Description of problems While testing firejail update Bug 30528, I notice that for both our current update and the update testing version: 1) the command firetools from package firetools only produce a popup error message "Can not run Firejail sandbox, you may not have the correct permissions to access this program". No matter if launched by Plasma menu, or in terminal. 2) firetools-ui works, but enabling [x] Trace system and network access Then it exits, with output in terminal from where i started it: "Cannot open trace log file: No such device or address" I notice mga8 have firejail 0.9.64 but only firetools 0.9.62. We should have updated firetools too - last version is 0.9.64, and it have added suport for firejail 0.9.64, listed at https://firejailtools.wordpress.com/release-notes/ : Maybe an update will fix the problems? Anyway that seems like a good first step. And now we have firejail 0.9.70 in updates testing - we should keep an eye on if a new firetool version is coming upstream soon. Assigning to Jani, as he updated firejail
Please test with firetools-0.9.64-1.mga8 from mga8 core/updates_testing. SRPMS/RPMS: firetools-0.9.64-1.mga8
CC: (none) => jani.valimaaAssignee: jani.valimaa => qa-bugs
Firetools fails because firejail can't read UID_MIN and/or GID_MIN from non world readable /etc/login.defs and therefore prints "Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default" to stderr [1][2]. Firetool interpret that as an error and exits [3]. We install /etc/login.defs from shadow-utils for unknown reason with: %attr(0640,root,shadow) %config(noreplace) %{_sysconfdir}/login.defs [1] https://github.com/netblue30/firejail/blob/0.9.70/src/lib/firejail_user.c#L44 [2] https://github.com/netblue30/firejail/blob/0.9.70/src/lib/firejail_user.c#L89 [3] https://github.com/netblue30/firetools/blob/0.9.64/src/firetools/mainwindow.cpp#L49
I guess I'll have to patch firejail in mga8 to output only a warning if /etc/login.defs is non-readable. In cauldron this is fixed by changing /etc/login.defs to world readable.
(In reply to Jani Välimaa from comment #3) > I guess I'll have to patch firejail in mga8 to output only a warning if > /etc/login.defs is non-readable. > Pushed updated firejail for bug 30528 to also fix new firetools. Please test firetools-0.9.64-1.1.mga8 from core/updates_testing with firejail-0.9.70-1.1.mga8. New firetools release adds stricter reqs for firejail. RPMS/SRPMS: firetools-0.9.64-1.1.mga8
Progressing :) OK: In drakrpm selected firetools-0.9.64-1.1.mga8, and pulled in firejail-0.9.70-1.1.mga8 too. --- Nitpick: I now spotted a typo in description: firetools - Graphical user interface for Firajail "Firajail" no need to push update for that, but maybe fix source. --- OK: firetools now launch correctly, and from its launcher i can double click applications to start. I can also right click and get a menu. --- Fail: custom security profile, even using all default values Launch firetools-ui, select Network, Firefox. If you keep "(o) Use a default security profile" and click Continue, Done - Firefox get launched OK. But if you instead select "(o) Build a custom security profile" And continue with all default, it fail to launch. Last lines in terminal: Warning: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default Reading profile /tmp/firejail-ui-IiQ7KJ Reading profile /etc/firejail/disable-common.inc Error: cannot access profile file: /etc/firejail/disable-passwdmgr.inc Sandbox started, exiting firejail-ui... --- Fail: Logging. Still as Comment 0 point 2 --- By the way: Maybe also update fdns - Firejail DNS-over-HTTPS Proxy Server so we have the full "suite" updated. I have found nothing saying update is needed and have not tested it at all, but our version is two and a half year old.
disable-passwdmgr.inc was removed in firejail 0.9.68 [1]. I'll push another firetools release without disable-passwdmgr.inc includes. [1] https://github.com/netblue30/firejail/commit/ca8603c09d8ec0ac05e5853485707fe9f96499f2
(In reply to Jani Välimaa from comment #6) > disable-passwdmgr.inc was removed in firejail 0.9.68 [1]. I'll push another > firetools release without disable-passwdmgr.inc includes. > > [1] > https://github.com/netblue30/firejail/commit/ > ca8603c09d8ec0ac05e5853485707fe9f96499f2 Please test firetools-0.9.64-1.2.mga8 from mga8 core/udpates_testing. New release fixes typo in summary and doesn't try to include nonexistent disable-passwdmgr.inc. SRPMS/RPMS: firetools-0.9.64-1.2.mga8
Custom profile seem to be fixed (from my Comment 5 (BTW my typo there: wrote firetools-ui, meant firejail-ui) Logging still fail like Comment 0 point 2.
(In reply to Morgan Leijström from comment #8) > Custom profile seem to be fixed (from my Comment 5 > (BTW my typo there: wrote firetools-ui, meant firejail-ui) > > Logging still fail like Comment 0 point 2. Does it also happen with one from Core Release?
$ sudo urpmi --downgrade --search-media 'Core Release' firetools $ firejail-ui --version Firejail-ui version 0.9.62 $ firejail --version firejail version 0.9.70 -> Yes same problem. But manually launching with tracing seem to work $ firejail --trace firefox (Firefox runs, but I have not investigated what tracing really achieve...)
Selecting firetools package in QArepo, then trying to install it, gives me "firetools-0.9.64-1.2.mga8.x86_64 (due to unsatisfied firejail[>= 0.9.70-1.1])"
CC: (none) => herman.viaene
firejail-0.9.70-1.1.mga8.x86_64.rpm is in core/updates_testing/
I had similar problems on another update so I guees there is some mirror synching at play. Will try later.
Tested version indicated in Comment 7: $ firejail --version Warning: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default firejail version 0.9.70
? comment 7 states firetools version. Anyway you now run latest firejail, and that Warning seem to be harmless.
MGA8-64 plasma on Acer Aspire 5253 No installation issues Launched firetools, picked Okular from the listed applications , run it, and opened a pdf file in it. Works OK.
Whiteboard: (none) => MGA8-64-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2022-0130.html
Status: NEW => RESOLVEDResolution: (none) => FIXED