gdrewb-valve
commented
8 years ago Possible Steam runtime incompatibility issue.
Closed HarleyGaniere closed 6 months ago
gdrewb-valve
commented
8 years ago Possible Steam runtime incompatibility issue.
Tele42
commented
8 years ago Looks like a continuation of https://github.com/ValveSoftware/steam-for-linux/issues/43 to me. LibMiles has a hard time with selinux.
HarleyGaniere
commented
8 years ago @Tele42 Now that you mention it, I have opened SELinux Alert Browser and was greeted with this.
SELinuxhas detected a problem.
The source process: hl2_linux
Attempted this access: execheap
SELinux is preventing hl2_linux from using the execheap access on a process.
***** Plugin allow_execheap (53.1 confidence) suggests ********************
If you do not think hl2_linux should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.
Plugin catchall_boolean (42.6 confidence) suggests
If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.
You can read 'None' man page for more details.
Do
setsebool -P selinuxuser_execheap 1
Plugin catchall (5.76 confidence) suggests
If you believe that hl2_linux should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'hl2_linux' --raw | audit2allow -M my-hl2linux
semodule -X 300 -i my-hl2linux.pp
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects Unknown [ process ]
Source hl2_linux
Source Path hl2_linux
Port <Unknown>
Host aurora-242
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-191.5.fc24.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name aurora-242
Platform Linux aurora-242 4.7.0-0.rc7.git4.2.fc25.x86_64 #1
SMP Tue Jul 19 15:56:43 UTC 2016 x86_64 x86_64
Alert Count 2
First Seen 2016-07-28 08:57:38 EDT
Last Seen 2016-07-28 09:28:37 EDT
Local ID 1693be0f-7692-47af-8f54-0e59a9d0b0ba
Raw Audit Messages
type=AVC msg=audit(1469712517.246:1943): avc: denied { execheap } for pid=19480
comm="hl2_linux" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Hash: hl2_linux,unconfined_t,unconfined_t,process,execheap`
cob16
commented
7 years ago Still exists as of 08/14/2017 on Fadora 26. Current workaround in https://github.com/ValveSoftware/steam-for-linux/issues/43
h1z1
commented
6 years ago Still exists as of 10/10/2017.
eiglow
commented
4 years ago Using the Steam Linux Runtime, the issue still appears.
ohhai
commented
3 years ago I also have SELinux errors about execheap access of hl2_linux process:
type=AVC msg=audit(1619827374.239:701): avc: denied { execheap } for pid=33541 comm="hl2_linux" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
Spowmtom
commented
3 years ago My AVC denial code is:
type=AVC msg=audit(1626208128.915:2728): avc: denied { execheap } for pid=851460 comm="hl2_linux" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
When I pass it through Sealert, I get this:
SELinux is preventing hl2_linux from using the execheap access on a process.
***** Plugin allow_execheap (53.1 confidence) suggests ********************
If you do not think hl2_linux should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.
***** Plugin catchall_boolean (42.6 confidence) suggests ******************
If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.
Do
setsebool -P selinuxuser_execheap 1
***** Plugin catchall (5.76 confidence) suggests **************************
If you believe that hl2_linux should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'hl2_linux' --raw | audit2allow -M my-hl2linux
# semodule -X 300 -i my-hl2linux.pp
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects Unknown [ process ]
Source hl2_linux
Source Path hl2_linux
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-34.13-1.fc34.noarch
Local Policy RPM selinux-policy-targeted-34.13-1.fc34.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name fedora
Platform Linux fedora 5.12.14-300.fc34.x86_64 #1 SMP Wed
Jun 30 18:30:21 UTC 2021 x86_64 x86_64
Alert Count 2
First Seen 2021-07-13 16:28:48 EDT
Last Seen 2021-07-13 16:35:48 EDT
Local ID 2ad82736-edf4-4410-8710-505061c1aa93
Raw Audit Messages
type=AVC msg=audit(1626208548.811:2753): avc: denied { execheap } for pid=851963 comm="hl2_linux" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Hash: hl2_linux,unconfined_t,unconfined_t,process,execheapSo I did what it suggested, ausearch -c 'hl2_linux' --raw | audit2allow -M my-hl2linux and then semodule -i my-hl2linux.pp and it works! Team Fortress 2 can play music and voice lines without totally disabling SELinux.
GuilleDF
commented
2 years ago Not sure if it's related to this, but I had a similar issue and I resolved it by deleting all of the .cache files in the TF2 folder
EntityinArray
commented
2 years ago I had this issue when playing TF2 on Linux.
Turns out this problem was caused by SELinux. I managed to fix it by allowing execheap permission with this command:
sudo setsebool -P selinuxuser_execheap 1
Looks like TF2 executes code from the heap in order to play MP3 files, which is insecure and gets blocked by SELinux.
aaalloc
commented
2 years ago I had this issue when playing TF2 on Linux. Turns out this problem was caused by SELinux. I managed to fix it by allowing execheap permission with this command:
sudo setsebool -P selinuxuser_execheap 1Looks like TF2 executes code from the heap in order to play MP3 files, which is insecure and gets blocked by SELinux.
this worked for me.
egirlcatnip
commented
2 years ago THANK YOU @EntityinArray
gridlocdev
commented
1 year ago If you are using Fedora or a Fedora-based Linux distribution, chances are that this issue is from SELinux (Security Enhanced Linux), which is a beneficial bonus layer of security for your computer.
From what I've gathered so far, the Miles Sound System that is used by Source engine games (including TF2) has an unpatched ACE vulnerability which allows it to both write and execute data in memory on the heap. In Fedora's case SELinux blocks this (because it should), which prevents audio files from loading.
Previous answers suggest using setsebool -P selinux_execheap 1, but please be aware that this is a bad idea because this would allow any program that uses execheap to run arbitrary code on your computer, not just TF2. To undo this, just set the boolean back to default with setsebool -P selinux_execheap 0.
Instead, I suggest you use the following workaround instead like @Spowmtom and I did, which only whitelists this behavior for games that run on the Source engine, such as TF2.
ausearch -c 'hl2_linux' --raw | audit2allow -M my-hl2linux
semodule -i my-hl2linux.ppHere is a brief explanation of what the above snippet does:
Here is an expanded description of each command:
ausearch -c 'hl2_linux' --raw: Displays the unformatted information for 'hl2_linux' in the system audit daemon logsaudit2allow -M my-hl2linux: From the above denied system operations that were piped in, generates a loadable policy module file (.pp) named 'my-hl2linux' in the current directorysemodule -i my-hl2linux.pp: Installs the SELinux policy module file named 'my-hl2-linux.pp'If you want to roll back and remove the security exception this has added for TF2, you can run the following command:
semodule -r my-hl2linux: Removes the module from the SELinux policy rules
starkle
commented
1 year ago If you don't want to tamper with SELinux, forcing the game to use Proton may work around the issue as well. I was able get Portal working this way, at least.
You may need to set this before downloading / installing the game. Hopefully this gets fixed soon so users aren't misled into compromising SELinux.
GuilleDF
commented
1 year ago IIRC TF2 doesn't let you connect to any server when run through proton, unfortunately 😞
KyleGospo
commented
1 year ago If you are using Fedora or a Fedora-based Linux distribution, chances are that this issue is from SELinux (Security Enhanced Linux), which is a beneficial bonus layer of security for your computer.
Thank you for this, I went ahead and created a Copr repo that provides this same change as an RPM package if anyone would rather go that route. Naturally if this issue is ever resolved I'll push an update that removes the SELinux rule and eventually delete the repository.
You can grab that here if you're interested.
HarleyGaniere
commented
1 year ago If you are using Fedora or a Fedora-based Linux distribution, chances are that this issue is from SELinux (Security Enhanced Linux), which is a beneficial bonus layer of security for your computer.
Thank you for this, I went ahead and created a Copr repo that provides this same change as an RPM package if anyone would rather go that route. Naturally if this issue is ever resolved I'll push an update that removes the SELinux rule and eventually delete the repository.
You can grab that here if you're interested.
Wonderfully done, this is the best workaround I've seen yet.
If anyone sees this post in the future, use the COPR repo @KyleGospo provided as it is the easiest and most desirable method of patching the issue until something upstream happens. The only other known method is to allow excheap to run through SELinux manually as discussed further above. If one chooses to make the changes manually, the ideal method was beautifully explained by @gridlocdev.
The COPR repo is an easy method to manage and can be reverted easily if desired. The COPR repo should be especially useful for those on immutable (Silverblue) Fedora installations as when changed manually the SELinux policy reverts during upgrades, at least it did in my experience migrating from Fedora Silverblue 36 to 37.
ashquarky
commented
1 year ago Hi @KyleGospo, thanks for the repo! unfortunately it didn't seem to work for me (F37 Workstation), even after a reboot, however running the commands manually in a terminal worked immediately. Is there some additional install or enable step beyond just installing the hl2linux-selinux package?
KyleGospo
commented
1 year ago Hi @KyleGospo, thanks for the repo! unfortunately it didn't seem to work for me (F37 Workstation), even after a reboot, however running the commands manually in a terminal worked immediately. Is there some additional install or enable step beyond just installing the
hl2linux-selinuxpackage?
It should work exactly as you described, are you using Flatpak Steam?
jolty1
commented
7 months ago Is anyone able to try the new x64_linux_test beta branch for TF2 ? Some libraries like SDL have been updated. SELinux workarounds may not be required now.
I am currently not on Fedora to try myself.
Joshua-Ashton
commented
6 months ago This is fixed in the x64_linux_test branch as Miles is no longer used for MP3 playback.
HarleyGaniere
commented
6 months ago Howdy,
As @Joshua-Ashton stated:
This is fixed in the x64_linux_test branch as Miles is no longer used for MP3 playback.
Currently, there is a 64-bit beta for Team Fortress 2, accessible in Properties -> Betas -> x64_test, which addresses the missing audio issue not only in Fedora but also in Fedora Silverblue (Flatpak), as well as in all SELinux-based distros I've tested. Multiplayer is not yet available in the 64-bit beta, so please be patient until a full release is issued.
I am finally closing this issue (nearly 8 years after my initial report, WOO!!!) as there is now an official fix implemented. :smiley: :tada:
In the meantime, until the 64-bit beta becomes stable, if anyone is looking to play the 32-bit version as it is currently, to fix follow @KyleGospo's COPR repo
Mutable/Workstation
sudo dnf copr enable kylegospo/hl2linux-selinux
sudo dnf install hl2linux-selinux
Immutable/Silverblue
sudo wget https://copr.fedorainfracloud.org/coprs/kylegospo/hl2linux-selinux/repo/fedora-$(rpm -E %fedora)/kylegospo-hl2linux-selinux-fedora-$(rpm -E %fedora).repo -O /etc/yum.repos.d/_copr_kylegospo-hl2linux-selinux.repo
rpm-ostree install hl2linux-selinux
or manually implement as explained by @Spowmtom and @gridlocdev
ausearch -c 'hl2_linux' --raw | audit2allow -M my-hl2linux
semodule -i my-hl2linux.pp
Here's a copy from what is being displayed in the console.
[TF Workshop] Got 0 subscribed maps, 0 new maxplayers set to 24 Error: Material "debug/debugluxels" uses unknown shader "DebugLuxels" Error: Material "_fillrate0" uses unknown shader "FillRate" Error: Material "debugnormalmap_1" uses unknown shader "DebugNormalMap" Error: Material "_debugdrawenvmapmask2" uses unknown shader "DebugDrawEnvmapMask" Error: Material "debugdepth_3" uses unknown shader "DebugDepth" Error: Material "___debugdepth_4" uses unknown shader "DebugDepth" Steam config directory: /storage-1/user/SteamLibrary/steamapps/common/Team Fortress 2/platform/config CClientSteamContext logged on = 1 Cleaning up unneeded replay block data... Replay cleanup done. Loading default settings for high sensitivity Connection to game coordinator established. CTFGCClientSystem::PostInitGC CTFGCClientSystem - adding listener Hiding LobbyContainerFrameHiding LobbyContainerFrameHiding LobbyContainerFrame Can't use cheat cvar fog_start in multiplayer, unless the server has sv_cheats set to 1. Can't use cheat cvar fog_end in multiplayer, unless the server has sv_cheats set to 1. Can't use cheat cvar fog_startskybox in multiplayer, unless the server has sv_cheats set to 1. Can't use cheat cvar fog_endskybox in multiplayer, unless the server has sv_cheats set to 1. Can't use cheat cvar r_farz in multiplayer, unless the server has sv_cheats set to 1. Applying new item schema, version 9B123B70 WARNING Item schema mismatch after update! GC told us to expect 9B123B70, we got 8B53863F Applied updated item schema from GC. 3347980 bytes, version 9B123B70. m_face->glyph->bitmap.width is 0 for ch:32 TF2 Build m_face->glyph->bitmap.width is 0 for ch:32 TF2 m_face->glyph->bitmap.width is 0 for ch:32 DejaVu Sans Failed to create decoder for MP3 [ ui/gamestartup23.mp3 ]
I am running vanilla Fedora 24 with Steam freshly installed. There are no character voices, ambient sound, or music while playing TF2.