
SELinux preventing some game from starting, openSUSE Tumbleweed

Open mack-w opened this issue 3 years ago • 6 comments

System

I have the Steam client (runtime package version 1647446817) running on openSUSE Tumbleweed with kernel version 5.17.1-1-default (distro kernel) and boot parameters spectre_v2=retpoline security=selinux mitigations=auto. All my titles default to running via Proton Experimental (7.0-100).

Problem

I've got multiple games failing to start under SELinux "Enforcing" mode, including, but not limited to:

  • CLANNAD
  • ELDEN RING
  • Rise of the Tomb Raider
  • Sid Meier's Civilization VI
  • The Witcher 3: Wild Hunt

Autorelabeling files didn't work; I also had my game file integrity checked, so the filesystem should be OK.

Replicating

Environment: openSUSE Tumbleweed, drop "AppArmor" instead of "SELinux" at installation. Set SELinux default policy to "Enforcing".
How-to: Install some games in Steam, launch them via Proton.
Observed: After clicking on the "PLAY" button, no game window is displayed. The button automatically falls back to "PLAY" after a few seconds.
Expected: Game running.

Others

  1. SELinux audit logs for ELDEN RING:
type=USER_AVC msg=audit(1649751855.708:189): pid=644 uid=469 auid=4294967295 ses=4294967295 subj=system_u:system_r:nscd_t:s0 msg='avc:  op=setenforce lsm=selinux enforcing=1 res=1 exe="/usr/sbin/nscd" sauid=469 hostname=? addr=? terminal=?'
type=AVC msg=audit(1649751856.408:190): avc:  denied  { nnp_transition nosuid_transition } for  pid=4213 comm="pressure-vessel" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(1649751856.408:191): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 newcontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023
type=AVC msg=audit(1649751861.921:192): avc:  denied  { execmod } for  pid=4303 comm="iscriptevaluato" path=2F686F6D652F6D61636B2F2E6C6F63616C2F73686172652F537465616D2F737465616D617070732F636F6D6D6F6E2F50726F746F6E202D204578706572696D656E74616C2F66696C65732F6C69622F77696E652F693338362D77696E646F77732F636F6D626173652E646C6C dev="nvme0n1p4" ino=17273695 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1649751869.897:193): avc:  denied  { nnp_transition nosuid_transition } for  pid=4441 comm="pressure-vessel" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(1649751869.897:194): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 newcontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023
type=AVC msg=audit(1649751875.670:195): avc:  denied  { execmod } for  pid=4603 comm="start_protected" path=2F686F6D652F6D61636B2F2E6C6F63616C2F73686172652F537465616D2F737465616D617070732F636F6D6D6F6E2F50726F746F6E202D204578706572696D656E74616C2F66696C65732F6C69622F77696E652F693338362D77696E646F77732F636F6D626173652E646C6C dev="nvme0n1p4" ino=17273695 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=file permissive=0   
type=AVC msg=audit(1649751875.674:196): avc:  denied  { execmod } for  pid=4603 comm="start_protected" path=2F686F6D652F6D61636B2F2E6C6F63616C2F73686172652F537465616D2F737465616D617070732F636F6D6D6F6E2F50726F746F6E202D204578706572696D656E74616C2F66696C65732F6C69622F77696E652F693338362D77696E646F77732F77696E6D6D2E646C6C dev="nvme0n1p4" ino=17282330 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=file permissive=0
  2. Console output for ELDEN RING:
GameAction [AppID 1245620, ActionID 1] : LaunchApp changed task to ProcessingInstallScript with ""
fsync: up and running.
wine: RLIMIT_NICE is <= 20, unable to use setpriority safely
GameAction [AppID 1245620, ActionID 1] : LaunchApp changed task to SynchronizingCloud with ""
GameAction [AppID 1245620, ActionID 1] : LaunchApp changed task to SiteLicenseSeatCheckout with ""
GameAction [AppID 1245620, ActionID 1] : LaunchApp changed task to CreatingProcess with ""
GameAction [AppID 1245620, ActionID 1] : LaunchApp waiting for user response to CreatingProcess ""
GameAction [AppID 1245620, ActionID 1] : LaunchApp continues with user response "CreatingProcess"
/bin/sh\0-c\0/home/someuser/.local/share/Steam/ubuntu12_32/reaper SteamLaunch AppId=1245620 -- '/home/someuser/.local/share/Steam/steamapps/common/SteamLinuxRuntime_soldier'/_v2-entry-point --verb=waitforexitandrun -- '/home/someuser/.local/share/Steam/steamapps/common/Proton - Experimental'/proton waitforexitandrun  '/home/someuser/.local/share/Steam/steamapps/common/ELDEN RING/Game/start_protected_game.exe'\0
Game process added : AppID 1245620 "/home/someuser/.local/share/Steam/ubuntu12_32/reaper SteamLaunch AppId=1245620 -- '/home/someuser/.local/share/Steam/steamapps/common/SteamLinuxRuntime_soldier'/_v2-entry-point --verb=waitforexitandrun -- '/home/someuser/.local/share/Steam/steamapps/common/Proton - Experimental'/proton waitforexitandrun  '/home/someuser/.local/share/Steam/steamapps/common/ELDEN RING/Game/start_protected_game.exe'", ProcID 9587, IP 0.0.0.0:0
chdir /home/someuser/.local/share/Steam/steamapps/common/ELDEN RING/Game
ERROR: ld.so: object '/home/someuser/.local/share/Steam/ubuntu12_32/gameoverlayrenderer.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored.
GameAction [AppID 1245620, ActionID 1] : LaunchApp changed task to WaitingGameWindow with ""
GameAction [AppID 1245620, ActionID 1] : LaunchApp changed task to Completed with ""
ERROR: ld.so: object '/home/someuser/.local/share/Steam/ubuntu12_64/gameoverlayrenderer.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS64): ignored.
ERROR: ld.so: object '/home/someuser/.local/share/Steam/ubuntu12_32/gameoverlayrenderer.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored.
ERROR: ld.so: object '/home/someuser/.local/share/Steam/ubuntu12_32/gameoverlayrenderer.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored.
ERROR: ld.so: object '/home/someuser/.local/share/Steam/ubuntu12_32/gameoverlayrenderer.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored.
pid 9598 != 9595, skipping destruction (fork without exec?)
fsync: up and running.
wine: RLIMIT_NICE is <= 20, unable to use setpriority safely
ThreadGetProcessExitCode: no such process 9753
ThreadGetProcessExitCode: no such process 9751
ThreadGetProcessExitCode: no such process 9744
ThreadGetProcessExitCode: no such process 9743
ThreadGetProcessExitCode: no such process 9596
Game process updated : AppID 1245620 "/home/someuser/.local/share/Steam/ubuntu12_32/reaper SteamLaunch AppId=1245620 -- '/home/someuser/.local/share/Steam/steamapps/common/SteamLinuxRuntime_soldier'/_v2-entry-point --verb=waitforexitandrun -- '/home/someuser/.local/share/Steam/steamapps/common/Proton - Experimental'/proton waitforexitandrun  '/home/someuser/.local/share/Steam/steamapps/common/ELDEN RING/Game/start_protected_game.exe'", ProcID 9752, IP 0.0.0.0:0
Setting breakpad minidump AppID = 1245620
Steam_SetMinidumpSteamID:  Caching Steam ID:  76561199073337298 [API loaded no]
ThreadGetProcessExitCode: no such process 9762
ThreadGetProcessExitCode: no such process 9887
ThreadGetProcessExitCode: no such process 9864
ThreadGetProcessExitCode: no such process 9837
ThreadGetProcessExitCode: no such process 9828
ThreadGetProcessExitCode: no such process 9819
ThreadGetProcessExitCode: no such process 9770
ThreadGetProcessExitCode: no such process 9767
ThreadGetProcessExitCode: no such process 9739
pid 9754 != 9753, skipping destruction (fork without exec?)
Game process removed: AppID 1245620 "/home/someuser/.local/share/Steam/ubuntu12_32/reaper SteamLaunch AppId=1245620 -- '/home/someuser/.local/share/Steam/steamapps/common/SteamLinuxRuntime_soldier'/_v2-entry-point --verb=waitforexitandrun -- '/home/someuser/.local/share/Steam/steamapps/common/Proton - Experimental'/proton waitforexitandrun  '/home/someuser/.local/share/Steam/steamapps/common/ELDEN RING/Game/start_protected_game.exe'", ProcID 9752 
ThreadGetProcessExitCode: no such process 9785
ThreadGetProcessExitCode: no such process 9752
ThreadGetProcessExitCode: no such process 9595
Game 1245620 created interface STEAMAPPLIST_INTERFACE_VERSION001 / AppList
Game 1245620 created interface STEAMAPPS_INTERFACE_VERSION008 / Apps
Game 1245620 created interface STEAMHTMLSURFACE_INTERFACE_VERSION_004 / HTMLSurface
Game 1245620 created interface STEAMHTTP_INTERFACE_VERSION002 / HTTP
Game 1245620 created interface STEAMINVENTORY_INTERFACE_V002 / Inventory
Game 1245620 created interface STEAMMUSICREMOTE_INTERFACE_VERSION001 / MusicRemote
Game 1245620 created interface STEAMMUSIC_INTERFACE_VERSION001 / Music
Game 1245620 created interface STEAMPARENTALSETTINGS_INTERFACE_VERSION001 / ParentalSettings
Game 1245620 created interface STEAMREMOTESTORAGE_INTERFACE_VERSION014 / RemoteStorage
Game 1245620 created interface STEAMSCREENSHOTS_INTERFACE_VERSION003 / Screenshots
Game 1245620 created interface STEAMUGC_INTERFACE_VERSION010 / UGC
Game 1245620 created interface STEAMUSERSTATS_INTERFACE_VERSION011 / UserStats
Game 1245620 created interface STEAMVIDEO_INTERFACE_V002 / Video
Game 1245620 created interface SteamController006 / Controller
Game 1245620 created interface SteamFriends015 / Friends
Game 1245620 created interface SteamMatchMaking009 / Matchmaking
Game 1245620 created interface SteamMatchMakingServers002 / MatchmakingServers
Game 1245620 created interface SteamNetworking005 / Networking
Game 1245620 created interface SteamUser019 / User
Game 1245620 created interface SteamUtils009 / Utils
Game 1245620 method call count for IClientAppManager::GetAppInstallDir : 1
Game 1245620 method call count for IClientAppManager::GetAppInstallState : 2
Game 1245620 method call count for IClientUtils::RecordSteamInterfaceCreation : 22
Game 1245620 method call count for IClientUtils::GetSteamUILanguage : 1
Game 1245620 method call count for IClientUtils::GetAppID : 24
Game 1245620 method call count for IClientUser::GetSteamID : 1
Uploaded AppInterfaceStats to Steam

Please do note that the audit logs and console output were collected from two separate test cases.

mack-w avatar Apr 12 '22 09:04 mack-w

Are all games broken in Proton 7.0/Experimental, or are some working?

Your SELinux log looks like it's denying some stuff that Steam's pressure-vessel runtime container is trying to do. Maybe you can look into how to make SELinux interact well with it? Maybe grant its binary permissions, similar to whatever is given to Docker, or something?

Just some ideas, I'm not an expert on any of this.

aeikum avatar Apr 12 '22 13:04 aeikum

drop "AppArmor" instead of "SELinux" at installation. Set SELinux default policy to "Enforcing"

Is this a transition that openSUSE is doing as a distribution-wide thing, or is it your own local configuration?

I don't know how SELinux works, but this should be a reasonably straightforward fix for someone who does. However, it would likely have to be a change in your system-wide SELinux policy, not a change in anything shipped by Valve.

pressure-vessel, running as an ordinary unprivileged user, needs to be able to run the system ldconfig as the same ordinary unprivileged user, with the same (lack of) privileges. It does not need to write to system files like /etc/ld.so.cache, only to a local file, similar to what would happen if you did this:

$ ldconfig -C ~/my-personal-ld.so.cache -X -v

In AppArmor, I'd spell that as /{usr/,}sbin/ldconfig rmix (allow read, mmap, and on execute inherit the current security context), but I don't know what the SELinux equivalent is.

smcv avatar Apr 12 '22 14:04 smcv
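Triaging the audit records quoted in the issue, as an added example that is not part of the thread or of the steam-runtime project: the script below parses AVC lines of that shape, hex-decodes the path= field (auditd hex-encodes a path that contains spaces, as the "Proton - Experimental" directory does), and groups denials into (source type, target type, class) tuples with the union of denied permissions, which is the shape a policy author has to reason about. The sample records are constructed to match the log above, with a made-up user name and path.

```python
import re
from collections import defaultdict

# Constructed records in the shape of the auditd output quoted in the issue (user name and
# path made up). auditd hex-encodes path= when the path holds a space ("Proton - Experimental").
SAMPLE_PATH = ("/home/someuser/.local/share/Steam/steamapps/common/"
               "Proton - Experimental/files/lib/wine/i386-windows/combase.dll")
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1649751856.408:190): avc:  denied  { nnp_transition nosuid_transition } '
    'for  pid=4213 comm="pressure-vessel" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 tclass=process2 permissive=0',
    'type=SELINUX_ERR msg=audit(1649751856.408:191): op=security_bounded_transition seresult=denied',
    'type=AVC msg=audit(1649751875.670:195): avc:  denied  { execmod } for  pid=4603 '
    'comm="start_protected" path=' + SAMPLE_PATH.encode().hex().upper() + ' dev="nvme0n1p4" '
    'ino=17273695 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:data_home_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_FIELDS = {'path', 'comm', 'name', 'exe'}  # fields auditd hex-encodes instead of quoting

def decode_field(key, value):
    """Strip quotes, or hex-decode the fields auditd encodes when they hold spaces or odd bytes."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r'[0-9A-F]+', value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value

def parse_avc(line):
    """Return the interesting parts of one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: decode_field(k, v) for k, v in KV_RE.findall(m.group('rest'))}
    return {'result': m.group('result'), 'perms': set(m.group('perms').split()),
            'comm': f.get('comm'), 'path': f.get('path'), 'tclass': f['tclass'],
            'source_type': f['scontext'].split(':')[2], 'target_type': f['tcontext'].split(':')[2]}

def summarize_denials(lines):
    """Union denied permissions per (source, target, class): the shape an allow rule would need."""
    needed = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        if rec['result'] == 'denied':
            needed[(rec['source_type'], rec['target_type'], rec['tclass'])] |= rec['perms']
    return dict(needed)
```

For the issue's log this yields two groups: unconfined_t to ldconfig_t on process2 {nnp_transition, nosuid_transition} (the pressure-vessel/ldconfig transition smcv describes, refused because the container runs under no_new_privs), and unconfined_t to data_home_t on file {execmod} (Wine DLLs under the user's home being mapped writable and executable). Both sit in the distribution's policy, not in anything Steam ships.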

Hello @Mack-W, starting with Proton 5.13, Proton is run inside the Steam Linux Runtime - Soldier container environment, and pressure-vessel is what sets up that container. I'm also not very familiar with SELinux, but my expectation is that there's some policy which needs to be given to allow pressure-vessel's utilities to have similar permissions as Flatpak. The first-time install steps mentioned in https://github.com/ValveSoftware/steam-for-linux/issues/8534 are run with Proton, and have the same requirements as here.

kisak-valve avatar Apr 12 '22 14:04 kisak-valve

I noticed this issue on openSUSE MicroOS (KDE), where SELinux is the default. It took a while to understand why only some of my games didn't work anymore, until I found this: https://en.opensuse.org/Portal:MicroOS/Desktop#Steam_Proton,_Bottles,_WINE,_Lutris,_Android_Studio_emulator_not_working_from_flatpaks

The games that affected me were mainly MMORPGs like FF XIV (39210), SWTOR (1286830), Guild Wars 2 (1284210) and non-MMOs like the Total War: WARHAMMER series.

Here is the SUSE bug report of this issue https://bugzilla.opensuse.org/show_bug.cgi?id=1206292

ahjolinna avatar Apr 24 '23 14:04 ahjolinna