newsbeuter doesn´t trigger browser when pressing "o" when using firejail #3312

Closed
Rosika2 opened this issue Apr 2, 2020 · 48 comments
Labels
question_old (Deprecated; use "needinfo" or "question" instead) Further information is requested

Comments

@Rosika2

Rosika2 commented Apr 2, 2020

Hello everybody,

I´ve got a problem when running newsbeuter (RSS feed reader for the text console) in firejail.

My system is: BodhiLinux 5.1.0, 32bit (VM).

The command firejail newsbeuter itself works perfectly. The problem is that I cannot open a browser to read the feed contents.
The interactive key-stroke "o" should provide for that. But pressing "o" yields nothing.

Yet all works well when running newsbeuter normally (i.e. not within the sandbox).

Example:

env BROWSER=lynx newsbeuter works fine and lynx opens up within the terminal.

env BROWSER=lynx firejail newsbeuter runs newsbeuter alright but doesn´t trigger the browser.

Surely there´s something that could be modified within the "newsbeuter.profile". But I´m stuck here.
Currently it looks like this:

# Firejail profile for Newsboat
# Description: Text based Atom/RSS feed reader
# This file is overwritten after every install/update
# Persistent local customizations
include newsbeuter.local
# Persistent global definitions
# added by included profile
#include globals.local

noblacklist ${HOME}/.config/newsbeuter
noblacklist ${HOME}/.newsbeuter

mkdir ${HOME}/.config/newsbeuter
mkdir ${HOME}/.newsbeuter
whitelist ${HOME}/.config/newsbeuter
whitelist ${HOME}/.newsbeuter

private-bin newsbeuter

# Redirect
include newsboat.profile
include lynx.profile  # I added this one but to no avail

Any help is much appreciated.
Thanks a lot in advance.

Greetings.
Rosika

@rusty-snake
Collaborator

Can you try setting the BROWSER variable with firejail like this firejail --env=BROWSER=lynx newsbeuter.

@rusty-snake rusty-snake added the question_old (Deprecated; use "needinfo" or "question" instead) Further information is requested label Apr 2, 2020
@Rosika2
Author

Rosika2 commented Apr 2, 2020

@rusty-snake:
Hello. Nice to hear from you again and thanks for your reply.

Alas firejail --env=BROWSER=lynx newsbeuter doesn´t work either.
Hitting "o" has no effect at all.
Surely it has got to do something with the profile as running newsbeuter/lynx outside the sandbox works.
Greetings.
Rosika

@Rosika2
Author

Rosika2 commented Apr 2, 2020

additional info:

What strikes me as odd is the fact that using the default.profile results in even stranger behaviour:

firejail --profile=/etc/firejail/default.profile newsbeuter
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 20733, child pid 20734
Warning: cleaning all supplementary groups
Child process initialized in 76.29 ms
XDG: Konfigurationsverzeichnis '/home/rosika/.config/newsbeuter' nicht zugänglich, benutze stattdessen '/home/rosika/.newsbeuter'.
Starte newsbeuter 2.9...
Fehler: Eine Instanz von newsbeuter läuft bereits (PID: 0)

Parent is shutting down, bye...

It basically says that an instance of newsbeuter is already running (PID: 0) - which simply isn´t true!
Thus: shutdown.

@rusty-snake
Collaborator

  1. The default profile includes disable-programs.inc which blacklists ~/.config/newsbeuter.
  2. I missed the obvious private-bin. There is no lynx in the sandbox, try firejail --private-bin=lynx newsbeuter. I should really write some diff tools for firejail profiles.

@Rosika2
Author

Rosika2 commented Apr 2, 2020

Hi,
firejail --private-bin=lynx newsbeuter didn´t work either.
Neither did firejail --env=BROWSER=lynx --private-bin=lynx newsbeuter.
The problem remains. Sorry.

@rusty-snake
Collaborator

Ok then let's ignore any differences between the newsbeuter/newsboat profile and the lynx profile: --ignore=disable-mnt --ignore=private-bin --ignore=private-etc --ignore=memory-deny-write-execute --ignore=protocol --ignore=tracelog --ignore=nosound --ignore=nodbus --ignore=ipc-namespace --noblacklist=/tmp/.X11-unix '--noblacklist=${RUNUSER}/wayland-*' + comment every whitelist ${HOME}/… and include whitelist-common.inc.

Most likely it is one of the following: private-bin, mdwe, protocol (missing unix), whitelist ${HOME}, nodbus, ipc-namespace

@Rosika2
Author

Rosika2 commented Apr 3, 2020

@rusty-snake:
Hello again and thank you so much for your help.
I finally got everything running.
First of all I tried the lengthy command
env BROWSER=lynx firejail --ignore=disable-mnt --ignore=private-bin --ignore=private-etc --ignore=memory-deny-write-execute --ignore=protocol --ignore=tracelog --ignore=nosound --ignore=nodbus --ignore=ipc-namespace --noblacklist=/tmp/.X11-unix '--noblacklist=${RUNUSER}/wayland-*'
which was successful already. Typing "o" opened up lynx alright.
Then I took away one option after another to see which one works/doesn´t work.
It turns out that I need this one:
env BROWSER=lynx firejail --ignore=private-bin --ignore=private-etc newsbeuter

So what do you think, how should I modify the newsbeuter.profile?
Is it O.K. to add

ignore=private-bin
ignore=private-etc

in the profile?
And what about the private-bin newsbeuter-entry? May that remain in the file?

Thanks again for your help.
Greetings.
Rosika

@Minoru

Minoru commented Apr 3, 2020

Hi, former Newsbeuter and current Newsboat maintainer here. Both programs use system(3) to execute the browser, which in turn uses /bin/sh. So I wonder if firejail --private-bin=sh,lynx newsbeuter would work. @Rosika2, can you try that? (Don't know much about Firejail, so just a shot in the dark)

@Rosika2
Author

Rosika2 commented Apr 3, 2020

@Minoru:
Hi Alexander and thanks for your suggestion.
I tried the command you provided but sadly it didn´t work:

firejail --private-bin=sh,lynx newsbeuter
Reading profile /home/rosika/.config/firejail/newsbeuter.profile
Reading profile /etc/firejail/newsboat.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 8425, child pid 8426
Warning fcopy: skipping /etc/alternatives/orbd, cannot find inode
Warning fcopy: skipping /etc/alternatives/servertool, cannot find inode
Warning fcopy: skipping /etc/alternatives/servertool.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/tnameserv, cannot find inode
Warning fcopy: skipping /etc/alternatives/orbd.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/tnameserv.1.gz, cannot find inode
Warning: skipping crypto-policies for private /etc
Private /etc installed in 20.46 ms
4 programs installed in 9.51 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 121.89 ms
XDG: Datenverzeichnis '/home/rosika/.local/share/newsbeuter' nicht zugänglich, benutze stattdessen '/home/rosika/.newsbeuter'.
Starte newsbeuter 2.9...
Lade Konfiguration...Fertig.
Öffne Zwischenspeicher...Fertig.
Lade URLs von /home/rosika/.newsbeuter/urls...Fertig.
Lade Artikel aus dem Zwischenspeicher...Fertig.

Konfigurationsdatei /etc/lynx/lynx.cfg ist nicht zugänglich.   # config-file not available


Konfigurationsdatei /etc/lynx/lynx.cfg ist nicht zugänglich.


Konfigurationsdatei /etc/lynx/lynx.cfg ist nicht zugänglich.


Konfigurationsdatei /etc/lynx/lynx.cfg ist nicht zugänglich.


Konfigurationsdatei /etc/lynx/lynx.cfg ist nicht zugänglich.


Konfigurationsdatei /etc/lynx/lynx.cfg ist nicht zugänglich.

Bereinige Zwischenspeicher...Fertig.

So until now the command env BROWSER=lynx firejail --ignore=private-bin --ignore=private-etc newsbeuter remains the only one to work.
But thanks a lot for your input.
Greetings.
Rosika

@rusty-snake
Collaborator

If firejail --private-bin=sh,lynx --ignore=private-etc newsbeuter works, can you try firejail --private-bin=sh,lynx --private-etc=lynx newsbeuter

@Rosika2
Author

Rosika2 commented Apr 4, 2020

@rusty-snake:
Hi and thanks again.
I tried the two commands - with different results:
firejail --private-bin=sh,lynx --ignore=private-etc newsbeuter doesn´t work. The same results as before: newsbeuter is alright but lynx won´t open up.

firejail --private-bin=sh,lynx --private-etc=lynx newsbeuter however works just fine. Newsbeuter and lynx run perfectly.
So that´s the command I´m going for.
Thank you so much for your help.
Greetings.
Rosika

@Rosika2 Rosika2 closed this as completed Apr 4, 2020
@Rosika2 Rosika2 reopened this Apr 16, 2020
@Rosika2
Author

Rosika2 commented Apr 16, 2020

Hello again,

as everything works fine now an additional question came up:

I´d very much like to use w3m instead of lynx as a browser.
So I thought I could switch over to w3m by using this command:
firejail --private-bin=sh,w3m --private-etc=w3m newsbeuter

Alas this won´t work. Pressing "o" won´t trigger any browser at all.
Any ideas how I could get w3m to work as a browser within newsbeuter (in firejail of course)?

Thanks a lot in advance.

Greetings.
Rosika

@rusty-snake
Collaborator

No hints even in the syslog?

Based on the w3m profile, you can try adding this to your newsbeuter.local. If it works you can harden it.

noblacklist ${HOME}/.w3m
include allow-perl.inc
ignore private-bin
ignore memory-deny-write-execute

@Rosika2
Author

Rosika2 commented Apr 17, 2020

@rusty-snake:
Hi again and thanks for your help.

No hints even in the syslog?
It seems not. tail -f /var/log/syslog doesn´t show any newsbeuter- or w3m-related entries.

Based on the w3m profile, you can try adding this to your newsbeuter.local
Funny thing: I don´t seem to have a newsbeuter.local-file despite the fact that the newsbeuter.profile refers to it. This is the newsbeuter.profile:

# Firejail profile for Newsboat
# Description: Text based Atom/RSS feed reader
# This file is overwritten after every install/update
# Persistent local customizations
include newsbeuter.local
# Persistent global definitions
# added by included profile
#include globals.local

noblacklist ${HOME}/.config/newsbeuter
noblacklist ${HOME}/.newsbeuter

mkdir ${HOME}/.config/newsbeuter
mkdir ${HOME}/.newsbeuter
whitelist ${HOME}/.config/newsbeuter
whitelist ${HOME}/.newsbeuter

private-bin newsbeuter

# Redirect
include newsboat.profile

So should I create newsbeuter.local manually? And then: should I place it in /etc/firejail as well?

Greetings.
Rosika

@rusty-snake
Collaborator

So should I create newsbeuter.local manually? And then: should I place it in /etc/firejail as well?

Yes. Yes or in .config/firejail. Alternatively you can put it in your newsbeuter.profile anywhere before the # Redirect.

Uhh and maybe you need to also mkdir and whitelist ${HOME}/.w3m.

@Rosika2
Author

Rosika2 commented Apr 17, 2020

@rusty-snake:
Hi and thanks again.
I did all you suggested but unfortunately it still doesn´t work. w3m won´t open up.
I put the newsbeuter.profile in ~/.config.firejail and now it looks like that:

# Firejail profile for Newsboat
# Description: Text based Atom/RSS feed reader
# This file is overwritten after every install/update
# Persistent local customizations
include newsbeuter.local
# Persistent global definitions
# added by included profile
#include globals.local

noblacklist ${HOME}/.config/newsbeuter
noblacklist ${HOME}/.newsbeuter

mkdir ${HOME}/.config/newsbeuter
mkdir ${HOME}/.newsbeuter
mkdir ${HOME}/.w3m
whitelist ${HOME}/.config/newsbeuter
whitelist ${HOME}/.newsbeuter
whitelist ${HOME}/.w3m

private-bin newsbeuter
noblacklist ${HOME}/.w3m
include allow-perl.inc
ignore private-bin
ignore memory-deny-write-execute

# Redirect
include newsboat.profile

Using the command firejail --private-bin=sh,w3m --private-etc=w3m newsbeuter still won´t trigger w3m as browser. In fact it has no effect at all.
Terminal says:

firejail --private-bin=sh,w3m --private-etc=w3m newsbeuter
Reading profile /home/rosika/.config/firejail/newsbeuter.profile
Reading profile /etc/firejail/allow-perl.inc
Reading profile /etc/firejail/newsboat.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 14769, child pid 14770
Warning fcopy: skipping /etc/alternatives/orbd, cannot find inode
Warning fcopy: skipping /etc/alternatives/servertool, cannot find inode
Warning fcopy: skipping /etc/alternatives/servertool.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/tnameserv, cannot find inode
Warning fcopy: skipping /etc/alternatives/orbd.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/tnameserv.1.gz, cannot find inode
Warning: skipping crypto-policies for private /etc
Private /etc installed in 24.56 ms
4 programs installed in 9.42 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 5949200269312.00 ms
XDG: Datenverzeichnis '/home/rosika/.local/share/newsbeuter' nicht zugänglich, benutze stattdessen '/home/rosika/.newsbeuter'.
Starte newsbeuter 2.9...
Lade Konfiguration...Fertig.
Öffne Zwischenspeicher...Fertig.
Lade URLs von /home/rosika/.newsbeuter/urls...Fertig.
Lade Artikel aus dem Zwischenspeicher...Fertig.
sh: 1: lynx: Permission denied
sh: 1: lynx: Permission denied
sh: 1: lynx: Permission denied
Bereinige Zwischenspeicher...Fertig.

Parent is shutting down, bye...


Greetings.
Rosika

@Rosika2 Rosika2 closed this as completed Apr 17, 2020
@Rosika2 Rosika2 reopened this Apr 17, 2020
@Minoru

Minoru commented Apr 17, 2020

sh: 1: lynx: Permission denied

Have you added browser "w3m" to /home/rosika/.newsbeuter/config? Looks like you didn't, and it tries to run lynx (which is the default browser).

@Rosika2
Author

Rosika2 commented Apr 17, 2020

@Minoru:
Hi Alexander,
thanks.
Well, I created the config-file: touch ~/.newsbeuter/config and then put browser "w3m" as the single entry in it.
Now firejail --private-bin=sh,w3m --private-etc=w3m newsbeuter partly works.
Pressing "o" opens up w3m alright but doesn´t display anything.
The last line says: "<< Viiewing [SSL] <...> No Line"

Thanks again.
Greetings. Rosika.

@rusty-snake
Collaborator

XDG: Datenverzeichnis '/home/rosika/.local/share/newsbeuter' nicht zugänglich, benutze stattdessen '/home/rosika/.newsbeuter'.

noblacklist ${HOME}/.local/share/newsbeuter + whitelist + mkdir ( + blacklist in disable-programs.inc) to fix this.

Can you try it with firejail newsbeuter. w3m needs perl and maybe other things, so I would first get it to run w/o private-bin and then figure out which programs are needed.

@Rosika2
Author

Rosika2 commented Apr 17, 2020

@rusty-snake:
O.K. But how exactly? Do I understand it correctly this way:

noblacklist ${HOME}/.local/share/newsbeuter
mkdir ${HOME}/.local/share/newsbeuter
whitelist ${HOME}/.local/share/newsbeuter

in the newsbeuter.profile and

# newsbeuter
blacklist ${HOME}/.local/share/newsbeuter

in disable-programs.inc ?

@Minoru

Minoru commented Apr 17, 2020

@rusty-snake

XDG: Datenverzeichnis '/home/rosika/.local/share/newsbeuter' nicht zugänglich, benutze stattdessen '/home/rosika/.newsbeuter'.

noblacklist ${HOME}/.local/share/newsbeuter + whitelist + mkdir ( + blacklist in disable-programs.inc) to fix this.

Oh, this isn't an error in need of fixing, it's just a message. Newsbeuter checks if XDG dir is available, and if not, it falls back to the dotdir. Further on we see that ~/.newsbeuter/urls is loaded just fine; that indicates that @Rosika2 is indeed using the dotdir. (Though I understand that the general-purpose Firejail profile would whitelist both dirs)

I think @Rosika2 should concentrate on running w3m standalone. Is Firejail blocking network access for it? I don't see any other reason for w3m to start but fail to connect to the site.

@rusty-snake
Collaborator

(Though I understand that the general-purpose Firejail profile would whitelist both dirs)

It should, will fix this later.

Is Firejail blocking network access for it?

No, but AF_UNIX sockets. @Rosika2 add also protocol unix,inet,inet6. disable-exec.inc isn't included in the w3m profile. IDK, but I don't think that this is it.

@Rosika2
Author

Rosika2 commented Apr 18, 2020

@Minoru:
Hi and thanks for the comment.

I think @Rosika2 should concentrate on running w3m standalone

Yes, I think that´s the best way.

Tnx for your help.
Greetings
Rosika

@Rosika2
Author

Rosika2 commented Apr 18, 2020

@rusty-snake:
Thanks.

add also protocol unix,inet,inet6

Sorry for asking again, but where should I put the entries? In the w3m-profile?

@rusty-snake
Collaborator

No, in the newsbeuter.profile/.local.

@Rosika2
Author

Rosika2 commented Apr 18, 2020

@rusty-snake:
Thanks. Yet I seem to be mentally blocked or incapacitated.
I´ve got the newsbeuter.profile alright. But what and where is the "local"-part of
newsbeuter.profile/.local?

Sorry for asking again.

@Rosika2
Author

Rosika2 commented Apr 18, 2020

I just looked up newsbeuter.profile. It says:
include newsbeuter.local.
But I´ve got no such file.

@rusty-snake
Collaborator

The system behind this is that /etc/firejail/newsbeuter.profile is overridden on every update of firejail. If you want to customize it, you could copy it to ~/.config/firejail/newsbeuter.profile, but then you don't get fixes/new features on the next update. Therefore every profile has an include profile_name.local which is not distributed with firejail and must be created by the user if he/she wants (small) changes in a profile. There is also a globals.local for options applied to every profile.

@Rosika2
Author

Rosika2 commented Apr 18, 2020

@rusty-snake:
Thanks for the clarification. O.K. I´ve learnt something new again.

I´ve now created the file with touch /etc/firejail/newsbeuter.local and put protocol unix,inet,inet6 in it.
In /home/rosika/.newsbeuter/config I put browser "w3m".
The command I used is firejail --private-bin=sh,w3m --private-etc=w3m newsbeuter.
But the problem remains.

Pressing "o" opens up w3m.
"Opening socket" .... and then the web-site should be displayed but it remains empty. "No Line".
Pressing "c" however yields the respective url.
In my example: www.zdf.de/nachrichten/panorama/stars-promi-news-bilder-aktuell-april-100.html

Well, we certainly did all we could. It seems w3m is not cut out for this purpose.
I think I´ll have to stick to lynx then.
That doesn´t really matter much. It´s just that I like w3m better. But that´s rather a "luxury problem".

So sorry to have taken up so much of your time.
But your help is much appreciated and I´ve learnt quite a few things, too.

Thanks again to @rusty-snake and @Minoru . Have a nice and healthy weekend.

Greetings.
Rosika

@rusty-snake
Collaborator

@Rosika2 have you tried it with only firejail newsbeuter? As I said above, w3m needs perl and maybe some other stuff.

@Rosika2
Author

Rosika2 commented Apr 18, 2020

@rusty-snake:
Yes, I´ve tried but that´s even worse.
Newsbeuter works alright but w3m won´t open up at all. Pressing "o" has no effect at all.
Here´s the terminal output:

firejail newsbeuter
Reading profile /home/rosika/.config/firejail/newsbeuter.profile
Reading profile /etc/firejail/newsbeuter.local
Reading profile /etc/firejail/allow-perl.inc
Reading profile /etc/firejail/newsboat.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Warning: two protocol lists are present, "unix,inet,inet6" will be installed
Parent pid 11079, child pid 11080
Warning fcopy: skipping /etc/alternatives/orbd, cannot find inode
Warning fcopy: skipping /etc/alternatives/servertool, cannot find inode
Warning fcopy: skipping /etc/alternatives/servertool.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/tnameserv, cannot find inode
Warning fcopy: skipping /etc/alternatives/orbd.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/tnameserv.1.gz, cannot find inode
Warning: skipping crypto-policies for private /etc
Private /etc installed in 21.32 ms
1 program installed in 3.85 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 5938679382016.00 ms
XDG: Datenverzeichnis '/home/rosika/.local/share/newsbeuter' nicht zugänglich, benutze stattdessen '/home/rosika/.newsbeuter'.
Starte newsbeuter 2.9...
Lade Konfiguration...Fertig.
Öffne Zwischenspeicher...Fertig.
Lade URLs von /home/rosika/.newsbeuter/urls...Fertig.
Lade Artikel aus dem Zwischenspeicher...Fertig.
Bereinige Zwischenspeicher...Fertig.

Parent is shutting down, bye...

@Rosika2
Author

Rosika2 commented Apr 18, 2020

No idea if it helps at all.
The weirdest thing:
Although not displaying the website-content at all ("No Line") w3m seems to be functional after all.

When typing an URL directly (example: ubuntuusers.de) after typing "U" for direct url-entry,
the website is displayed alright!

@Minoru

Minoru commented Apr 18, 2020

That sounds like Newsbeuter doesn't pass the URL to w3m, but I just took a look at the relevant part of the code and it seems impossible =\ (The code didn't change much since then, so it should work the same even if your distro backported some newer changes)

@Rosika2
Author

Rosika2 commented Apr 18, 2020

@Minoru:
Thanks for looking that up.
Even weirder:
Only some urls are working. Like ubuntuusers.de which loads perfectly.
But e.g. linuxquestions.org yields the same empty screen with the "No Lines" remark.

But it´s not a specific w3m-problem as both sites (and every site for that matter) load perfectly when starting a standalone instance of w3m.
It´s just the interaction of w3m and newsbeuter that creates this weirdness.

Never mind. As already said, I´ll go for lynx then.

Thanks so much.
Greetings. Rosika

@Minoru

Minoru commented Apr 18, 2020

@Rosika2, if you don't mind, I'd still like to delve a bit deeper.

  1. Can you reproduce this without Firejail?

  2. If you have Newsboat installed, can you reproduce it there?

If this is a bug in Newsbeuter and it still exists in Newsboat, I'd like to know about it. Thanks!

@Rosika2
Author

Rosika2 commented Apr 19, 2020

@Minoru:
Hi Alexander and thank you so much for your persistence.

Can you reproduce this without Firejail?

Well, I´ll be blessed. Up and until now I´ve never tried this.
I did the following:
touch /home/rosika/.newsbeuter/alternative_config2
and filled alternative_config2 with the following content:

auto-reload yes
reload-time 30
browser "w3m"
color background          white   black
color listnormal          white   black
color listfocus           yellow  blue   bold
color listnormal_unread   magenta black
color listfocus_unread    magenta blue   bold
color info                yellow  blue   bold
color article             white   black

The command newsbeuter -C /home/rosika/.newsbeuter/alternative_config2
really works as desired.
Newsbeuter performs perfectly together with w3m, which opens up the url alright.
So the issue seems to be rooted in firejail.

If you have Newsboat installed, can you reproduce it there?

I don´t have newsboat. Yet I may install it.
apt-cache show newsboat says:

[...] Successor of newsbeuter [...]

So before installing it: do you know if I can install it alongside newsbeuter?

Greetings. Rosika

@Minoru

Minoru commented Apr 19, 2020

The command newsbeuter -C /home/rosika/.newsbeuter/alternative_config2 really works as desired.

Great, thanks!

do you know if I can install it alongside newsbeuter?

Yes, you can. Newsboat stores its data in ~/.newsboat, so it won't conflict with Newsbeuter. On the first run, Newsboat will copy data from Newsbeuter; afterwards, it'll keep using its own copy.

@Rosika2
Author

Rosika2 commented Apr 19, 2020

@Minoru:
Hi again and thanks for the info and the link. Much appreciated.

Now that I´ve successfully installed newsboat I can tell you the following:

These commands do work with lynx or w3m as browser:

  • newsboat
  • firejail --profile=/etc/firejail/default.profile newsboat
  • firejail --noprofile newsboat

This doesn´t work:

  • firejail newsboat
    That way newsboat doesn´t seem to be able to read the urls-file:
firejail newsboat
Reading profile /etc/firejail/newsboat.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 8563, child pid 8564
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 26.96 ms
1 program installed in 9.12 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 120.99 ms
Starting newsboat 2.10.2...
Loading configuration...done.
Opening cache...done.
Loading URLs from /home/rosika2/.newsboat/urls...done.
Error: no URLs configured. Please fill the file /home/rosika2/.newsboat/urls with RSS feed URLs or import an OPML file.

newsboat 2.10.2 [...]

Greetings. Rosika

@Minoru

Minoru commented Apr 19, 2020

firejail newsboat
That way newsboat doesn´t seem to be able to read the urls-file:

I guess this needs to be fixed in order for us to check if the bug is reproducible with Newsboat.
Newsboat's profile appears to whitelist access to ~/.newsboat, so I wonder what's going on. @Rosika2, you sure the urls file is not empty? @rusty-snake, do you have any insights into this (perhaps whitelisting doesn't mean what I think it means)?

@Rosika2
Author

Rosika2 commented Apr 19, 2020

Hi,

@Rosika2, you sure the urls file is not empty?

Yes, the urls-file is definitively filled with my example-entries.

N E W_I N F O R M A T I O N :

(don´t know if it helps at all):

Now I performed a direct comparison of those commands:

firejail --profile=/etc/firejail/default.profile newsboat -C /home/rosika2/.config/newsboat/alternative_config2
and
firejail --profile=/etc/firejail/default.profile newsbeuter -C /home/rosika2/.newsbeuter/alternative_config2

There´s a fundamental difference between them:

The newsboat-command works perfectly (including all browsers)
The newsbeuter-command fails to even start:

firejail --profile=/etc/firejail/default.profile newsbeuter -C /home/rosika2/.newsbeuter/alternative_config2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 9819, child pid 9820
Warning: cleaning all supplementary groups
Child process initialized in 40.45 ms
XDG: configuration directory '/home/rosika2/.config/newsbeuter' not accessible, using '/home/rosika2/.newsbeuter' instead.
Starting newsbeuter 2.9...
Error: an instance of newsbeuter is already running (PID: 0)  # ???????????????????

Parent is shutting down, bye...

There´s definitively no instance of newsbeuter running. I don´t understand the error-message.

Greetings. Rosika

@Minoru

Minoru commented Apr 19, 2020

Error: an instance of newsbeuter is already running (PID: 0)

The most common cause for this is "wrong" location for the cache file, but I don't see this happening in your case. Another reason might be inaccessible location for the cache file, but again, this doesn't look like your case. (We intend to improve the message in Newsboat, just haven't gotten around to it yet; see newsboat/newsboat#314)

@Rosika2, thanks for keeping digging! Can you try without -C? Would results be the same?

(I understand Newsboat works fine, so technically I'm all done here, but I'm puzzled by Newsbeuter behaving like it does. It should work the same as Newsboat here, I don't see any material difference in this regard)

@Rosika2
Author

Rosika2 commented Apr 19, 2020

Hi and thanks for the link,

thanks for keeping digging!

You´re welcome. It´s my pleasure.

firejail --profile=/etc/firejail/default.profile newsbeuter
also fails to start. The same as before.

firejail --profile=/etc/firejail/default.profile newsboat
works well (including both browsers)

I understand Newsboat works fine

Yes, but only when using the default.profile. If the newsboat.profile is loaded pressing "o" won´t trigger any browser at all.

Thank you so much for your help.
Greetings. Rosika

@Minoru

Minoru commented Apr 19, 2020

firejail --profile=/etc/firejail/default.profile newsbeuter also fails to start. The same as before.

I'm out of ideas now. :( Firejail profile looks okay to me, and if Newsbeuter works outside of Firejail, I don't see why it should fail inside it. Sorry for taking up so much of your time investigating this, @Rosika2.

If the newsboat.profile is loaded pressing "o" won´t trigger any browser at all.

Got it. @rusty-snake, perhaps newsboat.profile should include lynx.profile, so the default configuration works without any intervention from the user? I don't know anything about Firejail, though; if it's hard to "subtract" profiles later, i.e. deny access to lynx once the user switches to some other browser, I'd understand why lynx is not part of newsboat.profile.

@Rosika2
Author

Rosika2 commented Apr 19, 2020

@Minoru:

Sorry for taking up so much of your time investigating this,

That´s really O.K.
I´m glad for your help and I´ve learnt a lot, to say the least.
Anyway I can proceed now with using newsbeuter and newsboat as well.

So thank you again for your help and persistence.
Have a nice (and healthy) Sunday and many greetings.
Rosika

@Rosika2 Rosika2 closed this as completed Apr 19, 2020
@matu3ba
Contributor

matu3ba commented Apr 19, 2020

@Minoru This would mean user-based installation derivement of the setup or dynamic loading. Additionally this would mean even more complexity on maintaining.
I will formulate something in the issue formular about the interaction of programs/default programs.

@rusty-snake
Collaborator

I can't really follow this anymore, if there's anything left please post it.

FYI: default.profile includes disable-programs.inc which blacklists ~/.newsbeuter and so on.

@Rosika2
Author

Rosika2 commented Apr 20, 2020

@rusty-snake:
Thank you so much for your help.
Tnx also for the default.profile explanation.

Greetings. Rosika

@Rosika2
Author

Rosika2 commented Apr 20, 2020

@ALL:
UPDATE
Sorry for getting back to you again although we decided to close the thread but I just want to let anybody who is interested know: S U C C E S S !!!!!!!!

You wouldn´t believe but I finally got it running the way I wanted to.
What I did was the following:

I took the command
firejail --ignore=disable-mnt --ignore=private-bin --ignore=private-etc --ignore=memory-deny-write-execute --ignore=protocol --ignore=tracelog --ignore=nosound --ignore=nodbus --ignore=ipc-namespace --noblacklist=/tmp/.X11-unix '--noblacklist=${RUNUSER}/wayland-*' newsbeuter
which @rusty-snake suggested 18 days ago.

To be more precise: I used these firejail-options with
newsbeuter -C /home/rosika/.newsbeuter/alternative_config2
The alternative_config2 looks like this:

auto-reload yes
reload-time 30
browser "w3m"
color background          white   black
color listnormal          white   black
color listfocus           yellow  blue   bold
color listnormal_unread   magenta black
color listfocus_unread    magenta blue   bold
color info                yellow  blue   bold
color article             white   black

And now it worked. w3m opens up alright, plus: it doesn´t show "No Line" any more but displays the website correctly.
As a second step I took away one option after another to see whether the reduced command still worked.
I finally arrived at this minimal working command:
firejail --ignore=private-bin newsbeuter -C /home/rosika/.newsbeuter/alternative_config2
So after all the investigation it seems that --ignore=private-bin holds the key to success.

Thanks again to all of you for your help.
Greetings.
Rosika
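
Added example (not part of the thread and not Firejail's own code): a small Python model of the profile chain discussed above, reporting which private-bin / private-etc entries are missing for a browser that the reader starts through system(3), so the lists can be extended instead of switched off with ignore. The profile contents are constructed and trimmed, and the processing rules (lines handled in read order, ignore affecting only lines read after it, lists accumulating, command line processed first) are assumptions of this model.

```python
"""Simplified model of a firejail profile chain (added example, constructed data)."""

# Constructed, trimmed profiles. "newsbeuter-edited.profile" mirrors the edit
# from the thread where `ignore private-bin` was placed *after* `private-bin`.
PROFILES = {
    "newsbeuter.profile": """
# Persistent local customizations
include newsbeuter.local
private-bin newsbeuter
include newsboat.profile
""",
    "newsbeuter-edited.profile": """
include newsbeuter.local
private-bin newsbeuter
ignore private-bin
include newsboat.profile
""",
    # private-etc list is a constructed sample, not the shipped one.
    "newsboat.profile": """
private-bin newsboat
private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
""",
}

LIST_DIRECTIVES = ("private-bin", "private-etc")


def resolve(entry, profiles, cli=()):
    """Return the effective lists; None means the directive never took effect."""
    state = {d: None for d in LIST_DIRECTIVES}
    ignored = []

    def feed(line):
        line = line.strip()
        if not line or line.startswith("#"):
            return
        # Assumption: an ignore entry drops matching lines read from now on.
        if any(line == i or line.startswith(i + " ") for i in ignored):
            return
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()
        if cmd == "ignore":
            ignored.append(arg)
        elif cmd == "include":
            # A missing file (e.g. an uncreated *.local) contributes nothing.
            for sub in profiles.get(arg, "").splitlines():
                feed(sub)
        elif cmd in LIST_DIRECTIVES:
            items = [x.strip() for x in arg.split(",") if x.strip()]
            state[cmd] = (state[cmd] or []) + items

    for opt in cli:  # "--private-bin=sh,lynx" -> "private-bin sh,lynx"
        feed(opt.lstrip("-").replace("=", " ", 1))
    for line in profiles[entry].splitlines():
        feed(line)
    return state


def missing_for_browser(state, browser, etc_entry=None):
    """List what the sandbox lacks for system(3) to start `browser`.

    system(3) runs the command through /bin/sh, so `sh` must be present
    next to the browser binary whenever private-bin is in effect.
    """
    problems = []
    bins = state["private-bin"]
    if bins is not None:
        problems += [f"private-bin lacks {b}" for b in ("sh", browser) if b not in bins]
    etc = state["private-etc"]
    if etc is not None and etc_entry and etc_entry not in etc:
        problems.append(f"private-etc lacks {etc_entry}")
    return problems


if __name__ == "__main__":
    cases = [
        ("newsbeuter.profile", (), "lynx", "lynx"),
        ("newsbeuter.profile", ("--private-bin=sh,lynx",), "lynx", "lynx"),
        ("newsbeuter.profile", ("--private-bin=sh,lynx", "--private-etc=lynx"), "lynx", "lynx"),
        ("newsbeuter-edited.profile", (), "w3m", None),
        ("newsbeuter.profile", ("--ignore=private-bin",), "w3m", None),
    ]
    for entry, cli, browser, etc_entry in cases:
        state = resolve(entry, PROFILES, cli)
        report = missing_for_browser(state, browser, etc_entry) or ["nothing missing"]
        print(f"{entry} {' '.join(cli)} [{browser}]: {'; '.join(report)}")
```

In this model the edited profile still ends up with private-bin containing only newsbeuter, because the ignore line comes after the private-bin line it was meant to suppress.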
