| Summary: | widevine/plugin container issue with selinux | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Davide Corrado <davide.corrado> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 24 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pmoore, ssekidde |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-14 15:38:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem: SELinux issue netflix can be tricked into thinking your firefox session is a chrome session (using a plugin), so widevine can be used instead of other drm solutions (ie silverlight). Anyway, in my current installation, plugin container is blocked by selinux Version-Release number of selected component (if applicable): 24 How reproducible: install user-agent-switcher and select chrome on linux for www.netflix.com, visit netflix, install drm (widevine), try to watch anything Steps to Reproduce: 1. read above 2. 3. Actual results: not playback Expected results: playback Additional info: selinux debug: SELinux is preventing plugin-containe from 'read, write' accesses on the chr_file /dev/tty2. ***** Plugin mozplugger (99.1 confidence) suggests ************************ If you want to use the plugin package Then you must turn off SELinux controls on the Firefox plugins. Do # setsebool -P unconfined_mozilla_plugin_transition 0 ***** Plugin catchall (1.81 confidence) suggests ************************** If you believe that plugin-containe should be allowed read write access on the tty2 chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine # semodule -X 300 -i my-plugincontaine.pp Additional Information: Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c 0.c1023 Target Context system_u:object_r:tty_device_t:s0 Target Objects /dev/tty2 [ chr_file ] Source plugin-containe Source Path plugin-containe Port <Unknown> Host deathstar.XXX Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-191.17.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name deathstar.XXX Platform Linux deathstar.kicks-ass.org 4.7.5-200.fc24.x86_64 #1 SMP Mon Sep 26 21:25:47 UTC 2016 x86_64 x86_64 Alert Count 8 First Seen 2016-10-06 10:05:03 CEST Last Seen 2016-10-06 17:54:18 CEST Local ID 529a1d98-ebf6-47fc-9577-5c71c93f09a2 Raw Audit Messages type=AVC msg=audit(1475769258.215:446): avc: denied { read write } for pid=28603 comm="plugin-containe" path="/dev/tty2" dev="devtmpfs" ino=1043 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0 Hash: plugin-containe,mozilla_plugin_t,tty_device_t,chr_file,read,write and: SELinux is preventing plugin-containe from sys_admin access on the cap_userns Unknown. ***** Plugin mozplugger (99.1 confidence) suggests ************************ If you want to use the plugin package Then you must turn off SELinux controls on the Firefox plugins. Do # setsebool -P unconfined_mozilla_plugin_transition 0 ***** Plugin catchall (1.81 confidence) suggests ************************** If you believe that plugin-containe should be allowed sys_admin access on the Unknown cap_userns by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine # semodule -X 300 -i my-plugincontaine.pp Additional Information: Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c 0.c1023 Target Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c 0.c1023 Target Objects Unknown [ cap_userns ] Source plugin-containe Source Path plugin-containe Port <Unknown> Host deathstar.XXX Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-191.20.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name deathstar.kicks-ass.org Platform Linux deathstar.XXX 4.8.6-201.fc24.x86_64 #1 SMP Thu Nov 3 14:38:57 UTC 2016 x86_64 x86_64 Alert Count 19 First Seen 2016-11-13 12:07:22 CET Last Seen 2016-11-13 12:40:54 CET Local ID 50cd47a8-3f53-47b2-a8a2-41f63e05e89d Raw Audit Messages type=AVC msg=audit(1479037254.106:322): avc: denied { sys_admin } for pid=4196 comm="plugin-containe" capability=21 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0 Hash: plugin-containe,mozilla_plugin_t,mozilla_plugin_t,cap_userns,sys_admin