Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1596191

Summary: Firefox tab crashes upon launch, not recoverable
Product: Red Hat Enterprise Linux 7 Reporter: Gerrit Slomma <gerrit.slomma>
Component: firefoxAssignee: Martin Stransky <stransky>
Status: CLOSED WORKSFORME QA Contact: Desktop QE <desktop-qa-list>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.5CC: gerrit.slomma
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-04 11:52:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
firefox kicks the bucket none

Description Gerrit Slomma 2018-06-28 12:05:53 UTC 
Description of problem:

Upon launching firefox the newly opened tab crashes.
Recover via "recover this tab" (localized "Diesen Tab wiederherstellen") everytime yields the same result.

Version-Release number of selected component (if applicable):

firefox 52.7.0-1.el7_4

How reproducible:

Start firefox on the console, logged in via ssh, x-window forwarded to Windows-Client via Xming 6.9.0.31

Steps to Reproduce:
1. start firefox
2. experience crash page
3. try tab recovery
4. experience the same crash page over and over and over again

Actual results:

Get a crash page.

Expected results:

Get a about:blank

Additional info:

This is true for the standard start page file:///usr/share/doc/HTML/index.html as well for a page on a JBoss run on localhost, see screenshot.
Seems to have something to do with selinux:

Jun 28 13:47:04 B0164529.entw.bund.drv dbus[794]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jun 28 13:47:05 B0164529.entw.bund.drv dbus[794]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jun 28 13:47:05 B0164529.entw.bund.drv setroubleshoot: failed to retrieve rpm info for mozplugger
Jun 28 13:47:05 B0164529.entw.bund.drv setroubleshoot: failed to retrieve rpm info for spice-xpi
Jun 28 13:47:05 B0164529.entw.bund.drv setroubleshoot: failed to retrieve rpm info for mozplugger
Jun 28 13:47:05 B0164529.entw.bund.drv setroubleshoot: SELinux is preventing /usr/lib64/firefox/plugin-container from name_connect access on the tcp_socket port 6010. For complete SELinux messages run: sealert -l caf16162-5e40-426c-b5ca-7d65d0d3b36b
Jun 28 13:47:05 B0164529.entw.bund.drv python: SELinux is preventing /usr/lib64/firefox/plugin-container from name_connect access on the tcp_socket port 6010.#012#012*****  Plugin mozplugger (89.7 confidence) suggests   ************************#012#012If you want to use the plugin package#012Then you must turn off SELinux controls on the Firefox plugins.#012Do#012# setsebool -P unconfined_mozilla_plugin_transition 0#012#012*****  Plugin catchall_boolean (10.0 confidence) suggests   ******************#012#012If you want to allow mozilla to plugin can network connect#012Then you must tell SELinux about this by enabling the 'mozilla_plugin_can_network_connect' boolean.#012#012Do#012setsebool -P mozilla_plugin_can_network_connect 1#012#012*****  Plugin catchall (1.69 confidence) suggests   **************************#012#012If you believe that plugin-container should be allowed name_connect access on the port 6010 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine#012# semodule -i my-plugincontaine.pp#012
Jun 28 13:47:11 B0164529.entw.bund.drv setroubleshoot: failed to retrieve rpm info for mozplugger
Jun 28 13:47:11 B0164529.entw.bund.drv setroubleshoot: failed to retrieve rpm info for spice-xpi
Jun 28 13:47:11 B0164529.entw.bund.drv setroubleshoot: failed to retrieve rpm info for mozplugger
Jun 28 13:47:11 B0164529.entw.bund.drv setroubleshoot: SELinux is preventing /usr/lib64/firefox/plugin-container from name_connect access on the tcp_socket port 6010. For complete SELinux messages run: sealert -l caf16162-5e40-426c-b5ca-7d65d0d3b36b
Jun 28 13:47:11 B0164529.entw.bund.drv python: SELinux is preventing /usr/lib64/firefox/plugin-container from name_connect access on the tcp_socket port 6010.#012#012*****  Plugin mozplugger (89.7 confidence) suggests   ************************#012#012If you want to use the plugin package#012Then you must turn off SELinux controls on the Firefox plugins.#012Do#012# setsebool -P unconfined_mozilla_plugin_transition 0#012#012*****  Plugin catchall_boolean (10.0 confidence) suggests   ******************#012#012If you want to allow mozilla to plugin can network connect#012Then you must tell SELinux about this by enabling the 'mozilla_plugin_can_network_connect' boolean.#012#012Do#012setsebool -P mozilla_plugin_can_network_connect 1#012#012*****  Plugin catchall (1.69 confidence) suggests   **************************#012#012If you believe that plugin-container should be allowed name_connect access on the port 6010 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine#012# semodule -i my-plugincontaine.pp#012
Jun 28 13:47:14 B0164529.entw.bund.drv setroubleshoot: failed to retrieve rpm info for mozplugger
Jun 28 13:47:14 B0164529.entw.bund.drv setroubleshoot: failed to retrieve rpm info for spice-xpi
Jun 28 13:47:14 B0164529.entw.bund.drv setroubleshoot: failed to retrieve rpm info for mozplugger
Jun 28 13:47:14 B0164529.entw.bund.drv setroubleshoot: SELinux is preventing /usr/lib64/firefox/plugin-container from name_connect access on the tcp_socket port 6010. For complete SELinux messages run: sealert -l caf16162-5e40-426c-b5ca-7d65d0d3b36b
Jun 28 13:47:14 B0164529.entw.bund.drv python: SELinux is preventing /usr/lib64/firefox/plugin-container from name_connect access on the tcp_socket port 6010.#012#012*****  Plugin mozplugger (89.7 confidence) suggests   ************************#012#012If you want to use the plugin package#012Then you must turn off SELinux controls on the Firefox plugins.#012Do#012# setsebool -P unconfined_mozilla_plugin_transition 0#012#012*****  Plugin catchall_boolean (10.0 confidence) suggests   ******************#012#012If you want to allow mozilla to plugin can network connect#012Then you must tell SELinux about this by enabling the 'mozilla_plugin_can_network_connect' boolean.#012#012Do#012setsebool -P mozilla_plugin_can_network_connect 1#012#012*****  Plugin catchall (1.69 confidence) suggests   **************************#012#012If you believe that plugin-container should be allowed name_connect access on the port 6010 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine#012# semodule -i my-plugincontaine.pp#012

[root@B0164529 ~]# sealert -l caf16162-5e40-426c-b5ca-7d65d0d3b36b
SELinux hindert /usr/lib64/firefox/plugin-container daran, mit name_connect-Zugriff auf tcp_socket port 6010 zuzugreifen.

*****  Plugin mozplugger (89.7 Wahrscheinlichkeit) schlägt vor    ************

If you want to use the plugin package
Dannsie müssen die SELinux-Überwachung der Firefox-Plugins ausschalten.
Ausführen
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall_boolean (10.0 Wahrscheinlichkeit) schlägt vor    ******

Sie folgendes tun möchten: allow mozilla to plugin can network connect
Dannsie müssen SELinux darüber benachrichtigen, indem Sie die   boolesche Variable »mozilla_plugin_can_network_connect« aktivieren.

Ausführen
setsebool -P mozilla_plugin_can_network_connect 1

*****  Plugin catchall (1.69 Wahrscheinlichkeit) schlägt vor    **************

If you believe that plugin-container should be allowed name_connect access on the port 6010 tcp_socket by default.
Dannsie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Ausführen
allow this access for now by executing:
# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine
# semodule -i my-plugincontaine.pp


zusätzliche Information:
Quellkontext                  unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Zielkontext                   system_u:object_r:xserver_port_t:s0
Zielobjekte                   port 6010 [ tcp_socket ]
Quelle                        plugin-containe
Quellpfad                     /usr/lib64/firefox/plugin-container
Port                          6010
Host                          B0164529.entw.bund.drv
RPM-Pakete der Quelle
RPM-Pakete des Ziels
Richtlinien-RPM               selinux-policy-3.13.1-192.el7.noarch
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Enforcing
Rechnername                   B0164529.entw.bund.drv
Plattform                     Linux B0164529.entw.bund.drv 3.10.0-862.el7.x86_64
                              #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64
Anzahl der Alarme             21
Zuerst gesehen                2018-05-23 10:10:44 CEST
Zuletzt gesehen               2018-06-28 13:47:11 CEST
Lokale ID                     caf16162-5e40-426c-b5ca-7d65d0d3b36b

Raw-Audit-Meldungen
type=AVC msg=audit(1530186431.482:100384): avc:  denied  { name_connect } for  pid=31360 comm="plugin-containe" dest=6010 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket


Hash: plugin-containe,mozilla_plugin_t,xserver_port_t,tcp_socket,name_connect

Seems to be working flawless when at the server-connected monitor in the datacenter.

besides: Some of the german translations are rather clumsy and do not make a good reading.
Comment 2 Gerrit Slomma 2018-06-28 12:06:54 UTC 
Created attachment 1455278 [details]
firefox kicks the bucket
Comment 3 Martin Stransky 2018-07-03 06:41:18 UTC 
Please retest with the latest 60.1.0 package.
Comment 4 Gerrit Slomma 2018-07-04 11:00:02 UTC 
Seems to be working with firefox.x86_64 0:60.1.0-4.el7_5
Tested on two previously affected systems, bot working fine.
Comment 5 Martin Stransky 2018-07-04 11:52:23 UTC 
Closing, Thanks.