Bug 758233 - firefox in sandbox works on i686 but doesn't work on x86_64
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2011-11-29 15:40 UTC by Mads Kiilerich
Modified: 2013-04-24 19:52 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-04-24 19:52:43 UTC
Type: ---

Attachments
OpenBox config file (16.14 KB, text/xml)
2013-02-08 20:58 UTC, Peter Åstrand
/usr/share/sandbox/sandboxX.sh (979 bytes, application/x-sh)
2013-02-12 19:27 UTC, Daniel Walsh

Description Mads Kiilerich 2011-11-29 15:40:30 UTC
On several i686 systems I have 
  sandbox -X firefox
starting just fine (without net access).

I haven't seen it start on any of the x86_64 systems I have tried.

The Xephyr window shows up but remains black and with a spinning cursor. ps shows that firefox has a couple of defunct child processes. strace shows that the main process is kind of alive.

Launching firefox outside the sandbox works fine on the x86_64 systems.

Launching other apps such as filezilla or gedit in the sandbox works.

There are no avc's and running permissive makes no difference.

Trying to install i686 userspace on x86_64 makes no difference.

I don't know what kind of bug can cause this behaviour. My best guess would be some kind of low level ABI incompatibility between i686 and x86_64 in some obscure place.


Comment 1 Daniel Walsh 2011-11-29 20:44:03 UTC

sandbox -X -W metacity firefox

For some reason firefox does not like the matchbox window manager.

Comment 2 Mads Kiilerich 2011-11-29 22:48:50 UTC
I will check that. I kind of knew that but had ruled that out since it apparently depended on the platform.

I obviously have both metacity (required by gdm) and matchbox-window-manager (required by policycoreutils-sandbox), both on i686 and x86_64.

That leaves the questions:

Is it only on x86_64 that sandbox+firefox+matchbox is a problem?

(And of course: What is the problem really.)

Finally: Would it be possible for sandbox to use metacity by default when it already is a dependency of gdm and thus avoid the dependency to matchbox?

Comment 3 Daniel Walsh 2011-11-30 17:19:59 UTC
Well, the benefit of matchbox versus metacity is it runs apps automatically in full screen mode. If we could get metacity to have an option to run apps this way, I would run away from matchbox very quickly.

I am looking for the app to look like it is running as a local app rather than in a different desktop. Apps like openoffice and evince run real well in this environment. Only Firefox seems to blow up.

You can also see this by executing

sandbox -X xterm

Then in the sandbox run firefox.

Comment 4 Mads Kiilerich 2011-11-30 18:57:57 UTC
I filed a matchbox issue:
Bug 758733 - Problems running firefox with matchbox under Xephyr

Comment 5 Daniel Walsh 2011-11-30 19:11:19 UTC
Sadly I am the matchbox maintainer, since we are the only user, and I have no idea how to debug the issue...

Comment 6 Peter Åstrand 2012-09-10 10:01:38 UTC
(In reply to comment #5)
> Sadly I am the matchbox maintainer, since we are the only user, and I have
> no idea how to debug the issue...

This seems to be a 64 bit issue, but somehow also related to versions or possibly configure flags. On usdemo.thinlinc.com (64-bit RHEL6, provided package), Firefox works with Matchbox without problems. On eudemo.thinlinc.com (64-bit RHEL5, manual build), Firefox launch only worked occasionally. Very often no window was created at all. Sometimes a small and gray window was created. After rebuilding Matchbox as a 32-bit application using CFLAGS="-m32", it works correctly. If you want to investigate, you can create an account on http://www.cendio.com/testdrive/.

Comment 7 Fedora End Of Life 2013-01-16 13:26:16 UTC
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 

Comment 8 Daniel Walsh 2013-02-08 18:00:08 UTC
Are you still seeing this problem in F17 or F18?

Comment 9 Peter Åstrand 2013-02-08 18:07:58 UTC
We gave up on Matchbox. The upstream project is gone. We are using OpenBox instead.

Comment 10 Daniel Walsh 2013-02-08 19:37:24 UTC
Can you get openbox to run apps in full screen mode?

Comment 11 Peter Åstrand 2013-02-08 20:58:53 UTC
Created attachment 695232
OpenBox config file

This is the OpenBox config file we are using for the ThinLinc single application publishing. The last part of the file activates maximized mode for all normal windows. Fullscreen should be possible as well, but we haven't tested that. Please note that you have to remove the "V" from titleLayout in order to use it with upstream OpenBox.

Comment 12 Daniel Walsh 2013-02-12 19:27:02 UTC
Created attachment 696595

Please use this sandboxX.sh and try it out with openbox.  My only problem with this is the application seems to be starting slow.

Comment 13 Fedora End Of Life 2013-02-13 14:14:19 UTC
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 14 Daniel Walsh 2013-02-14 13:53:12 UTC
Changing to OpenBox in Fedora 19.

Comment 15 Fedora End Of Life 2013-04-03 19:20:06 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
