[GH-ISSUE #3823] Unable to start hexchat with firejail #2411

Closed
opened 2026-05-05 09:05:15 -06:00 by gitea-mirror · 21 comments

Originally created by @ibahnasy on GitHub (Dec 15, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3823

Distro: Arch Linux
Firejail: 0.9.64
Hexchat: 2.14.3

I can run hexchat with firejail using "--noprofile" only now, however it was working fine before.
Here is the log

```
$ firejail hexchat
Reading profile /etc/firejail/hexchat.profile
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/allow-perl.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 31270, child pid 31271
65 programs installed in 58.35 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 187.76 ms
```

@rusty-snake commented on GitHub (Dec 15, 2020):

Works for me: Fedora 32, hexchat 2.14.3.

Are there any errors in the terminal or in the syslog?

@ibahnasy commented on GitHub (Dec 15, 2020):

I'm not seeing any errors, but when I try to launch it, the CPU fan spins so high and no more output is logged in the terminal until I kill it.

@reinerh commented on GitHub (Dec 15, 2020):

Works here as well (HexChat 2.14.3, Firejail 0.9.64, Debian).

@rusty-snake commented on GitHub (Dec 16, 2020):

Anyway, if it works with `--noprofile`, one (or more) command in the profile (or its includes) causes this. Can you comment out the profile and then uncomment it line by line?

@ibahnasy commented on GitHub (Dec 17, 2020):

Commenting out "include disable-shell.inc" AND "private-bin hexchat,python" in /etc/firejail/hexchat.profile makes it work!

@rusty-snake commented on GitHub (Dec 17, 2020):

Depending on what shell is used, a hexchat.local like this should work.

```
noblacklist ${PATH}/sh
private-bin sh
```

Is /usr/bin/hexchat a shell script?

@ibahnasy commented on GitHub (Dec 17, 2020):

/usr/bin/hexchat: ELF 64-bit LSB pie executable

@reinerh commented on GitHub (Dec 17, 2020):

Is this also the one that is executed? Does `which hexchat` show the same path?

@rusty-snake commented on GitHub (Dec 17, 2020):

Better: `which -a hexchat` or `where hexchat`, as `which hexchat` will only show `/usr/local/bin/hexchat` (firecfg).

@ibahnasy commented on GitHub (Dec 17, 2020):

```
$ which -a hexchat
/usr/bin/hexchat
```

@ibahnasy commented on GitHub (Dec 18, 2020):

I want to add that there is a feature in hexchat, "Open link in browser", which didn't work before when using the hexchat firejail profile, but after disabling the above two options, this feature works fine.

@rusty-snake commented on GitHub (Jan 4, 2021):

Because the sandbox can now start /usr/bin/firefox. Before, with the `private hexchat,python*`, there was no /usr/bin/firefox in the sandbox.

Does my suggestion from above (noblacklist + private-bin) work? Note: you may need to add other shells like bash.

@ibahnasy commented on GitHub (Jan 4, 2021):

With your suggestion hexchat doesn't start at all giving this error: "Error: no suitable hexchat executable found"

@rusty-snake commented on GitHub (Jan 4, 2021):

You need to undo your comments in hexchat.profile.

@ibahnasy commented on GitHub (Jan 4, 2021):

Yes, I did that, but it still throws that error.

@rusty-snake commented on GitHub (Apr 6, 2021):

Any progress here?

@rusty-snake commented on GitHub (May 12, 2021):

I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.

@ibahnasy commented on GitHub (May 16, 2021):

I'm still having the same issue btw.

@rusty-snake commented on GitHub (May 16, 2021):

Can you try

```
include allow-bin-sh.inc
private-bin sh
# or maybe 'private-bin bash,sh'?
```

If this does not help, what is the `private-bin` line generated by `firejail --build hexchat`?

@ibahnasy commented on GitHub (May 16, 2021):

Your suggestion made it work.
BTW, `firejail --build hexcha` produces an empty private-bin line.

@rusty-snake commented on GitHub (May 16, 2021):

This is the same as https://github.com/netblue30/firejail/issues/3823#issuecomment-747438910, but there I forgot that we `blacklist` `sh` and `bash`. If we now only `noblacklist` `sh` but `bash` is still `blacklist`ed and `sh` is a symlink to `bash`, it cannot work.

Since hexchat needs `/bin/sh` under Arch (for whatever reason), we should allow it. Allowing `sh` weakens the profile less than dropping `private-bin`.
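
The symlink point in the closing comment, as an added example that is not part of the original thread or of firejail itself: this script walks the symlink chain of a shell and prints a `noblacklist` line and a `private-bin` line covering every name in the chain. The function names are hypothetical, and the sample directory (where `sh` links to `bash`) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: list every name a shell path resolves through, so that a
# firejail .local file can exempt the whole chain and not only the link.

# link_chain PATH: print PATH and each symlink target, one per line,
# ending at the real file. Gives up after 16 hops to avoid loops.
link_chain() {
    p=$1
    hops=0
    while :; do
        printf '%s\n' "$p"
        [ -L "$p" ] || break
        hops=$((hops + 1))
        [ "$hops" -le 16 ] || { echo "too many symlinks: $1" >&2; return 1; }
        t=$(readlink "$p") || return 1
        case $t in
            /*) p=$t ;;                    # absolute target
            *)  p=$(dirname "$p")/$t ;;    # target relative to the link's dir
        esac
    done
}

# noblacklist_lines PATH: one 'noblacklist ${PATH}/<name>' line per hop.
noblacklist_lines() {
    link_chain "$1" | while IFS= read -r hop; do
        printf 'noblacklist ${PATH}/%s\n' "$(basename "$hop")"
    done
}

# private_bin_line PATH: a single private-bin line naming every hop.
private_bin_line() {
    names=$(link_chain "$1" | while IFS= read -r hop; do
        basename "$hop"
    done | paste -sd, -)
    printf 'private-bin %s\n' "$names"
}

# Constructed sample: a directory in which sh is a symlink to bash.
make_sample() {
    d=$(mktemp -d) && : > "$d/bash" && ln -s bash "$d/sh" && printf '%s\n' "$d"
}

d=$(make_sample) && noblacklist_lines "$d/sh" && private_bin_line "$d/sh" && rm -rf "$d"
```

On a real system, call `noblacklist_lines /bin/sh` and compare the result with the lines in your hexchat.local.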

Reference: github-starred/firejail#2411