[GH-ISSUE #3654] Firejail crashing with SELinux support enabled #2301

Closed
opened 2026-05-05 08:59:28 -06:00 by gitea-mirror · 5 comments

Originally created by @reinerh on GitHub (Oct 6, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3654

I just noticed that firejail is crashing on start when firejail has SELinux labeling support enabled (and SELinux support is disabled on the system):

```
$ gdb src/firejail/firejail core
...
Reading symbols from src/firejail/firejail...
[New LWP 1]
[New LWP 431819]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./src/firejail/firejail'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  selabel_lookup_common (rec=0x0, translating=0, key=0x5578fbf95729 "/root", type=16832) at label.c:167
167	label.c: No such file or directory.
[Current thread is 1 (LWP 1)]
(gdb) bt
#0  selabel_lookup_common (rec=0x0, translating=0, key=0x5578fbf95729 "/root", type=16832) at label.c:167
#1  0x00007f7255a15aeb in selabel_lookup_raw (rec=<optimized out>, con=con@entry=0x5578fc0b69e8 <child_stack+1046696>, key=key@entry=0x5578fbf95729 "/root", type=<optimized out>) at label.c:256
#2  0x00005578fbf85e4d in selinux_relabel_path (path=path@entry=0x5578fbf95729 "/root", inside_path=inside_path@entry=0x5578fbf95729 "/root") at selinux.c:59
#3  0x00005578fbf66dc2 in fs_private () at fs_home.c:360
#4  0x00005578fbf83c82 in sandbox (sandbox_arg=<optimized out>) at sandbox.c:865
#5  0x00007f725593eeaf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
```
gitea-mirror 2026-05-05 08:59:28 -06:00
  • closed this issue
  • added the bug label

@rusty-snake commented on GitHub (Oct 6, 2020):

WFM Fedora 32 SELinux enabled


@reinerh commented on GitHub (Oct 6, 2020):

I think in Fedora SELinux is active by default?
In Debian it's disabled (as AppArmor is enabled by default).


@topimiettinen commented on GitHub (Oct 6, 2020):

Everything seems to work here with Debian bullseye/sid and SELinux in enforcing mode, Firejail just updated and installed from mkdeb. Do you see something weird if you run `ausearch -ts boot | audit2allow`?


@reinerh commented on GitHub (Oct 6, 2020):

@topimiettinen I don't have SELinux enabled on my system. With enabled I mean that firejail itself has SELinux support (which is a new feature in 0.9.64).
I don't even have ausearch/audit2allow installed. :-)

I think it only crashes on systems where SELinux is disabled (but support in firejail is enabled).


@topimiettinen commented on GitHub (Oct 6, 2020):

I tested with SELinux disabled but still Firejail started fine. But if your commit fixes the issue on your system, perhaps the problem needed also that there is no SELinux policy, and that would make getting a label fail.
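
The backtrace in this issue shows `rec=0x0` reaching `selabel_lookup_raw`. The block below is an added example, not firejail's code and not the commit mentioned in the thread: it models that call path with stand-in functions (`open_labels`, `lookup_label` and `relabel_path` are hypothetical names with no libselinux dependency) and shows a caller that checks the handle before the lookup. It assumes, as suggested in the thread, that the handle is NULL because no SELinux policy is installed.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for a libselinux label handle; the entries are constructed samples. */
struct label_entry { const char *prefix; const char *context; };
struct label_handle { const struct label_entry *entries; size_t count; };

static const struct label_entry sample_entries[] = {
    { "/root", "system_u:object_r:admin_home_t:s0" },
    { "/home", "system_u:object_r:home_root_t:s0" },
};
static struct label_handle sample_handle = { sample_entries, 2 };

/* Models opening the label database: NULL when no policy is installed
 * (assumption taken from the thread, not confirmed by the page). */
static struct label_handle *open_labels(int policy_installed) {
    return policy_installed ? &sample_handle : NULL;
}

/* Models the lookup: uses the handle unchecked, like frame #0 with rec=0x0.
 * Plain prefix match (a simplification); returns -1 when nothing matches. */
static int lookup_label(struct label_handle *h, const char **con, const char *key) {
    for (size_t i = 0; i < h->count; i++) {
        if (strncmp(key, h->entries[i].prefix, strlen(h->entries[i].prefix)) == 0) {
            *con = h->entries[i].context;
            return 0;
        }
    }
    return -1;
}

enum relabel_result { RELABELED, SKIPPED_NO_HANDLE, SKIPPED_NO_LABEL };

/* Guarded caller: a missing handle or a missing label skips relabeling
 * instead of handing NULL to the lookup. */
enum relabel_result relabel_path(int policy_installed, const char *path) {
    struct label_handle *h = open_labels(policy_installed);
    const char *con = NULL;

    if (h == NULL)
        return SKIPPED_NO_HANDLE;
    if (lookup_label(h, &con, path) != 0)
        return SKIPPED_NO_LABEL;
    return RELABELED; /* real code would apply `con` to the path here */
}

int main(void) {
    printf("%d %d %d\n", relabel_path(1, "/root"), relabel_path(0, "/root"),
           relabel_path(1, "/srv"));
    return 0;
}
```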
