Description of problem:
The default SELinux policy prevents running Netflix with Firefox 49 and its DRM plugin. This is now (as far as I'm aware) the only option on vanilla Fedora to access such content.

Version-Release number of selected component (if applicable):
Installed Packages
Name        : firefox
Arch        : x86_64
Epoch       : 0
Version     : 49.0
Release     : 2.fc24
Size        : 133 M
Repo        : @System
From repo   : updates

Installed Packages
Name        : selinux-policy
Arch        : noarch
Epoch       : 0
Version     : 3.13.1
Release     : 191.16.fc24
Size        : 18 k
Repo        : @System
From repo   : updates

How reproducible:
Always.

Steps to Reproduce:
1. Enable DRM plugin: Preferences > Content > Play DRM content
2. Install Useragent spoofing plugin and set for Netflix: Linux / Chrome 53: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/53.0.2785.34 Safari/537.36
3. Login to Netflix and try playing content.

Actual results:
SELinux warnings and page not loading or sometimes showing an error.

Expected results:
Playing video.

Additional info:
I first confirmed that this was an SELinux issue with the following temporarily:

    sudo setenforce 0

Then after a reboot to make sure temporary SELinux settings were reset I added policies for each reported SELinux issue:

First Netflix SELinux Error

SELinux is preventing plugin-containe from sys_admin access on the cap_userns Unknown.

*****  Plugin mozplugger (99.1 confidence) suggests  ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests  **************************

If you believe that plugin-containe should be allowed sys_admin access on the Unknown cap_userns by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine
# semodule -X 300 -i my-plugincontaine.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Objects                Unknown [ cap_userns ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          nixon
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-191.16.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     nixon
Platform                      Linux nixon 4.7.4-200.fc24.x86_64 #1 SMP Thu Sep 15 18:42:09 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-09-29 06:43:10 BST
Last Seen                     2016-09-29 06:43:10 BST
Local ID                      952e043d-a922-4b48-892b-16db06883516

Raw Audit Messages
type=AVC msg=audit(1475127790.214:244): avc:  denied  { sys_admin } for  pid=2764 comm="plugin-containe" capability=21  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0

Hash: plugin-containe,mozilla_plugin_t,mozilla_plugin_t,cap_userns,sys_admin

Explain

~/s/S/Netflix xsel | audit2why
type=AVC msg=audit(1475127790.214:244): avc:  denied  { sys_admin } for  pid=2764 comm="plugin-containe" capability=21  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

~/s/S/Netflix xsel | audit2allow -M netflix-cap_userns
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i netflix-cap_userns.pp

~/s/S/Netflix sudo semodule -i netflix-cap_userns.pp

Second Netflix SELinux Error

SELinux is preventing plugin-containe from create access on the directory mozsandbox.QegAkQ.

*****  Plugin mozplugger (99.1 confidence) suggests  ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests  **************************

If you believe that plugin-containe should be allowed create access on the mozsandbox.QegAkQ directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine
# semodule -X 300 -i my-plugincontaine.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:tmpfs_t:s0
Target Objects                mozsandbox.QegAkQ [ dir ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          nixon
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-191.16.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     nixon
Platform                      Linux nixon 4.7.4-200.fc24.x86_64 #1 SMP Thu Sep 15 18:42:09 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-09-29 06:54:50 BST
Last Seen                     2016-09-29 06:54:50 BST
Local ID                      86d54337-b18d-41ab-9ec0-9fc292bafa0f

Raw Audit Messages
type=AVC msg=audit(1475128490.528:262): avc:  denied  { create } for  pid=3389 comm="plugin-containe" name="mozsandbox.QegAkQ" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=dir permissive=0

Hash: plugin-containe,mozilla_plugin_t,tmpfs_t,dir,create

Explain

~/s/S/Netflix xsel | audit2why
type=AVC msg=audit(1475128490.528:262): avc:  denied  { create } for  pid=3389 comm="plugin-containe" name="mozsandbox.QegAkQ" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=dir permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

~/s/S/Netflix xsel | audit2allow -M netflix-create-mozsandbox
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i netflix-create-mozsandbox.pp

~/s/S/Netflix sudo semodule -i netflix-create-mozsandbox.pp

Third Netflix SELinux Error

SELinux is preventing plugin-containe from rmdir access on the directory mozsandbox.K0JgRG.

*****  Plugin mozplugger (99.1 confidence) suggests  ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests  **************************

If you believe that plugin-containe should be allowed rmdir access on the mozsandbox.K0JgRG directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine
# semodule -X 300 -i my-plugincontaine.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:tmpfs_t:s0
Target Objects                mozsandbox.K0JgRG [ dir ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          nixon
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-191.16.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     nixon
Platform                      Linux nixon 4.7.4-200.fc24.x86_64 #1 SMP Thu Sep 15 18:42:09 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-09-29 07:06:08 BST
Last Seen                     2016-09-29 07:06:08 BST
Local ID                      4234b395-23d8-46b8-8caf-aa6acac1d4c2

Raw Audit Messages
type=AVC msg=audit(1475129168.287:313): avc:  denied  { rmdir } for  pid=4124 comm="plugin-containe" name="mozsandbox.K0JgRG" dev="tmpfs" ino=40532 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=dir permissive=0

Hash: plugin-containe,mozilla_plugin_t,tmpfs_t,dir,rmdir

Explain

~/s/S/Netflix xsel | audit2why
type=AVC msg=audit(1475129168.287:313): avc:  denied  { rmdir } for  pid=4124 comm="plugin-containe" name="mozsandbox.K0JgRG" dev="tmpfs" ino=40532 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=dir permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

~/s/S/Netflix xsel | audit2allow -M netflix-remove-mozsandbox
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i netflix-remove-mozsandbox.pp

~/s/S/Netflix sudo semodule -i netflix-remove-mozsandbox.pp

Fourth Netflix SELinux Error

SELinux is preventing plugin-containe from sys_chroot access on the cap_userns Unknown.

*****  Plugin mozplugger (99.1 confidence) suggests  ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests  **************************

If you believe that plugin-containe should be allowed sys_chroot access on the Unknown cap_userns by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine
# semodule -X 300 -i my-plugincontaine.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Objects                Unknown [ cap_userns ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          nixon
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-191.16.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     nixon
Platform                      Linux nixon 4.7.4-200.fc24.x86_64 #1 SMP Thu Sep 15 18:42:09 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-09-29 07:14:00 BST
Last Seen                     2016-09-29 07:14:00 BST
Local ID                      69d3a704-a877-4fdc-a195-c6eae5bd642d

Raw Audit Messages
type=AVC msg=audit(1475129640.777:348): avc:  denied  { sys_chroot } for  pid=4567 comm="plugin-containe" capability=18  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0

Hash: plugin-containe,mozilla_plugin_t,mozilla_plugin_t,cap_userns,sys_chroot

Explain

~/s/S/Netflix xsel | audit2why
type=AVC msg=audit(1475129640.777:348): avc:  denied  { sys_chroot } for  pid=4567 comm="plugin-containe" capability=18  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

~/s/S/Netflix xsel | audit2allow -M netflix-chroot-cap_userns
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i netflix-chroot-cap_userns.pp

~/s/S/Netflix sudo semodule -i netflix-chroot-cap_userns.pp
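The reporter above generated four separate policy modules, one per sealert, with `audit2allow -M`. The example below is an added illustration and is not code from the bug report or from the selinux-policy project: it parses the four raw AVC records quoted above and aggregates them into the allow rules that a single `audit2allow` run over all four denials would produce, so a reviewer can see exactly what a local module grants before loading it (here: two capabilities in the `cap_userns` class plus `create`/`rmdir` on tmpfs directories for `mozilla_plugin_t`). The module name `netflix_plugin_local` and the `capability_grants` helper are constructed for this example; the parsing handles the general AVC record format, not just these four lines.

```python
import re
from collections import defaultdict

# The four raw AVC records quoted in the bug report above, copied verbatim.
AVC_LINES = [
    'type=AVC msg=audit(1475127790.214:244): avc: denied { sys_admin } for pid=2764 '
    'comm="plugin-containe" capability=21 '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tclass=cap_userns permissive=0',
    'type=AVC msg=audit(1475128490.528:262): avc: denied { create } for pid=3389 '
    'comm="plugin-containe" name="mozsandbox.QegAkQ" '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1475129168.287:313): avc: denied { rmdir } for pid=4124 '
    'comm="plugin-containe" name="mozsandbox.K0JgRG" dev="tmpfs" ino=40532 '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1475129640.777:348): avc: denied { sys_chroot } for pid=4567 '
    'comm="plugin-containe" capability=18 '
    'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
    'tclass=cap_userns permissive=0',
]

# Object classes whose permissions are Linux capabilities; a rule on one of
# these widens what the confined process may do far more than a dir create.
CAPABILITY_CLASSES = {'capability', 'capability2', 'cap_userns', 'cap2_userns'}

# Fields of an AVC denial record: the permission set, source/target contexts, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field (third colon-separated component) of a security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one raw AVC line; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'source': context_type(m.group('scontext')),
        'target': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def group_denials(lines):
    """Merge denials into (source, target, class) -> permissions, as audit2allow does.
    A target of the same type as the source is written as 'self'."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        target = 'self' if rec['target'] == rec['source'] else rec['target']
        grouped[(rec['source'], target, rec['tclass'])] |= rec['perms']
    return grouped


def render_rules(grouped):
    """Render TE allow rules; a single permission is written without braces."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


def build_allow_rules(lines):
    return render_rules(group_denials(lines))


def capability_grants(lines):
    """List (source type, class, permissions) for every rule that hands out a capability."""
    return [(src, cls, sorted(perms))
            for (src, tgt, cls), perms in sorted(group_denials(lines).items())
            if cls in CAPABILITY_CLASSES]


def build_te_module(lines, name='netflix_plugin_local'):
    """Render a complete .te source (module name is a constructed placeholder)."""
    grouped = group_denials(lines)
    types = sorted({src for src, _, _ in grouped} | {tgt for _, tgt, _ in grouped if tgt != 'self'})
    classes = defaultdict(set)
    for (_, _, cls), perms in grouped.items():
        classes[cls] |= perms
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += ['\tclass ' + c + ' { ' + ' '.join(sorted(p)) + ' };' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += render_rules(grouped)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(build_te_module(AVC_LINES))
    for src, cls, perms in capability_grants(AVC_LINES):
        print(f'# review: {src} gains {cls} {perms}')
```

The aggregated output makes the trade-off in the sealert text explicit: the narrow local module grants `mozilla_plugin_t` exactly the four denied accesses, whereas the first suggestion, `setsebool -P unconfined_mozilla_plugin_transition 0`, removes confinement from the plugin container altogether. Once a policy update such as the selinux-policy-3.13.1-191.21.fc24 build mentioned later in this report carries the fix, a local module of this kind is no longer needed and can be removed.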
Looks like Firefox now has user namespace support also; need similar changes to Chrome.
This problem happens with a GNOME notification for the sealert, booted live or cleanly installed with Fedora-Workstation-Live-x86_64-25-20161017.n.0.iso which has selinux-policy-3.13.1-219.fc25.noarch.

Raw Audit Messages
type=AVC msg=audit(1477251005.677:195): avc:  denied  { sys_admin } for  pid=2000 comm="plugin-containe" capability=21  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
Proposed as a Blocker for 25-final by Fedora user chrismurphy using the blocker tracking app because:

"All applications that can be launched using the standard graphical mechanism of a release-blocking desktop after a default installation of that desktop must start successfully and withstand a basic functionality test."

I think watching video is a pretty basic requirement for a browser; I can certainly do this on Windows and macOS. Netflix is entertainment, therefore maybe not a critical thing, but I can reproduce this with various news sites also, e.g. nbcnews.com requires the DRM components to be installed into Firefox but SELinux is inhibiting it from working.

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

This criterion probably doesn't apply because the sealert notification doesn't happen on boot, during install, or at first login. It does happen after first login *if* the user launches Firefox and goes to such a DRM-requiring site. But I don't think that's what's meant by this criterion.
Works fine with google-chrome-stable-54.0.2840.59-1.x86_64 without modifications, so that's a possible workaround. But I still think this violates the basic functionality criterion since the default browser can't do this out of the box.
Discussed during the 2016-10-24 blocker review meeting: [1]

The decision to classify this bug as a RejectedBlocker and AcceptedFreezeException was made as this does not meet the "Basic Functionality" criteria, but is a common use case that would be good to fix.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-10-24/f25-blocker-review.2016-10-24-16.01.txt
Issue fixed on Rawhide, F25, F24
selinux-policy-3.13.1-191.21.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-abb3ede5d5
selinux-policy-3.13.1-191.21.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-abb3ede5d5
selinux-policy-3.13.1-191.21.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.