TF2: Failed to create decoder for MP3 [ path/to/file.mp3 ] on Fedora 24.

[HarleyGaniere]

• Steam client version: 1468023329
• Distribution: Fedora 24
• Opted into Steam client beta?: No
• Have you checked for system updates?: Yes

Here's a copy from what is being displayed in the console.

[TF Workshop] Got 0 subscribed maps, 0 new
maxplayers set to 24
Error: Material "debug/debugluxels" uses unknown shader "DebugLuxels"
Error: Material "___fillrate_0" uses unknown shader "FillRate"
Error: Material "___debugnormalmap_1" uses unknown shader "DebugNormalMap"
Error: Material "___debugdrawenvmapmask_2" uses unknown shader "DebugDrawEnvmapMask"
Error: Material "___debugdepth_3" uses unknown shader "DebugDepth"
Error: Material "___debugdepth_4" uses unknown shader "DebugDepth"
Steam config directory: /storage-1/user/SteamLibrary/steamapps/common/Team Fortress 2/platform/config
CClientSteamContext logged on = 1
Cleaning up unneeded replay block data...
Replay cleanup done.
Loading default settings for high sensitivity
Connection to game coordinator established.
CTFGCClientSystem::PostInitGC
CTFGCClientSystem - adding listener
Hiding LobbyContainerFrameHiding LobbyContainerFrameHiding LobbyContainerFrame
Can't use cheat cvar fog_start in multiplayer, unless the server has sv_cheats set to 1.
Can't use cheat cvar fog_end in multiplayer, unless the server has sv_cheats set to 1.
Can't use cheat cvar fog_startskybox in multiplayer, unless the server has sv_cheats set to 1.
Can't use cheat cvar fog_endskybox in multiplayer, unless the server has sv_cheats set to 1.
Can't use cheat cvar r_farz in multiplayer, unless the server has sv_cheats set to 1.
Applying new item schema, version 9B123B70
WARNING Item schema mismatch after update!
GC told us to expect 9B123B70, we got 8B53863F
Applied updated item schema from GC. 3347980 bytes, version 9B123B70.
m_face->glyph->bitmap.width is 0 for ch:32 TF2 Build
m_face->glyph->bitmap.width is 0 for ch:32 TF2
m_face->glyph->bitmap.width is 0 for ch:32 DejaVu Sans
Failed to create decoder for MP3 [ ui/gamestartup23.mp3 ]

I am running vanilla Fedora 24 with Steam freshly installed. There are no character voices, ambient sound, or music while playing TF2.

[gdrewb-valve]

Possible Steam runtime incompatibility issue.

[Tele42]

Looks like a continuation of ValveSoftware/steam-for-linux#43 to me. LibMiles has a hard time with selinux.

[HarleyGaniere]

@Tele42 Now that you mention it, I have opened SELinux Alert Browser and was greeted with this.

SELinuxhas detected a problem.
The source process: hl2_linux
Attempted this access: execheap

SELinux is preventing hl2_linux from using the execheap access on a process.

*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think hl2_linux should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

  Plugin catchall_boolean (42.6 confidence) suggests   

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.
You can read 'None' man page for more details.
Do
setsebool -P selinuxuser_execheap 1

 Plugin catchall (5.76 confidence) suggests   

If you believe that hl2_linux should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'hl2_linux' --raw | audit2allow -M my-hl2linux
 semodule -X 300 -i my-hl2linux.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                Unknown [ process ]
Source                        hl2_linux
Source Path                   hl2_linux
Port                          <Unknown>
Host                          aurora-242
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.5.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     aurora-242
Platform                      Linux aurora-242 4.7.0-0.rc7.git4.2.fc25.x86_64 #1
                              SMP Tue Jul 19 15:56:43 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-07-28 08:57:38 EDT
Last Seen                     2016-07-28 09:28:37 EDT
Local ID                      1693be0f-7692-47af-8f54-0e59a9d0b0ba

Raw Audit Messages
type=AVC msg=audit(1469712517.246:1943): avc:  denied  { execheap } for  pid=19480 
comm="hl2_linux" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: hl2_linux,unconfined_t,unconfined_t,process,execheap`

[cob16]

Still exists as of 08/14/2017 on Fadora 26. Current workaround in ValveSoftware/steam-for-linux#43

[h1z1]

Still exists as of 10/10/2017.

[eiglow]

Using the Steam Linux Runtime, the issue still appears.

[ohhai]

I also have SELinux errors about execheap access of hl2_linux process:

type=AVC msg=audit(1619827374.239:701): avc:  denied  { execheap } for  pid=33541 comm="hl2_linux" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1

[Spowmtom]

My AVC denial code is:
type=AVC msg=audit(1626208128.915:2728): avc: denied { execheap } for pid=851460 comm="hl2_linux" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

When I pass it through Sealert, I get this:

SELinux is preventing hl2_linux from using the execheap access on a process.

*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think hl2_linux should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Do
setsebool -P selinuxuser_execheap 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that hl2_linux should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'hl2_linux' --raw | audit2allow -M my-hl2linux
# semodule -X 300 -i my-hl2linux.pp


Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                Unknown [ process ]
Source                        hl2_linux
Source Path                   hl2_linux
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.13-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.13-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 5.12.14-300.fc34.x86_64 #1 SMP Wed
                              Jun 30 18:30:21 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-07-13 16:28:48 EDT
Last Seen                     2021-07-13 16:35:48 EDT
Local ID                      2ad82736-edf4-4410-8710-505061c1aa93

Raw Audit Messages
type=AVC msg=audit(1626208548.811:2753): avc:  denied  { execheap } for  pid=851963 comm="hl2_linux" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: hl2_linux,unconfined_t,unconfined_t,process,execheap

So I did what it suggested, ausearch -c 'hl2_linux' --raw | audit2allow -M my-hl2linux and then semodule -i my-hl2linux.pp and it works! Team Fortress 2 can play music and voice lines without totally disabling SELinux.

[GuilleDF]

Not sure if it's related to this, but I had a similar issue and I resolved it by deleting all of the .cache files in the TF2 folder

[EntityinArray]

I had this issue when playing TF2 on Linux.
Turns out this problem was caused by SELinux. I managed to fix it by allowing execheap permission with this command:
sudo setsebool -P selinuxuser_execheap 1
Looks like TF2 executes code from the heap in order to play MP3 files, which is insecure and gets blocked by SELinux.

[aaalloc]

I had this issue when playing TF2 on Linux. Turns out this problem was caused by SELinux. I managed to fix it by allowing execheap permission with this command: sudo setsebool -P selinuxuser_execheap 1 Looks like TF2 executes code from the heap in order to play MP3 files, which is insecure and gets blocked by SELinux.

this worked for me.

[egirlcatnip]

THANK YOU @EntityinArray

[gridlocdev]

Fedora Linux Workaround

If you are using Fedora or a Fedora-based Linux distribution, chances are that this issue is from SELinux (Security Enhanced Linux), which is a beneficial bonus layer of security for your computer.

From what I've gathered so far, the Miles Sound System that is used by Source engine games (including TF2) has an unpatched ACE vulnerability which allows it to both write and execute data in memory on the heap. In Fedora's case SELinux blocks this (because it should), which prevents audio files from loading.

Previous answers suggest using setsebool -P selinux_execheap 1, but please be aware that this is a bad idea because this would allow any program that uses execheap to run arbitrary code on your computer, not just TF2. To undo this, just set the boolean back to default with setsebool -P selinux_execheap 0.

Instead, I suggest you use the following workaround instead like @Spowmtom and I did, which only whitelists this behavior for games that run on the Source engine, such as TF2.

ausearch -c 'hl2_linux' --raw | audit2allow -M my-hl2linux

semodule -i my-hl2linux.pp

Explanation

Here is a brief explanation of what the above snippet does:

1. Loads the logs for hl2_linux where it says execheap was denied, and uses those to create a policy file
2. Loads the policy module into SELinux to allow unconfined access to execheap for TF2

Here is an expanded description of each command:

• ausearch -c 'hl2_linux' --raw: Displays the unformatted information for 'hl2_linux' in the system audit daemon logs
• audit2allow -M my-hl2linux: From the above denied system operations that were piped in, generates a loadable policy module file (.pp) named 'my-hl2linux' in the current directory
• semodule -i my-hl2linux.pp: Installs the SELinux policy module file named 'my-hl2-linux.pp'

Undo-ing this rule

If you want to roll back and remove the security exception this has added for TF2, you can run the following command:

• semodule -r my-hl2linux: Removes the module from the SELinux policy rules

[starkle]

If you don't want to tamper with SELinux, forcing the game to use Proton may work around the issue as well. I was able get Portal working this way, at least.

• Right click game > Properties > Compatibility > Force the use of a specific Steam Play compatibility tool

You may need to set this before downloading / installing the game. Hopefully this gets fixed soon so users aren't misled into compromising SELinux.

[GuilleDF]

IIRC TF2 doesn't let you connect to any server when run through proton, unfortunately 😞

[KyleGospo]

If you are using Fedora or a Fedora-based Linux distribution, chances are that this issue is from SELinux (Security Enhanced Linux), which is a beneficial bonus layer of security for your computer.

Thank you for this, I went ahead and created a Copr repo that provides this same change as an RPM package if anyone would rather go that route. Naturally if this issue is ever resolved I'll push an update that removes the SELinux rule and eventually delete the repository.

You can grab that here if you're interested.

[HarleyGaniere]

If you are using Fedora or a Fedora-based Linux distribution, chances are that this issue is from SELinux (Security Enhanced Linux), which is a beneficial bonus layer of security for your computer.

Thank you for this, I went ahead and created a Copr repo that provides this same change as an RPM package if anyone would rather go that route. Naturally if this issue is ever resolved I'll push an update that removes the SELinux rule and eventually delete the repository.

You can grab that here if you're interested.

Wonderfully done, this is the best workaround I've seen yet.

If anyone sees this post in the future, use the COPR repo @KyleGospo provided as it is the easiest and most desirable method of patching the issue until something upstream happens. The only other known method is to allow excheap to run through SELinux manually as discussed further above. If one chooses to make the changes manually, the ideal method was beautifully explained by @gridlocdev.

The COPR repo is an easy method to manage and can be reverted easily if desired. The COPR repo should be especially useful for those on immutable (Silverblue) Fedora installations as when changed manually the SELinux policy reverts during upgrades, at least it did in my experience migrating from Fedora Silverblue 36 to 37.

[ashquarky]

Hi @KyleGospo, thanks for the repo! unfortunately it didn't seem to work for me (F37 Workstation), even after a reboot, however running the commands manually in a terminal worked immediately. Is there some additional install or enable step beyond just installing the hl2linux-selinux package?

[KyleGospo]

Hi @KyleGospo, thanks for the repo! unfortunately it didn't seem to work for me (F37 Workstation), even after a reboot, however running the commands manually in a terminal worked immediately. Is there some additional install or enable step beyond just installing the hl2linux-selinux package?

It should work exactly as you described, are you using Flatpak Steam?

[jolty1]

Is anyone able to try the new x64_linux_test beta branch for TF2 ? Some libraries like SDL have been updated. SELinux workarounds may not be required now.

I am currently not on Fedora to try myself.

[misyltoad]

This is fixed in the x64_linux_test branch as Miles is no longer used for MP3 playback.

[HarleyGaniere]

Howdy,

As @Joshua-Ashton stated:

This is fixed in the x64_linux_test branch as Miles is no longer used for MP3 playback.

Currently, there is a 64-bit beta for Team Fortress 2, accessible in Properties -> Betas -> x64_test, which addresses the missing audio issue not only in Fedora but also in Fedora Silverblue (Flatpak), as well as in all SELinux-based distros I've tested. Multiplayer is not yet available in the 64-bit beta, so please be patient until a full release is issued.

I am finally closing this issue (nearly 8 years after my initial report, WOO!!!) as there is now an official fix implemented. 😃 🎉

In the meantime, until the 64-bit beta becomes stable, if anyone is looking to play the 32-bit version as it is currently, to fix follow @KyleGospo's COPR repo

Mutable/Workstation
sudo dnf copr enable kylegospo/hl2linux-selinux
sudo dnf install hl2linux-selinux

Immutable/Silverblue
sudo wget https://copr.fedorainfracloud.org/coprs/kylegospo/hl2linux-selinux/repo/fedora-$(rpm -E %fedora)/kylegospo-hl2linux-selinux-fedora-$(rpm -E %fedora).repo -O /etc/yum.repos.d/_copr_kylegospo-hl2linux-selinux.repo
rpm-ostree install hl2linux-selinux

or manually implement as explained by @Spowmtom and @gridlocdev
ausearch -c 'hl2_linux' --raw | audit2allow -M my-hl2linux
semodule -i my-hl2linux.pp