[GH-ISSUE #1191] OpenGL failure on Fedora due to SElinux #814

Closed
opened 2026-05-05 06:53:56 -06:00 by gitea-mirror · 1 comment

Originally created by @orbisvicis on GitHub (Apr 3, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1191

I've tried "Sunless Sea" and "Dungeon Crawl Stone Soup". Basically what happens is:

  • start firejail
  • start game
  • nvidia-modprobe is launched, fills syslog with output
  • see SELinux audit warning in syslog
  • game freezes with black window

Then I have to terminate the process, and Fedora automatically launches gdb to get a backtrace, so you can ignore that bit.

$ ls -lah /usr/bin/nvidia-modprobe 
-rwsr-xr-x. 1 root root 29K Dec  8 21:03 /usr/bin/nvidia-modprobe

Here is a typical firemon session:

17:19:47 exec 24570 (orbisvicis) <prefix>/Dungeon.Crawl.Stone.Soup/crawl 
17:19:48 fork 24570 (orbisvicis) <prefix>/Dungeon.Crawl.Stone.Soup/crawl 
	child 24572 <prefix>/Dungeon.Crawl.Stone.Soup/crawl 
17:19:48 exec 24572 (orbisvicis) /usr/bin/nvidia-modprobe -c=255 
17:19:48 exit 24572 (orbisvicis)
17:19:48 fork 24570 (orbisvicis) <prefix>/Dungeon.Crawl.Stone.Soup/crawl 
	child 24573 <prefix>/Dungeon.Crawl.Stone.Soup/crawl 
17:19:48 exec 24573 (orbisvicis) /usr/bin/nvidia-modprobe -m 
17:19:48 exit 24573 (orbisvicis)
17:19:48 fork 24570 (orbisvicis) <prefix>/Dungeon.Crawl.Stone.Soup/crawl 
	child 24574 <prefix>/Dungeon.Crawl.Stone.Soup/crawl 
17:19:48 exec 24574 (orbisvicis) /usr/bin/nvidia-modprobe -c=0 
17:19:48 exit 24574 (orbisvicis)
17:19:48 fork 24570 (orbisvicis) <prefix>/Dungeon.Crawl.Stone.Soup/crawl 
	child 24575 <prefix>/Dungeon.Crawl.Stone.Soup/crawl 
17:19:48 exec 24575 (orbisvicis) /usr/bin/nvidia-modprobe -c=0 
17:19:48 exit 24575 (orbisvicis)
17:21:14 fork 24570 (orbisvicis) <prefix>/Dungeon.Crawl.Stone.Soup/crawl 
	child 24667
17:21:14 exec 24667 (orbisvicis) gdb -batch -ex show version -ex attach 99 -ex bt full 
17:21:14 fork 24667 (orbisvicis) gdb -batch -ex show version -ex attach 99 -ex bt full 
	child 24668 gdb -batch -ex show version -ex attach 99 -ex bt full 

Here is the audit line; always the same irrespective of which firejailed OpenGL app failed:

Apr 03 17:19:48 <system> audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 newcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023

Here is a related Fedora bug from 2014 relating to NPP and SELinux's own sandbox app:

https://bugzilla.redhat.com/show_bug.cgi?id=1103622

I think they solved it by shipping a specific policy for the sandbox.

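The audit record quoted above is the key diagnostic, so here is an added example (not part of the issue or of firejail) of a small Python checker that pulls SELINUX_ERR records out of journal text and names the domain transition that was refused. The sample log is constructed: it reuses the line from the issue plus one unrelated line.

```python
import re
from typing import Optional

# Constructed sample log: the first line is the audit record quoted in the issue
# (host name already replaced by <system>), the second is an unrelated filler line.
SAMPLE_LOG = """\
Apr 03 17:19:48 <system> audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 newcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023
Apr 03 17:19:49 <system> kernel: nvidia-modprobe: loading module
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")  # key=value pairs in the audit record


def parse_context(ctx: str) -> dict:
    """Split an SELinux context into user, role, type and MLS/MCS range."""
    user, role, stype, *rng = ctx.split(":", 3)
    return {"user": user, "role": role, "type": stype, "range": rng[0] if rng else ""}


def parse_selinux_err(line: str) -> Optional[dict]:
    """Return the key=value fields of a SELINUX_ERR record, or None for any other line."""
    if "SELINUX_ERR" not in line:
        return None
    tail = line.split("SELINUX_ERR", 1)[1]
    return dict(FIELD_RE.findall(tail))


def classify(rec: dict) -> str:
    """Describe a denied bounded transition.

    The kernel only calls security_bounded_transition() when the exec happens
    under no_new_privs or from a nosuid mount; the new domain must then be
    bounded by the old one (typebounds), otherwise the transition is refused.
    Everything else is reported as "other".
    """
    if rec.get("op") != "security_bounded_transition" or rec.get("seresult") != "denied":
        return "other"
    old = parse_context(rec["oldcontext"])["type"]
    new = parse_context(rec["newcontext"])["type"]
    return f"unbounded domain transition blocked: {old} -> {new}"


def scan(log: str) -> list:
    """Return one finding per denied bounded transition found in the log text."""
    findings = []
    for line in log.splitlines():
        rec = parse_selinux_err(line)
        if rec is not None and classify(rec) != "other":
            findings.append(classify(rec))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```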
gitea-mirror 2026-05-05 06:53:56 -06:00

@netblue30 commented on GitHub (Apr 4, 2017):

What version of firejail are you using? Does it work if you start the sandbox with "--noprofile"?

$ firejail --noprofile application