SElinux alert and crash on Fedora

PertinentAvocado

Hi - this morning upon logging into my Fedora box (running Asahi fedora remix on an m2 Macbook, so it's a bit weird) Vivaldi crashes shortly after launch with an SELinux alert.

This behaviour occurs regardless of installation from repositories or FlatPak, and regardless of deleting all settings. It is slightly different with FlatPak in that I get an "oops, Vivaldi crashed" alert along with the SELinux one. Reboots don't fix it.

The text from SELinux is:

SELinux is preventing systemd-coredum from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-coredum should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-coredum' --raw | audit2allow -M my-systemdcoredum
# semodule -X 300 -i my-systemdcoredum.pp

Additional Information:
Source Context                system_u:system_r:systemd_coredump_t:s0
Target Context                system_u:system_r:systemd_coredump_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-coredum
Source Path                   systemd-coredum
Port                          <Unknown>
Host                          AsahiSuperDry
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.28-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.28-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     AsahiSuperDry
Platform                      Linux AsahiSuperDry
                              6.12.10-400.asahi.fc41.aarch64+16k #1 SMP
                              PREEMPT_DYNAMIC Sat Jan 18 23:58:31 UTC 2025
                              aarch64
Alert Count                   2
First Seen                    2025-01-26 11:04:25 AEDT
Last Seen                     2025-01-26 11:11:26 AEDT
Local ID                      9f5e8da7-e931-4185-a818-01db8bb07ee2

Raw Audit Messages
type=AVC msg=audit(1737850286.374:623): avc:  denied  { sys_admin } for  pid=9772 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0


Hash: systemd-coredum,systemd_coredump_t,systemd_coredump_t,capability,sys_admin

It's a new error that seems to have come out of nowhere — it happened before I updated Fedora this morning. I've had a hunt around the forums and haven't managed to find anything directly on point.

PertinentAvocado

I see there are some more reports based on Asahi in this post (which is based on a seemingly different error and tagged Raspberry Pi, so I didn't think to read all the way to the end!)

crash-after-browser-start

fredallas

Hello @PertinentAvocado

The error messages says: "SELinux is preventing systemd-coredum from using the sys_admin capability. You can generate a local policy module to allow this access. Do allow this access for now by executing:

• list item ausearch -c 'systemd-coredum' --raw | audit2allow -M my-systemdcoredum
• list itemsemodule -X 300 -i my-systemdcoredum.pp"

Have you tried running these two commands?

Regards,
Fred.

PertinentAvocado

Hi @fredallas thanks for replying.

I did try that, although your reply prompted me to try again, and I don't think I did it right the first time.

Having followed those instructions, the FlatPak version crashes with a notification of the crash but no SELinux alert, and the dnf-installed stable version just silently quits. A clean install in each case.

I tried to generate a bug report after the FlatPak crash, but it the backtrace was of low quality and wouldn't let me!

fredallas

Hello @PertinentAvocado
Have you tried snapd? https://snapcraft.io/vivaldi

You may also try downloading the DEB file and installing it using dpkg -i vivaldi_file.deb https://vivaldi.com/download/

Let me know how it goes.
Regards,
Fred.

PertinentAvocado

Hi @fredallas, thanks again.

No more joy with the snap version, although with an added bonus that upon removal snap-update-ns triggers an SELinux alert.

At time of writing installing the .deb via dpkg is giving me an error because dpkg isn't installed (dpkg is installed, which I know because it's dpkg that is giving me that error...). I'll keep struggling with that. I may be missing something obvious, but it's been a long day.

Update:
Managed to install the .rpm, which was interesting only in that I launched it from the terminal and got the following:

Fontconfig error: Cannot load default config file: No such file: (null)
[11592:11592:0126/225908.128193:ERROR:gl_surface_presentation_helper.cc(260)] GetVSyncParametersIfAvailable() failed for 1 times!
[11592:11592:0126/225908.131761:ERROR:gl_surface_presentation_helper.cc(260)] GetVSyncParametersIfAvailable() failed for 2 times!
[11592:11592:0126/225910.014679:ERROR:gl_surface_presentation_helper.cc(260)] GetVSyncParametersIfAvailable() failed for 3 times!
[11546:11546:0126/225913.724183:ERROR:vivaldi_ui_web_contents_delegate.cc(53)] UI Process abnormally terminates with status 3 after running for 7.65516 seconds!
[11546:11546:0126/225913.746750:ERROR:vivaldi_ui_web_contents_delegate.cc(84)] Quiting Vivaldi

fredallas

Hello @PertinentAvocado
You may try momentarily setting SELinux to "Permissive" mode. You may need to access /etc/selinux/config and set SELINUX=permissive option, and then reboot the system. Once the system has been rebooted you may run the getenforce command in order to make sure SELinux is running in "Permissive" mode.

Do not forget to set SELINUX=enforcing in /etc/selinux/config after testing in order to enable SELinux again.

If issue does not happen while setting SELinux to "Permissive" mode the you may need to configure SELinux further so Vivaldi can run. These steps are only to check if SELinux is or not blocking Vivaldi from running.

Regards,
Fred.

edwardp

@PertinentAvocado Hi. Welcome to the Vivaldi Community.

Some months back, I submitted a bug report (VB-108234) where an SELinux alert was displayed once I launched Vivaldi for the first time after installation on Fedora (both Rawhide (development branch) and then-Fedora 40). It was also reported upstream to both Fedora and the Chromium project.

If you select to ignore the alert when it appears, the alert will not appear again.

Please note Flatpaks and Snaps run sandboxed on Linux, they do not see the rest of the installed system. This could be a reason why SELinux is not allowing system-coredum (system-coredump?) to run.

For a Fedora-based system, it's best to install Vivaldi from the provided RPM package on our Download page.

Here are some helpful links for new users:

Vivaldi Help
Vivaldi Features
Vivaldi How To
Vivaldi Tutorials
Vivaldi Blogs
Vivaldi Social
Vivaldi Snapshot vs Stable
Vivaldi Themes
Vivaldi's Troubleshooting Guides
Vivaldi's Mail Client
Vivaldi's Business Model

Report a Bug

51dusty

@edwardp I tried the rpm version but got the same results. I've also tried running with disabled extensions, no-sandbox, safe-mode. some will allow the program to run for longer amounts of time, but they all fail within 30seconds or so.

PertinentAvocado

Thanks @edwardp — I think I've tried every way to install it except for the .deb, in which .dpkg tells me .dpkg isn't installed.

I've entered the command that tells SELinux to allow the action that it was blocking. This stops the SELinux alert, but doesn't stop the Vivaldi crash. I'll try putting it fully into permissive mode and see how I go.

Oh, and I've tried the snapshot version as well — same result.

edwardp

@PertinentAvocado said in SElinux alert and crash on Fedora:

Thanks @edwardp — I think I've tried every way to install it except for the .deb, in which .dpkg tells me .dpkg isn't installed.

I've entered the command that tells SELinux to allow the action that it was blocking. This stops the SELinux alert, but doesn't stop the Vivaldi crash. I'll try putting it fully into permissive mode and see how I go.

Oh, and I've tried the snapshot version as well — same result.

Fedora doesn't use DEB packages, only RPM.

PertinentAvocado

Thank @edwardp. That'd be why, then! Installing software on Linux sure can be an adventure...

edwardp

@PertinentAvocado said in SElinux alert and crash on Fedora:

Thank @edwardp. That'd be why, then! Installing software on Linux sure can be an adventure...

I fully agree.

edwardp

@PertinentAvocado @51dusty

I would suggest submitting bug reports for this. Instructions for reporting crashes on Linux are on this page. The SELinux issue I had last year, did not involve a crash.

Bug reports can be submitted here. Please post the bug report numbers (VB-xxxxxx) in this thread.

Thank you for helping make Vivaldi better.

DoctorG

In case of using apparmor i found this solution.

PertinentAvocado

According to Hector Martín, the lead Asahi programmer, it's an

Upstream Chromium issue. It's already fixed upstream, Vivaldi just needs to update or backport the patch. This affects all Chromium-based browsers which update to the broken version.

https://issues.chromium.org/issues/378017037

Possible workaround if you can pass arguments to Chromium: --js-flags="--nodecommit_pooled_pages"

Asahi subreddit link

Is it still worth filing a bug? Happy to do so, but if it's a known thing then I don't want to create spam.

mib2berlin

@PertinentAvocado
Hi, in the Chromium report the developer write at Dec 23, 2024:
is this feasible to merge back to M131? or at least M132?
Vivaldi 7.1 is already Chromium 132 so I am not sure if the fix is in Chromium already.
I don't think the Vivaldi developer know this but it doesn't matter, if the fix is in Chromium upstream Vivaldi will get it.

Cheers, mib

OrbitalMartian

I’m running the latest Vivaldi version on Fedora with no issues. I have disabled SELinux though as it does cause a number of issues across a number of software.

yngve

@PertinentAvocado Since it is an upstream issue, there is little we can do about a bug, except resolve it as "Upstream".

The patch (or patches) for this issue are in the V8 Javascript engine, which is definitely one component of Chromium we do not dare touch. It is far to easy to trigger bugs (or worse), and this bug has 9 patches, some for specific branches (probably Chromium 133).

If the Chromium team has decided not to backport that indicates a couple of possible things: 1) they do not consider the bug serious, or 2) while (possibly) serious, they are not sure backporting the patch(es) is safe.

I am definitely not going to backport these patches. Sorry.

PertinentAvocado

Thanks @yngve — completely understand, backporting was Marcan's suggestion, not mine. Hopefully a fix filters through soon.