Closed richmattes closed 11 years ago
Fedora is not a supported distribution; only Ubuntu 12.04 LTS is.
It shouldn't crash anymore. But you won't get any mp3 audio as the decoder can't JIT.
This blog explains what execheap is, http://www.akkadia.org/drepper/selinux-mem.html
I see almost no code that needs execheap which is why it is off by default.
I still have this problem on Fedora18 i686
On Fedora 21 the problem is still present, please fix it!
Is there any particular reason the mp3 decoder requires memory that's both writable and executable?
@ariscop probably just badly written code... like 99.9% of the problems reported by SELinux
still same problem with hl2 on fedora fc22, would be nice to fix...
+1 here...
Please Valve guys, a lot of other Linux distros are using Steam right now, and these people are trying to help you to make a good with games :)
Please, help us to help you!
Could ask the workstation guys to turn this on by default for the workstation distribution. Should probably be off in server and cloud editions, since they are unlikely to run desktop apps.
@rhatdan I strongly disagree with this. There is no sane reason for Team Fortress to do so, so it should not do it, neither on the servers nor on the workstations.
I am just looking at practicality here. Is this a problem with Steam or the games that people install? It has always been argued about whether we should confine the unconfined domain. I talked about this back in 2009
The practicality is suggested in the first post (aka: workaround) but please DO NOT suggest to reduce the default security level just because someone is too lazy to fix its own code...
Anyone know a more elegant solution than this global disable? Can you enable this setting for only tf2?
Utter and complete insanity this thing still exists from 2013. Btw, that lib is exploitable.
No way am I running without this enabled.
Still exists on Fedora 29 & 30. Not present on Pop_OS. Haven't gotten a chance to try other operating systems. Crazy this is still an issue.
@ThatGeekZen The issue has been moved here https://github.com/ValveSoftware/Source-1-Games/issues/2734
This issue will happen on any system with the selinux property allow_execheap set to 0, or any system with similar W^X restrictions. The consoles tf2 was released on do enforce W^X but rather than fix the decoder they likely omit mp3 support for those builds, using ogg or perhaps even wma on the xbox instead
A year later, still a thing!
As just a workaround, it's possible to allow hl2_linux to do execheap with something like this (requires related error messages to be present in log?):
# ausearch -c 'hl2_linux' --raw | audit2allow -M my-hl2linux
# semodule -X 300 -i my-hl2linux.pp
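An added example (not code from this thread or from the SELinux tools) showing the scope of what the workaround above grants. It approximates, on constructed AVC records, how denials selected by command name turn into allow rules keyed on SELinux type; the sample records, the path and the name other_app are constructed.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

# Constructed sample records in the raw AVC format that audit2allow reads.
SAMPLE = '''\
type=AVC msg=audit(1700000000.101:410): avc:  denied  { execheap } for  pid=4211 comm="hl2_linux" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1700000002.330:415): avc:  denied  { execmod } for  pid=4211 comm="hl2_linux" path="/home/user/example.so" dev="dm-2" ino=1311 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000005.774:419): avc:  denied  { execheap } for  pid=4298 comm="other_app" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
'''

def parse(log):
    """Return one dict per AVC denial found in the log text."""
    return [{"comm": m["comm"],
             "src": m["s"].split(":")[2],   # type is the third context field
             "tgt": m["t"].split(":")[2],
             "cls": m["cls"],
             "perms": set(m["perms"].split())}
            for m in AVC_RE.finditer(log)]

def derive_rules(records, comm):
    """Collect denials for one command name, as `ausearch -c` selects them."""
    rules = defaultdict(set)
    for r in records:
        if r["comm"] == comm:
            rules[(r["src"], r["tgt"], r["cls"])] |= r["perms"]
    return rules

def render(rules):
    """Format the rules the way they appear in a generated .te file."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        p = sorted(perms)
        perm = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        lines.append(f"allow {src} {target}:{cls} {perm};")
    return lines

def also_allowed(rules, records, comm):
    """Other commands whose denials the same rules would now permit."""
    return sorted({r["comm"] for r in records if r["comm"] != comm and
                   r["perms"] <= rules.get((r["src"], r["tgt"], r["cls"]), set())})

if __name__ == "__main__":
    recs = parse(SAMPLE)
    rules = derive_rules(recs, "hl2_linux")
    print("\n".join(render(rules)), also_allowed(rules, recs, "hl2_linux"))
```

audit2allow -M also writes my-hl2linux.te next to the .pp file; reading it before running semodule shows every rule the module will install, including any picked up from unrelated denials logged for the same command.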
Bump
Also the workaround doesn't help anymore; it just fails to create mp3 now and spams the console with the error.
The option to tune selinux / allow execheap for specific process - should work anyway.
I would switch selinux temporarily from enforcing to permissive (echo 0 > /sys/fs/selinux/enforce) and check mp3 creation again.
As just a workaround, it's possible to allow hl2_linux to do execheap with something like this (requires related error messages to be present in log?):
# ausearch -c 'hl2_linux' --raw | audit2allow -M my-hl2linux
# semodule -X 300 -i my-hl2linux.pp
It works!
Also the workaround doesn't help anymore; it just fails to create mp3 now and spams the console with the error.
The option to tune selinux / allow execheap for specific process - should work anyway.
I would switch selinux temporarily from enforcing to permissive (echo 0 > /sys/fs/selinux/enforce) and check mp3 creation again.
I recommend using the command setenforce permissive.
This is against distribution and industry best practices, so probably not the best recommendation
Giving some Valve games a try on Fedora Silverblue with SELinux enabled, it doesn't seem to have this issue, I can't recall setting the execheap permission, but everything works just fine. I am also running Steam through distrobox, with rootless podman, so that might help.
In any case, the method ohhai suggested to allow hl2_linux to use execheap should work, rather than setting selinux to permissive. If I have any issues with it, I'll give it a try.
It works because distrobox clears your SELinux issues, if you ran Steam through flatpak it most likely would not work as well :( - Still, the best fix right now is that ausearch one
Running steam from Spot's repo on Fedora 18 x86_64. Team Fortress 2 crashes immediately after launching due to a conflict with selinux. The game requires the selinux to allow executable heap memory, which is disallowed by default.
To work around, one can disable selinux entirely, or use setsebool to allow executable heap memory as follows:
su -c "setsebool -P allow_execheap 1"