `--enable-apparmor` and `make` but the problem persists. Other things (e.g. virtualbox, okular) are working fine with firejail.

gitea-mirror commented 2026-05-05 07:56:22 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Aug 1, 2018):

@chiraag-nataraj
chromiumprofile.txt

So this is my default profile.

I tried commenting every line and run firejail chromium
I would always get

Reading profile /usr/local/etc/firejail/chromium.profile
Reading profile /usr/local/etc/firejail/chromium-common.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Parent pid 24824, child pid 24825
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
directory resolved as "Downloads"
Child process initialized in 61.88 ms
No protocol specified
No protocol specified

(chromium:4): Gtk-WARNING **: cannot open display: :0

Parent is shutting down, bye...

All of these can't seem to fetch the display.
By default line 18 #private-bin chromium,chromium-browser,chromedriver is commented.
If i were to uncomment I would end up with

Reading profile /usr/local/etc/firejail/chromium.profile
Reading profile /usr/local/etc/firejail/chromium-common.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Parent pid 24813, child pid 24814
1 program installed in 1.49 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
directory resolved as "Downloads"
Child process initialized in 42.08 ms

Parent is shutting down, bye...

I am so clueless right now.

@SkewedZeppelin yes correct.

<!-- gh-comment-id:409509777 --> @ghost commented on GitHub (Aug 1, 2018): @chiraag-nataraj [chromiumprofile.txt](https://github.com/netblue30/firejail/files/2248807/chromiumprofile.txt) So this is my default profile. I tried commenting every line and run `firejail chromium` I would always get > Reading profile /usr/local/etc/firejail/chromium.profile Reading profile /usr/local/etc/firejail/chromium-common.profile Reading profile /usr/local/etc/firejail/disable-common.inc Reading profile /usr/local/etc/firejail/disable-devel.inc Reading profile /usr/local/etc/firejail/disable-interpreters.inc Reading profile /usr/local/etc/firejail/disable-programs.inc Reading profile /usr/local/etc/firejail/whitelist-common.inc Reading profile /usr/local/etc/firejail/whitelist-var-common.inc Parent pid 24824, child pid 24825 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. directory resolved as "Downloads" Child process initialized in 61.88 ms No protocol specified No protocol specified > (chromium:4): Gtk-WARNING **: cannot open display: :0 > Parent is shutting down, bye... All of these can't seem to fetch the display. By default line 18 `#private-bin chromium,chromium-browser,chromedriver` is commented. If i were to uncomment I would end up with >Reading profile /usr/local/etc/firejail/chromium.profile Reading profile /usr/local/etc/firejail/chromium-common.profile Reading profile /usr/local/etc/firejail/disable-common.inc Reading profile /usr/local/etc/firejail/disable-devel.inc Reading profile /usr/local/etc/firejail/disable-interpreters.inc Reading profile /usr/local/etc/firejail/disable-programs.inc Reading profile /usr/local/etc/firejail/whitelist-common.inc Reading profile /usr/local/etc/firejail/whitelist-var-common.inc Parent pid 24813, child pid 24814 1 program installed in 1.49 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. directory resolved as "Downloads" Child process initialized in 42.08 ms >Parent is shutting down, bye... I am so clueless right now. @SkewedZeppelin yes correct.

gitea-mirror commented 2026-05-05 07:56:23 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Aug 1, 2018):

@OMslaw04 So if you comment out everything in chromium.profile, it still doesn't run? That should be the same as --noprofile though.

If commenting out all lines works, can you go through and slowly uncomment particular lines (or groups of lines if necessary - e.g. whitelists) to see what breaks it?

<!-- gh-comment-id:409547388 --> @chiraag-nataraj commented on GitHub (Aug 1, 2018): @OMslaw04 So if you comment out _everything_ in `chromium.profile`, it still doesn't run? That should be the same as `--noprofile` though. If commenting out _all_ lines works, can you go through and slowly uncomment particular lines (or groups of lines if necessary - e.g. whitelists) to see what breaks it?

gitea-mirror commented 2026-05-05 07:56:24 -06:00

Author

Owner

Copy link

@chewblacka commented on GitHub (Aug 1, 2018):

Mods, should I carry on posting in this thread or start my own thread?
I've discovered that if I compile firejail without apparmor support firefox works, so apparmor seems to be the issue. Is it possible that an update to OpenSuse Leap borked something?

Speaking of apparmor do I need to run:
aa-enforce firejail-default
because when I do I get the error:
Setting /etc/apparmor.d/firejail-default to enfoce mode.
ERROR: Path doesn't start with / or variable: firejail-default

<!-- gh-comment-id:409742541 --> @chewblacka commented on GitHub (Aug 1, 2018): Mods, should I carry on posting in this thread or start my own thread? I've discovered that if I compile firejail without apparmor support firefox works, so apparmor seems to be the issue. Is it possible that an update to OpenSuse Leap borked something? Speaking of apparmor do I need to run: `aa-enforce firejail-default` because when I do I get the error: `Setting /etc/apparmor.d/firejail-default to enfoce mode.` `ERROR: Path doesn't start with / or variable: firejail-default`

gitea-mirror commented 2026-05-05 07:56:27 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Aug 6, 2018):

@chewblacka I had the same issue, and a reboot fixed it (I suspect it has to do with an apparmor upgrade). Can you try sudo aa-disable firefox? If you check your logs, you'll probably see something like apparmor blocking firejail from applying certain things because of the firefox apparmor profile (e.g. nonewprivs).

<!-- gh-comment-id:410695247 --> @chiraag-nataraj commented on GitHub (Aug 6, 2018): @chewblacka I had the same issue, and a reboot fixed it (I suspect it has to do with an apparmor upgrade). Can you try `sudo aa-disable firefox`? If you check your logs, you'll probably see something like `apparmor` blocking `firejail` from applying certain things because of the `firefox` apparmor profile (e.g. `nonewprivs`).

gitea-mirror commented 2026-05-05 07:56:28 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Aug 6, 2018):

@OMslaw04 What is the result when you comment out everything in chromium.profile?

<!-- gh-comment-id:410695495 --> @chiraag-nataraj commented on GitHub (Aug 6, 2018): @OMslaw04 What is the result when you comment out _everything_ in `chromium.profile`?

gitea-mirror commented 2026-05-05 07:56:29 -06:00

Author

Owner

Copy link

@chewblacka commented on GitHub (Aug 6, 2018):

thanks @chiraag-nataraj, are you using openSUSE too?
It is definitely to do with apparmor (most likely an upgrade as you say). I compiled firejail without apparmor support and it worked fine. So I recompiled firejail with apparmor support and have added the noapparmor option in the firejail firefox conf. Everything is working ok now.

<!-- gh-comment-id:410838864 --> @chewblacka commented on GitHub (Aug 6, 2018): thanks @chiraag-nataraj, are you using openSUSE too? It is definitely to do with apparmor (most likely an upgrade as you say). I compiled firejail without apparmor support and it worked fine. So I recompiled firejail with apparmor support and have added the noapparmor option in the firejail firefox conf. Everything is working ok now.

gitea-mirror commented 2026-05-05 07:56:30 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Aug 7, 2018):

@chewblacka Good to hear. Nope, I'm using Debian sid/experimental, but I have a more "standard" Debian VM which enabled apparmor by default, and I ran into some of these issues.

<!-- gh-comment-id:410924759 --> @chiraag-nataraj commented on GitHub (Aug 7, 2018): @chewblacka Good to hear. Nope, I'm using Debian sid/experimental, but I have a more "standard" Debian VM which enabled apparmor by default, and I ran into some of these issues.

gitea-mirror commented 2026-05-05 07:56:34 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Aug 9, 2018):

@chiraag-nataraj with everything commented it runs. Like you said it runs like --noprofile
@chewblacka I am on OpenSUSE Leap 15 too, I complied with AppArmour and still no luck.

<!-- gh-comment-id:411643615 --> @ghost commented on GitHub (Aug 9, 2018): @chiraag-nataraj with everything commented it runs. Like you said it runs like `--noprofile` @chewblacka I am on OpenSUSE Leap 15 too, I complied with AppArmour and still no luck.

gitea-mirror commented 2026-05-05 07:56:36 -06:00

Author

Owner

Copy link

@uli13 commented on GitHub (Aug 11, 2018):

I am an openSUSE user too. FIrejail works in Tumbleweed but not in LEAP15 with the same output:
Gtk-WARNING **: cannot open display: :0
and for firefox
Unable to init server: Could not connect: Connection refused Error: cannot open display: :0
I am using firejail 0.9.54 and it works with --noprofile. I use the standard profile but I commented out apparmor that made firejail work in Tumbleweed but had no effect in Leap15.
The command aa-disable firefox Profile for /usr/lib64/firefox/firefox.sh not found, skipping
Similar for chromium. Any help is appreciated

<!-- gh-comment-id:412243582 --> @uli13 commented on GitHub (Aug 11, 2018): I am an openSUSE user too. FIrejail works in Tumbleweed but not in LEAP15 with the same output: `Gtk-WARNING **: cannot open display: :0 ` and for firefox `Unable to init server: Could not connect: Connection refused Error: cannot open display: :0` I am using firejail 0.9.54 and it works with `--noprofile`. I use the standard profile but I commented out apparmor that made firejail work in Tumbleweed but had no effect in Leap15. The command `aa-disable firefox Profile for /usr/lib64/firefox/firefox.sh not found, skipping` Similar for chromium. Any help is appreciated

gitea-mirror commented 2026-05-05 07:56:37 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Aug 12, 2018):

@OMslaw04 Okay. Now go through and re-enable stuff until it breaks. That's how we can figure out what is breaking it.

<!-- gh-comment-id:412350163 --> @chiraag-nataraj commented on GitHub (Aug 12, 2018): @OMslaw04 Okay. Now go through and re-enable stuff until it breaks. That's how we can figure out _what_ is breaking it.

gitea-mirror commented 2026-05-05 07:56:40 -06:00

Author

Owner

Copy link

@Vincent43 commented on GitHub (Aug 14, 2018):

For people with issues on OpenSuse Leap 15 and apparmor, can you try if this fix works for you?

<!-- gh-comment-id:413042395 --> @Vincent43 commented on GitHub (Aug 14, 2018): For people with issues on OpenSuse Leap 15 and apparmor, can you try if [this fix](https://github.com/netblue30/firejail/issues/2078#issuecomment-413041131) works for you?

gitea-mirror commented 2026-05-05 07:56:42 -06:00

Author

Owner

Copy link

@chewblacka commented on GitHub (Aug 15, 2018):

Thanks @Vincent43, that worked perfectly for my OpenSuse Leap 15 KDE install! Apparmor now working as it should. Many thanks for the help!

<!-- gh-comment-id:413323061 --> @chewblacka commented on GitHub (Aug 15, 2018): Thanks @Vincent43, that worked perfectly for my OpenSuse Leap 15 KDE install! Apparmor now working as it should. Many thanks for the help!

gitea-mirror commented 2026-05-05 07:56:43 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (Aug 16, 2018):

@OMslaw04 Can you report back with which thing actually breaks your setup? Then we can fix this :) Or, if your issue is fixed by what @Vincent43 linked to, can you also report back? That way we know this issue is solved.

<!-- gh-comment-id:413565787 --> @chiraag-nataraj commented on GitHub (Aug 16, 2018): @OMslaw04 Can you report back with which thing actually breaks your setup? Then we can fix this :) Or, if your issue is fixed by what @Vincent43 linked to, can you also report back? That way we know this issue is solved.

gitea-mirror commented 2026-05-05 07:56:44 -06:00

Author

Owner

Copy link

@wofwofwof commented on GitHub (Sep 21, 2018):

Not sure if it is the same issue, but I had the same problem on gentoo with thunderbird and it was fixed with adding unix to the protocol.

<!-- gh-comment-id:423468783 --> @wofwofwof commented on GitHub (Sep 21, 2018): Not sure if it is the same issue, but I had the same problem on gentoo with thunderbird and it was fixed with adding unix to the protocol.

gitea-mirror commented 2026-05-05 07:56:47 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (May 19, 2019):

Is this still an issue for whoever commented and is still on Github?

<!-- gh-comment-id:493800766 --> @chiraag-nataraj commented on GitHub (May 19, 2019): Is this still an issue for whoever commented and is still on Github?

gitea-mirror commented 2026-05-05 07:56:48 -06:00

Author

Owner

Copy link

@chiraag-nataraj commented on GitHub (May 29, 2019):

I'm going to close this for inactivity. If someone is still having this issue, please feel free to re-open it.

<!-- gh-comment-id:497097675 --> @chiraag-nataraj commented on GitHub (May 29, 2019): I'm going to close this for inactivity. If someone is still having this issue, please feel free to re-open it.

gitea-mirror commented 2026-05-05 07:56:49 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Sep 29, 2021):

Hi there!

You just need to export your XAuthority properly. A whitelist entry for the authority file afterwards will grant you access within the sandbox (e.g. --whitelist=/home/user/.xauthxxxxXX) [tested with GrSec/Selinux/Apparmor/su sandbox -> firejail]

Cheers!

<!-- gh-comment-id:929918415 --> @ghost commented on GitHub (Sep 29, 2021): Hi there! You just need to export your XAuthority properly. A whitelist entry for the authority file afterwards will grant you access within the sandbox (e.g. --whitelist=/home/user/.xauthxxxxXX) [tested with GrSec/Selinux/Apparmor/su sandbox -> firejail] Cheers!

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1364

No description provided.