Bug 2214298

Summary: selinux prevents widevine from running for users with home on nfs
Product: Red Hat Enterprise Linux 9 Reporter: Tomasz Kepczynski <tomek>
Component: selinux-policyAssignee: Nikola Knazekova <nknazeko>
Status: VERIFIED --- QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 9.2CC: apeetham, lvrabec, mmalik, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-38.1.20-1.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2023-08-08   

Description Tomasz Kepczynski 2023-06-12 14:02:41 UTC 
Description of problem:
As in title really. I have a few users which use NFS home directories and at least the two of them cannot what or listen to any DRM content, widevine plugin just crashes.
I also CAN use widevine on very similar setup with different user. The difference, as it turns out is that home directory is local.
I've been puzzled by this for long time and couldn't figure out what's the problem until I've got the following alert from selinux troubleshooter:

>>>

SELinux is preventing /usr/lib64/firefox/plugin-container from execute access on the file /home/stas/.mozilla/firefox/tume5q04.default-1522558463886-1646759468485/gmp-widevinecdm/4.10.2557.0/libwidevinecdm.so.

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that plugin-container should be allowed execute access on the libwidevinecdm.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'MainThread' --raw | audit2allow -M my-MainThread
# semodule -X 300 -i my-MainThread.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:nfs_t:s0
Target Objects                /home/stas/.mozilla/firefox/tume5q04.default-15225
                              58463886-1646759468485/gmp-
                              widevinecdm/4.10.2557.0/libwidevinecdm.so [ file ]
Source                        MainThread
Source Path                   /usr/lib64/firefox/plugin-container
Port                          <Unknown>
Host                          geralt.jot23.net
Source RPM Packages           firefox-102.11.0-2.el9_2.alma.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
Local Policy RPM              selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     geralt.jot23.net
Platform                      Linux geralt.jot23.net
                              5.14.0-284.11.1.el9_2.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue May 9 05:49:00 EDT 2023 x86_64
                              x86_64
Alert Count                   1
First Seen                    2023-06-12 15:51:23 CEST
Last Seen                     2023-06-12 15:51:23 CEST
Local ID                      1cae25af-93dd-4aef-8f73-3af28f0fe913

Raw Audit Messages
type=AVC msg=audit(1686577883.687:165): avc:  denied  { execute } for  pid=3405 comm="MainThread" path="/home/stas/.mozilla/firefox/tume5q04.default-1522558463886-1646759468485/gmp-widevinecdm/4.10.2557.0/libwidevinecdm.so" dev="0:53" ino=3541558 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1686577883.687:165): arch=x86_64 syscall=mmap success=no exit=EACCES a0=7fa810e2c000 a1=5a6000 a2=5 a3=812 items=0 ppid=2647 pid=3405 auid=20000006 uid=20000006 gid=20000006 euid=20000006 suid=20000006 fsuid=20000006 egid=20000006 sgid=20000006 fsgid=20000006 tty=(none) ses=5 comm=MainThread exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: MainThread,mozilla_plugin_t,nfs_t,file,execute

<<<

/home/stas is NFS share.

The point is that loading the suggested module immediately helped. Here is the module:

>>>

geralt:~/tmp# cat my-MainThread.te 

module my-MainThread 1.0;

require {
        type mozilla_plugin_t;
        type nfs_t;
        class file execute;
}

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t nfs_t:file execute;

<<<

Not sure if this should be the solution, in ideal world setting use_nfs_home_dirs to 1 should suffice (by the way - it IS set to 1).

Version-Release number of selected component (if applicable):
selinux-policy-38.1.11-2.el9_2.2.noarch
selinux-policy-targeted-38.1.11-2.el9_2.2.noarch

How reproducible:
ALWAYS

Actual results:
Widevine doesn't load, cannot use DRM in Firefox.

Expected results:
Widevine works.

Additional info:
I've seen it at least since previous major RHEL version (8), but used CentOS and AlmaLinux back then. The above information comes from AlmaLinux 9.2, not RHEL.
Comment 1 Nikola Knazekova 2023-06-15 08:13:37 UTC 
Hi Tomasz,

Do you know what is executing in that path? 

Can you reproduce the issue in permissive mode with full auditing enabled?

Permissive mode:
# setenforce 0

Full Audit:
1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today


Thank you,
Nikola
Comment 2 Tomasz Kepczynski 2023-06-15 17:41:43 UTC 
I believe this is the only relevant entry (the rest is /usr/bin/plasmashell):

----
type=PROCTITLE msg=audit(15.06.2023 19:37:06.157:2349) : proctitle=/usr/lib64/firefox/plugin-container /home/tomek/.mozilla/firefox/default/gmp-widevinecdm/4.10.2557.0 13316 gmplugin 
type=MMAP msg=audit(15.06.2023 19:37:06.157:2349) : fd=17 flags=MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE 
type=SYSCALL msg=audit(15.06.2023 19:37:06.157:2349) : arch=x86_64 syscall=mmap success=yes exit=139730748620800 a0=0x7f1599a2c000 a1=0x5a6000 a2=PROT_READ|PROT_EXEC a3=MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE items=0 ppid=13316 pid=13774 auid=tomek uid=tomek gid=tomek euid=tomek suid=tomek fsuid=tomek egid=tomek sgid=tomek fsgid=tomek tty=(none) ses=3 comm=MainThread exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(15.06.2023 19:37:06.157:2349) : avc:  denied  { execute } for  pid=13774 comm=MainThread path=/home/tomek/.mozilla/firefox/default/gmp-widevinecdm/4.10.2557.0/libwidevinecdm.so dev="0:55" ino=4607770 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1 
----
Comment 3 Nikola Knazekova 2023-08-01 19:14:39 UTC 
PR: https://github.com/fedora-selinux/selinux-policy/pull/1809