Bug 1394571 - widevine/plugin container issue with selinux
Summary: widevine/plugin container issue with selinux
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-13 17:49 UTC by Davide Corrado
Modified: 2016-11-14 15:38 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-14 15:38:20 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Davide Corrado 2016-11-13 17:49:46 UTC 
Description of problem: SELinux issue

netflix can be tricked into thinking your firefox session is a chrome session (using a plugin), so widevine can be used instead of other drm solutions (ie silverlight). Anyway, in my current installation, plugin container is blocked by selinux

Version-Release number of selected component (if applicable):
24

How reproducible:
install user-agent-switcher and select chrome on linux for www.netflix.com, visit netflix, install drm (widevine), try to watch anything

Steps to Reproduce:
1. read above
2.
3.

Actual results:
not playback

Expected results:
playback

Additional info:


selinux debug:

SELinux is preventing plugin-containe from 'read, write' accesses on the chr_file /dev/tty2.

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that plugin-containe should be allowed read write access on the tty2 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine
# semodule -X 300 -i my-plugincontaine.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:tty_device_t:s0
Target Objects                /dev/tty2 [ chr_file ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          deathstar.XXX
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.17.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     deathstar.XXX
Platform                      Linux deathstar.kicks-ass.org
                              4.7.5-200.fc24.x86_64 #1 SMP Mon Sep 26 21:25:47
                              UTC 2016 x86_64 x86_64
Alert Count                   8
First Seen                    2016-10-06 10:05:03 CEST
Last Seen                     2016-10-06 17:54:18 CEST
Local ID                      529a1d98-ebf6-47fc-9577-5c71c93f09a2

Raw Audit Messages
type=AVC msg=audit(1475769258.215:446): avc:  denied  { read write } for  pid=28603 comm="plugin-containe" path="/dev/tty2" dev="devtmpfs" ino=1043 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0


Hash: plugin-containe,mozilla_plugin_t,tty_device_t,chr_file,read,write

and:

SELinux is preventing plugin-containe from sys_admin access on the cap_userns Unknown.

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that plugin-containe should be allowed sys_admin access on the Unknown cap_userns by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine
# semodule -X 300 -i my-plugincontaine.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Objects                Unknown [ cap_userns ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          deathstar.XXX
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.20.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     deathstar.kicks-ass.org
Platform                      Linux deathstar.XXX
                              4.8.6-201.fc24.x86_64 #1 SMP Thu Nov 3 14:38:57
                              UTC 2016 x86_64 x86_64
Alert Count                   19
First Seen                    2016-11-13 12:07:22 CET
Last Seen                     2016-11-13 12:40:54 CET
Local ID                      50cd47a8-3f53-47b2-a8a2-41f63e05e89d

Raw Audit Messages
type=AVC msg=audit(1479037254.106:322): avc:  denied  { sys_admin } for  pid=4196 comm="plugin-containe" capability=21  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0


Hash: plugin-containe,mozilla_plugin_t,mozilla_plugin_t,cap_userns,sys_admin
Note You need to log in before you can comment on or make changes to this bug.