[GH-ISSUE #2608] Cannot start LibreOffice when already started

gitea-mirror commented

2026-05-05 08:18:04 -06:00

Owner

Originally created by @KOLANICH on GitHub (Mar 19, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2608

KOLANICH@KOLANICH:~$ firejail /usr/bin/libreoffice
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Switching to pid 4393, the first child process inside the sandbox
Child process initialized in 36.42 ms
ERROR: ld.so: object '/run/firejail/lib/libtracelog.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Originally created by @KOLANICH on GitHub (Mar 19, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2608 ``` KOLANICH@KOLANICH:~$ firejail /usr/bin/libreoffice Reading profile /etc/firejail/libreoffice.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-var-common.inc Switching to pid 4393, the first child process inside the sandbox Child process initialized in 36.42 ms ERROR: ld.so: object '/run/firejail/lib/libtracelog.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored. Warning: failed to launch javaldx - java may not function correctly ERROR 4 forking process ```

gitea-mirror closed this issue

2026-05-05 08:18:05 -06:00

gitea-mirror commented

2026-05-05 08:18:06 -06:00

Author

Owner

@Fred-Barclay commented on GitHub (Mar 20, 2019):

Hi @KOLANICH
What version of firejail and what distro are you running?
Thanks!
Fred

@Fred-Barclay commented on GitHub (Mar 20, 2019): Hi @KOLANICH What version of firejail and what distro are you running? Thanks! Fred

gitea-mirror commented

2026-05-05 08:18:08 -06:00

Author

Owner

@KOLANICH commented on GitHub (Mar 20, 2019):

What version of firejail

cc4e42705c

what distro are you running?

kubuntu cosmic, fully updated

@KOLANICH commented on GitHub (Mar 20, 2019): >What version of firejail cc4e42705c39361f56b82c1a2e1e2f0ad6ae8bed >what distro are you running? kubuntu cosmic, fully updated

gitea-mirror commented

2026-05-05 08:18:09 -06:00

Author

Owner

@smitsohu commented on GitHub (Mar 21, 2019):

Does it work when you do firejail --ignore=apparmor /usr/bin/libreoffice ?

@smitsohu commented on GitHub (Mar 21, 2019): Does it work when you do `firejail --ignore=apparmor /usr/bin/libreoffice` ?

gitea-mirror commented

2026-05-05 08:18:10 -06:00

Author

Owner

@smitsohu commented on GitHub (Mar 24, 2019):

Or you are running a system that supports AppArmor, and a LibreOffice policy is loaded (which is the default in Ubuntu), but you are building Firejail without AppArmor support.

In this case append --enable-apparmor to your configure options and build and install again. This should get the default LibreOffice profile working.

@smitsohu commented on GitHub (Mar 24, 2019): Or you are running a system that supports AppArmor, and a LibreOffice policy is loaded (which is the default in Ubuntu), but you are building Firejail without AppArmor support. In this case append `--enable-apparmor` to your `configure` options and build and install again. This should get the default LibreOffice profile working.

gitea-mirror commented

2026-05-05 08:18:10 -06:00

Author

Owner

@KOLANICH commented on GitHub (Mar 25, 2019):

Does it work when you do firejail --ignore=apparmor /usr/bin/libreoffice ?

It doesn't even if no LO has been started.

In this case append --enable-apparmor to your configure options and build and install again. This should get the default LibreOffice profile working.

FJ was built with AA support

@KOLANICH commented on GitHub (Mar 25, 2019): >Does it work when you do firejail --ignore=apparmor /usr/bin/libreoffice ? It doesn't even if no LO has been started. >In this case append --enable-apparmor to your configure options and build and install again. This should get the default LibreOffice profile working. FJ was built with AA support

gitea-mirror commented

2026-05-05 08:18:12 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 31, 2019):

@KOLANICH Which version of LO are you using using? Can you try the following profile and see if it works?
~/.config/firejail/libreoffice.profile:

ignore private-tmp
ignore memory-deny-write-execute

include ${HOME}/.config/firejail/common.inc

mkdir ${HOME}/.config/libreoffice

whitelist ${DOWNLOADS}
whitelist ${DOCUMENTS}
whitelist ${HOME}/.config/libreoffice
whitelist ${HOME}/.config/gtk-3.0
whitelist ${HOME}/.config/gtk-2.0
whitelist ${HOME}/.local/share/themes

private-bin sh,dash,libreoffice,dirname,grep,uname,ls,sed,pwd,basename,dbus-launch,dbus-send,fcitx-dbus-watcher,fcitx-remote
private-etc libreoffice,fonts,passwd,alternatives,X11

# whitelist /usr/share/libreoffice
# whitelist /usr/share/icons
# whitelist /usr/share/themes
# whitelist /usr/share/fonts

whitelist /tmp/.X11-unix
# Enable document recovery
whitelist /tmp/user/1000

~/.config/firejail/common.inc:

blacklist /usr/local/bin
blacklist /usr/local/sbin

blacklist /boot

private-tmp
read-only /tmp/.X11-unix
private-dev
nodvd
nosound
notv
nou2f
novideo
no3d
disable-mnt
private-opt emp
private-srv emp

shell none
seccomp
seccomp.block-secondary
noroot
caps.drop all
apparmor
nonewprivs
ipc-namespace
machine-id
nodbus
nogroups
net none
netfilter
memory-deny-write-execute

noexec ${HOME}
noexec /tmp
noexec ${RUNUSER}

@chiraag-nataraj commented on GitHub (May 31, 2019): @KOLANICH Which version of LO are you using using? Can you try the following profile and see if it works? `~/.config/firejail/libreoffice.profile`: ``` ignore private-tmp ignore memory-deny-write-execute include ${HOME}/.config/firejail/common.inc mkdir ${HOME}/.config/libreoffice whitelist ${DOWNLOADS} whitelist ${DOCUMENTS} whitelist ${HOME}/.config/libreoffice whitelist ${HOME}/.config/gtk-3.0 whitelist ${HOME}/.config/gtk-2.0 whitelist ${HOME}/.local/share/themes private-bin sh,dash,libreoffice,dirname,grep,uname,ls,sed,pwd,basename,dbus-launch,dbus-send,fcitx-dbus-watcher,fcitx-remote private-etc libreoffice,fonts,passwd,alternatives,X11 # whitelist /usr/share/libreoffice # whitelist /usr/share/icons # whitelist /usr/share/themes # whitelist /usr/share/fonts whitelist /tmp/.X11-unix # Enable document recovery whitelist /tmp/user/1000 ``` `~/.config/firejail/common.inc`: ``` blacklist /usr/local/bin blacklist /usr/local/sbin blacklist /boot private-tmp read-only /tmp/.X11-unix private-dev nodvd nosound notv nou2f novideo no3d disable-mnt private-opt emp private-srv emp shell none seccomp seccomp.block-secondary noroot caps.drop all apparmor nonewprivs ipc-namespace machine-id nodbus nogroups net none netfilter memory-deny-write-execute noexec ${HOME} noexec /tmp noexec ${RUNUSER} ```

gitea-mirror commented

2026-05-05 08:18:12 -06:00

Author

Owner

@KOLANICH commented on GitHub (Jun 3, 2019):

With the latest firejail it doesn't even start with the preshipped profiles. The version of LO is the latest one (6.2.3) from Ubuntu repos (universe). Your profiles don't help too. Unfortunately currently I have no time to experiment with this.

@KOLANICH commented on GitHub (Jun 3, 2019): With the latest firejail it doesn't even start with the preshipped profiles. The version of LO is the latest one (`6.2.3`) from Ubuntu repos (`universe`). Your profiles don't help too. Unfortunately currently I have no time to experiment with this.

gitea-mirror commented

2026-05-05 08:18:14 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Jun 4, 2019):

@KOLANICH, if you don't have time to help debug this, I'm not sure what we can do, since the profile seems to work for other people.

The general procedure to debug it would be to:

Look at the logs to see if it's a seccomp or apparmor violation
Disable directives until it starts and then figure out which directive or combination of directives break the profile

Once we have both of those steps, we can figure out what's going on. As of right now, it's very hard for us to figure out what's going on given the lack of details (no debugging output, no experimenting with directives, etc).

If you don't have time to debug this right now (and if it's not affecting other people), maybe it's best to close it for right now (I'm not suggesting it's not a problem, just that it clutters up the issue tracker if other people are not experiencing the same issue). We can re-open it when you have more time to help debug this or if other people have the issue.

I'll leave this open for a little bit longer and then close it if there are no objections.

@chiraag-nataraj commented on GitHub (Jun 4, 2019): @KOLANICH, if you don't have time to help debug this, I'm not sure what we can do, since the profile seems to work for other people. The general procedure to debug it would be to: * Look at the logs to see if it's a seccomp or apparmor violation * Disable directives until it starts and then figure out which directive or combination of directives break the profile Once we have both of those steps, we can figure out what's going on. As of right now, it's very hard for us to figure out what's going on given the lack of details (no debugging output, no experimenting with directives, etc). If you don't have time to debug this right now (and if it's not affecting other people), maybe it's best to close it **for right now** (I'm _not_ suggesting it's not a problem, just that it clutters up the issue tracker if other people are not experiencing the same issue). We can re-open it when you have more time to help debug this or if other people have the issue. I'll leave this open for a little bit longer and then close it if there are no objections.

gitea-mirror commented

2026-05-05 08:18:15 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Jun 4, 2019):

I'm going to close this for now. To anyone reading this who has this issue and can help debug, please re-open!

@chiraag-nataraj commented on GitHub (Jun 4, 2019): I'm going to close this for now. To anyone reading this who has this issue and can help debug, **please** re-open!

Rows
Columns

[GH-ISSUE #2608] Cannot start LibreOffice when already started #1651