snapcrafters / signal-desktop

Unofficial Signal Desktop installer for Linux
https://snapcraft.io/signal-desktop
GNU Affero General Public License v3.0

[Bug]: failure to launch and concurrent SELinux warning #296

Closed aarek-eng closed 2 weeks ago

aarek-eng commented 1 month ago

What happened?

On Fedora 40, under Gnome DE, I clicked on the Signal-Desktop menu icon, and it failed to launch. Immediately, a SELinux alert appeared. I'm not certain whether the two are related, but I see no other reason why it popped up where it did. Here's the detail:

SELinux is preventing wine-preloader from using the execheap access on a process.

*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think wine-preloader should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Do
setsebool -P selinuxuser_execheap 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that wine-preloader should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'wine-preloader' --raw | audit2allow -M my-winepreloader
# semodule -X 300 -i my-winepreloader.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        wine-preloader
Source Path                   wine-preloader
Port                          <Unknown>
Host                          localhost
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.23-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.23-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 6.9.7-200.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Jun 27 18:11:45 UTC 2024
                              x86_64
Alert Count                   604
First Seen                    2024-06-28 00:07:55 CEST
Last Seen                     2024-07-12 15:19:35 CEST
Local ID                      d3e577ff-f396-466e-a576-8f1ff4500aa7

Raw Audit Messages
type=AVC msg=audit(1720790375.846:797): avc:  denied  { execheap } for  pid=46438 comm="signal-desktop" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

Hash: wine-preloader,unconfined_t,unconfined_t,process,execheap

What should have happened?

When I clicked on the signal-desktop icon, the app should have launched normally.

Output of snap info $snap_name

user@localhost:~$ snap info signal-desktop
name:      signal-desktop
summary:   Speak Freely - Private Messenger
publisher: Snapcrafters✪
store-url: https://snapcraft.io/signal-desktop
contact:   https://github.com//snapcrafters/signal-desktop/issues
license:   AGPL-3.0-only
description: |
  **Note: To use the Signal desktop app, you must first install Signal on
  your phone.**

  Millions of people use Signal every day for free and instantaneous
  communication anywhere in the world. Send and receive high-fidelity
  messages, participate in HD voice/video calls, and explore a growing set
  of new features that help you stay connected. Signal's advanced
  privacy-preserving technology is always enabled, so you can focus on
  sharing the moments that matter with the people who matter to you.

  - Say anything - State-of-the-art end-to-end encryption (powered by the
  open source Signal Protocol™) keeps your conversations secure. Privacy
  isn't an optional mode; it's just the way that Signal works. Every
  message, every call, every time.
  - Go fast - Messages are delivered quickly and reliably, even on slow
  networks. Signal is optimized to operate in the most constrained
  environment possible.
  - Feel free - Signal is a completely independent 501c3 nonprofit.
  Development is supported by users like you. No advertisements. No
  trackers. No kidding.
  - Be yourself - You can use your existing phone number and address book
  to securely communicate with your friends.
  - Speak up - Whether they live across town or across the ocean, Signal's
  enhanced audio and video quality will make your friends and family feel
  closer.
  - Whisper in the shadows - Switch to the dark theme if you refuse to see
  the light.

  **Minimize to tray**

  Per the request of the Signal developers, this snap does not use the
  system tray by default. This is disabled by default per the request of
  the Signal developers, because system tray support is not stable. Set to
  `false`, Signal will stop when you close it and will not have a system
  tray icon. You can enable it by running the following command.

      snap set signal-desktop tray-icon=true

  **Are you having issues?**

  Let us know by creating a new issue here:
  https://github.com/snapcrafters/signal-desktop/issues

  **Authors**

  This snap is maintained by the Snapcrafters community, and is not
  necessarily endorsed or officially maintained by the upstream developers.
commands:
  - signal-desktop
snap-id:      r4LxMVp7zWramXsJQAKdamxy6TAWlaDD
tracking:     latest/stable
refresh-date: 6 days ago, at 21:58 CEST
channels:
  latest/stable:    7.15.0 2024-07-04 (671) 196MB -
  latest/candidate: 7.15.0 2024-07-04 (671) 196MB -
  latest/beta:      ↑                             
  latest/edge:      ↑                             
installed:          7.15.0            (671) 196MB -

Output of snap connections $snap_name

user@localhost:~$ snap connections signal-desktop
Interface               Plug                                   Slot                            Notes
audio-playback          signal-desktop:audio-playback          :audio-playback                 -
audio-record            signal-desktop:audio-record            :audio-record                   -
browser-support         signal-desktop:browser-support         :browser-support                -
camera                  signal-desktop:camera                  :camera                         -
content[gnome-42-2204]  signal-desktop:gnome-42-2204           gnome-42-2204:gnome-42-2204     -
content[gtk-3-themes]   signal-desktop:gtk-3-themes            gtk-common-themes:gtk-3-themes  -
content[icon-themes]    signal-desktop:icon-themes             gtk-common-themes:icon-themes   -
content[sound-themes]   signal-desktop:sound-themes            gtk-common-themes:sound-themes  -
desktop                 signal-desktop:desktop                 :desktop                        -
desktop-legacy          signal-desktop:desktop-legacy          :desktop-legacy                 -
gsettings               signal-desktop:gsettings               :gsettings                      -
home                    signal-desktop:home                    :home                           -
network                 signal-desktop:network                 :network                        -
opengl                  signal-desktop:opengl                  :opengl                         -
removable-media         signal-desktop:removable-media         -                               -
screen-inhibit-control  signal-desktop:screen-inhibit-control  :screen-inhibit-control         -
unity7                  signal-desktop:unity7                  :unity7                         -
wayland                 signal-desktop:wayland                 :wayland                        -
x11                     signal-desktop:x11                     :x11                            -

Output of snap version

user@localhost:~$ snap version
snap    2.63-0.fc40
snapd   2.63-0.fc40
series  16
fedora  40
kernel  6.9.7-200.fc40.x86_64

Relevant log output

No response

Terminal output of app

When run from the terminal emulator, however, `signal-desktop` appears to run just fine, with no SELinux error popping up. However, there were still errors:

user@localhost:~$ signal-desktop
Set Windows Application User Model ID (AUMID) { AUMID: 'org.whispersystems.signal-desktop' }
NODE_ENV production
NODE_CONFIG_DIR /snap/signal-desktop/671/opt/Signal/resources/app.asar/config
NODE_CONFIG {}
ALLOW_CONFIG_MUTATIONS undefined
HOSTNAME localhost
NODE_APP_INSTANCE undefined
SUPPRESS_NO_CONFIG_WARNING undefined
SIGNAL_ENABLE_HTTP undefined
userData: /home/user/snap/signal-desktop/671/.config/Signal
config/get: Successfully read user config file
config/get: Successfully read ephemeral config file
making app single instance
Error org.freedesktop.DBus.Error.Failed: cannot find desktop file "/var/lib/snapd/desktop/applications/signal-desktop_signal.desktop"
Error org.freedesktop.DBus.Error.Failed: cannot find desktop file "/var/lib/snapd/desktop/applications/signal-desktop_signal.desktop"
Gtk-Message: 15:29:13.498: Failed to load module "xapp-gtk3-module"

(signal-desktop:47363): Gtk-WARNING **: 15:29:13.613: GTK+ module /snap/signal-desktop/671/gnome-platform/usr/lib/gtk-2.0/modules/libcanberra-gtk-module.so cannot be loaded.
GTK+ 2.x symbols detected. Using GTK+ 2.x and GTK+ 3 in the same process is not supported.
Gtk-Message: 15:29:13.613: Failed to load module "canberra-gtk-module"
Gtk-Message: 15:29:13.614: Failed to load module "pk-gtk-module"

(signal-desktop:47363): Gtk-WARNING **: 15:29:13.623: GTK+ module /snap/signal-desktop/671/gnome-platform/usr/lib/gtk-2.0/modules/libcanberra-gtk-module.so cannot be loaded.
GTK+ 2.x symbols detected. Using GTK+ 2.x and GTK+ 3 in the same process is not supported.
Gtk-Message: 15:29:13.623: Failed to load module "canberra-gtk-module"
Gtk-Message: 15:29:13.624: Failed to load module "pk-gtk-module"
Warning: build/dns-fallback.json not build, run `yarn generate`
{"level":30,"time":"2024-07-12T13:29:14.109Z","msg":"got fast localeOverride setting null"}
{"level":30,"time":"2024-07-12T13:29:14.110Z","msg":"app.ready: hour cycle preference: UnknownPreference"}
{"level":30,"time":"2024-07-12T13:29:14.111Z","msg":"app.ready: preferred system locales: en-US, en"}
{"level":30,"time":"2024-07-12T13:29:14.111Z","msg":"locale: Supported locales: af-ZA, ar, az-AZ, bg-BG, bn-BD, bs-BA, ca, cs, da, de, el, en, es, et-EE, eu, fa-IR, fi, fr, ga-IE, gl-ES, gu-IN, he, hi-IN, hr-HR, hu, id, it, ja, ka-GE, kk-KZ, km-KH, kn-IN, ko, ky-KG, lt-LT, lv-LV, mk-MK, ml-IN, mr-IN, ms, my, nb, nl, pa-IN, pl, pt-BR, pt-PT, ro-RO, ru, sk-SK, sl-SI, sq-AL, sr, sv, sw, ta-IN, te-IN, th, tl-PH, tr, ug, uk-UA, ur, vi, yue, zh-CN, zh-HK, zh-Hant"}
{"level":30,"time":"2024-07-12T13:29:14.111Z","msg":"locale: Preferred locales: en-US, en"}
{"level":30,"time":"2024-07-12T13:29:14.112Z","msg":"locale: Locale Override: null"}
{"level":30,"time":"2024-07-12T13:29:14.115Z","msg":"locale: Matched locale: en"}
{"level":40,"time":"2024-07-12T13:29:14.209Z","msg":"intl.onWarn [@formatjs/intl] \"defaultRichTextElements\" was specified but \"message\" was not pre-compiled. \nPlease consider using \"@formatjs/cli\" to pre-compile your messages for performance.\nFor more details see https://formatjs.io/docs/getting-started/message-distribution"}
{"level":30,"time":"2024-07-12T13:29:14.209Z","msg":"locale: Text info direction for en: ltr"}
{"level":30,"time":"2024-07-12T13:29:14.210Z","msg":"getSystemTraySetting got value DoNotUseSystemTray"}
{"level":30,"time":"2024-07-12T13:29:14.210Z","msg":"getSystemTraySetting returning DoNotUseSystemTray"}
{"level":30,"time":"2024-07-12T13:29:14.221Z","msg":"app ready"}
{"level":30,"time":"2024-07-12T13:29:14.222Z","msg":"starting version 7.15.0"}
{"level":30,"time":"2024-07-12T13:29:14.222Z","msg":"media access status [object Undefined] [object Undefined]"}
{"level":30,"time":"2024-07-12T13:29:14.224Z","msg":"got fast theme-setting value system"}
{"level":40,"time":"2024-07-12T13:29:14.225Z","msg":"MainSQL: Database log code=283: recovered 885 frames from WAL file [REDACTED]/sql/db.sqlite-wal"}
{"level":30,"time":"2024-07-12T13:29:14.225Z","msg":"MainSQL: updateSchema:\n  Current user_version: 1080;\n  Most recent db schema: 1080;\n  SQLite version: 3.42.0;\n  SQLCipher version: 4.5.5 community;\n  (deprecated) schema_version: 471;\n"}
{"level":30,"time":"2024-07-12T13:29:14.226Z","msg":"got fast theme-setting value system"}
{"level":30,"time":"2024-07-12T13:29:14.227Z","msg":"got fast spellcheck setting true"}
{"level":30,"time":"2024-07-12T13:29:14.228Z","msg":"Initializing BrowserWindow config: {\"show\":false,\"width\":1920,\"height\":1011,\"minWidth\":300,\"minHeight\":200,\"autoHideMenuBar\":false,\"titleBarStyle\":\"default\",\"backgroundColor\":\"#121212\",\"webPreferences\":{\"devTools\":false,\"spellcheck\":true,\"enableBlinkFeatures\":\"CSSPseudoDir,CSSLogical\",\"enablePreferredSizeMode\":true,\"nodeIntegration\":false,\"nodeIntegrationInWorker\":false,\"sandbox\":false,\"contextIsolation\":true,\"preload\":\"[REDACTED]/preload.bundle.js\",\"backgroundThrottling\":true,\"disableBlinkFeatures\":\"Accelerated2dCanvas,AcceleratedSmallCanvases\"},\"icon\":\"[REDACTED]/images/signal-logo-desktop-linux.png\",\"x\":0,\"y\":69}"}
{"level":30,"time":"2024-07-12T13:29:14.368Z","msg":"spellcheck: user locales: [\"en-US\",\"en\"]"}
{"level":30,"time":"2024-07-12T13:29:14.368Z","msg":"spellcheck: available spellchecker languages: [\"af\",\"bg\",\"ca\",\"cs\",\"cy\",\"da\",\"de\",\"de-DE\",\"el\",\"en\",\"en-AU\",\"en-CA\",\"en-GB\",\"en-GB-oxendict\",\"en-US\",\"es\",\"es-419\",\"es-AR\",\"es-ES\",\"es-MX\",\"es-US\",\"et\",\"fa\",\"fo\",\"fr\",\"fr-FR\",\"he\",\"hi\",\"hr\",\"hu\",\"hy\",\"id\",\"it\",\"it-IT\",\"ko\",\"lt\",\"lv\",\"nb\",\"nl\",\"pl\",\"pt\",\"pt-BR\",\"pt-PT\",\"ro\",\"ru\",\"sh\",\"sk\",\"sl\",\"sq\",\"sr\",\"sv\",\"ta\",\"tg\",\"tr\",\"uk\",\"vi\"]"}
{"level":30,"time":"2024-07-12T13:29:14.368Z","msg":"spellcheck: setting languages to: [\"en-US\",\"en\"]"}
{"level":30,"time":"2024-07-12T13:29:14.951Z","msg":"got fast theme-setting value system"}
{"level":30,"time":"2024-07-12T13:29:15.766Z","msg":"got fast spellcheck setting true"}
{"level":30,"time":"2024-07-12T13:29:15.777Z","msg":"System tray service: created"}
{"level":30,"time":"2024-07-12T13:29:15.777Z","msg":"System tray service: updating main window. Previously, there was not a window, and now there is"}
{"level":30,"time":"2024-07-12T13:29:15.777Z","msg":"System tray service: rendering no tray"}
{"level":30,"time":"2024-07-12T13:29:15.778Z","msg":"Begin ensuring permissions"}
{"level":30,"time":"2024-07-12T13:29:15.778Z","msg":"main window is ready-to-show"}
{"level":30,"time":"2024-07-12T13:29:15.779Z","msg":"showing main window"}
{"level":30,"time":"2024-07-12T13:29:15.780Z","msg":"System tray service: rendering no tray"}
{"level":30,"time":"2024-07-12T13:29:15.787Z","msg":"Ensuring file permissions for 4 files"}
{"level":30,"time":"2024-07-12T13:29:15.789Z","msg":"Finish ensuring permissions in 11ms"}
{"level":30,"time":"2024-07-12T13:29:16.177Z","msg":"Prevent display sleep service: allowing display sleep"}
{"level":30,"time":"2024-07-12T13:29:16.178Z","msg":"Background throttling enabled because no call is active"}
{"level":30,"time":"2024-07-12T13:29:16.789Z","msg":"updater/start: Updates disabled - not starting new version checks"}
{"level":30,"time":"2024-07-12T13:29:16.790Z","msg":"System tray service: setting unread count to 10"}
{"level":30,"time":"2024-07-12T13:29:16.791Z","msg":"System tray service: rendering no tray"}
{"level":30,"time":"2024-07-12T13:29:16.798Z","msg":"App loaded - time: 2588"}
{"level":30,"time":"2024-07-12T13:29:16.799Z","msg":"SQL init - time: 119"}
{"level":30,"time":"2024-07-12T13:29:16.799Z","msg":"Preload - time: 795"}
{"level":30,"time":"2024-07-12T13:29:16.799Z","msg":"WebSocket connect - time: 530"}
{"level":30,"time":"2024-07-12T13:29:16.800Z","msg":"Processed count: 21"}
{"level":30,"time":"2024-07-12T13:29:16.800Z","msg":"Messages per second: 16.6270783847981"}
{"level":30,"time":"2024-07-12T13:29:18.135Z","msg":"System tray service: setting unread count to 3"}
{"level":30,"time":"2024-07-12T13:29:18.136Z","msg":"System tray service: rendering no tray"}

lengau commented 1 month ago

Thanks for the report! This sounds to me like the desktop file that's generating the signal icon is coming from a Windows version of Signal installed under wine. Can you check the shortcut in your menu and see what command it's running and what .desktop file it's using?

jnsgruk commented 2 weeks ago

Indeed - here it seems like the actual app is working correctly, and it's the desktop file that's launching something different. Closing for now as there is no further information - I can reopen if needed.
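
One way to run the check lengau asks for, as an added example that is not part of the thread or the snap's own tooling: list every menu entry whose name mentions Signal and classify what its `Exec=` line actually launches. The function name `signal_launchers`, the default search path (the usual XDG application directories plus the snapd directory seen in the terminal output) and the `wine`/`snap` matching patterns are assumptions.

```shell
#!/bin/sh
# Added example: find menu entries named like Signal and show what they start.
# Output is one line per entry: <kind> TAB <desktop file> TAB <Exec command>,
# where kind is "wine", "snap" or "other".

signal_launchers() {
    # Search the directories given as arguments, or an assumed default path.
    if [ "$#" -eq 0 ]; then
        set -- "${HOME:-}/.local/share/applications" \
               /usr/local/share/applications \
               /usr/share/applications \
               /var/lib/snapd/desktop/applications
    fi
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Wine writes its entries into nested subdirectories, so recurse.
        find "$dir" -type f -name '*.desktop' | while IFS= read -r file; do
            # Only entries whose display name mentions Signal are of interest.
            grep -qi '^Name=.*signal' "$file" || continue
            # The first Exec= line is the command the menu icon runs.
            exec_line=$(sed -n 's/^Exec=//p' "$file" | head -n 1)
            case "$exec_line" in
                *wine*)   kind=wine ;;   # Windows build started through Wine
                */snap/*) kind=snap ;;   # launcher under a snap bin directory
                *)        kind=other ;;
            esac
            printf '%s\t%s\t%s\n' "$kind" "$file" "$exec_line"
        done
    done
}

# With no arguments the default directories are searched.
signal_launchers
```

A `wine` line in the output identifies a menu entry that starts a Windows build rather than the snap, which is the situation the maintainers suspect here.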