Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
DescriptionTomasz Kepczynski
2023-06-12 14:02:41 UTC
Description of problem:
As in title really. I have a few users which use NFS home directories and at least the two of them cannot what or listen to any DRM content, widevine plugin just crashes.
I also CAN use widevine on very similar setup with different user. The difference, as it turns out is that home directory is local.
I've been puzzled by this for long time and couldn't figure out what's the problem until I've got the following alert from selinux troubleshooter:
>>>
SELinux is preventing /usr/lib64/firefox/plugin-container from execute access on the file /home/stas/.mozilla/firefox/tume5q04.default-1522558463886-1646759468485/gmp-widevinecdm/4.10.2557.0/libwidevinecdm.so.
***** Plugin mozplugger (99.1 confidence) suggests ************************
If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0
***** Plugin catchall (1.81 confidence) suggests **************************
If you believe that plugin-container should be allowed execute access on the libwidevinecdm.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'MainThread' --raw | audit2allow -M my-MainThread
# semodule -X 300 -i my-MainThread.pp
Additional Information:
Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
0.c1023
Target Context system_u:object_r:nfs_t:s0
Target Objects /home/stas/.mozilla/firefox/tume5q04.default-15225
58463886-1646759468485/gmp-
widevinecdm/4.10.2557.0/libwidevinecdm.so [ file ]
Source MainThread
Source Path /usr/lib64/firefox/plugin-container
Port <Unknown>
Host geralt.jot23.net
Source RPM Packages firefox-102.11.0-2.el9_2.alma.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
Local Policy RPM selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name geralt.jot23.net
Platform Linux geralt.jot23.net
5.14.0-284.11.1.el9_2.x86_64 #1 SMP
PREEMPT_DYNAMIC Tue May 9 05:49:00 EDT 2023 x86_64
x86_64
Alert Count 1
First Seen 2023-06-12 15:51:23 CEST
Last Seen 2023-06-12 15:51:23 CEST
Local ID 1cae25af-93dd-4aef-8f73-3af28f0fe913
Raw Audit Messages
type=AVC msg=audit(1686577883.687:165): avc: denied { execute } for pid=3405 comm="MainThread" path="/home/stas/.mozilla/firefox/tume5q04.default-1522558463886-1646759468485/gmp-widevinecdm/4.10.2557.0/libwidevinecdm.so" dev="0:53" ino=3541558 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1686577883.687:165): arch=x86_64 syscall=mmap success=no exit=EACCES a0=7fa810e2c000 a1=5a6000 a2=5 a3=812 items=0 ppid=2647 pid=3405 auid=20000006 uid=20000006 gid=20000006 euid=20000006 suid=20000006 fsuid=20000006 egid=20000006 sgid=20000006 fsgid=20000006 tty=(none) ses=5 comm=MainThread exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
Hash: MainThread,mozilla_plugin_t,nfs_t,file,execute
<<<
/home/stas is NFS share.
The point is that loading the suggested module immediately helped. Here is the module:
>>>
geralt:~/tmp# cat my-MainThread.te
module my-MainThread 1.0;
require {
type mozilla_plugin_t;
type nfs_t;
class file execute;
}
#============= mozilla_plugin_t ==============
allow mozilla_plugin_t nfs_t:file execute;
<<<
Not sure if this should be the solution, in ideal world setting use_nfs_home_dirs to 1 should suffice (by the way - it IS set to 1).
Version-Release number of selected component (if applicable):
selinux-policy-38.1.11-2.el9_2.2.noarch
selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
How reproducible:
ALWAYS
Actual results:
Widevine doesn't load, cannot use DRM in Firefox.
Expected results:
Widevine works.
Additional info:
I've seen it at least since previous major RHEL version (8), but used CentOS and AlmaLinux back then. The above information comes from AlmaLinux 9.2, not RHEL.
Hi Tomasz,
Do you know what is executing in that path?
Can you reproduce the issue in permissive mode with full auditing enabled?
Permissive mode:
# setenforce 0
Full Audit:
1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
# service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
Thank you,
Nikola
Comment 2Tomasz Kepczynski
2023-06-15 17:41:43 UTC
I believe this is the only relevant entry (the rest is /usr/bin/plasmashell):
----
type=PROCTITLE msg=audit(15.06.2023 19:37:06.157:2349) : proctitle=/usr/lib64/firefox/plugin-container /home/tomek/.mozilla/firefox/default/gmp-widevinecdm/4.10.2557.0 13316 gmplugin
type=MMAP msg=audit(15.06.2023 19:37:06.157:2349) : fd=17 flags=MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE
type=SYSCALL msg=audit(15.06.2023 19:37:06.157:2349) : arch=x86_64 syscall=mmap success=yes exit=139730748620800 a0=0x7f1599a2c000 a1=0x5a6000 a2=PROT_READ|PROT_EXEC a3=MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE items=0 ppid=13316 pid=13774 auid=tomek uid=tomek gid=tomek euid=tomek suid=tomek fsuid=tomek egid=tomek sgid=tomek fsgid=tomek tty=(none) ses=3 comm=MainThread exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(15.06.2023 19:37:06.157:2349) : avc: denied { execute } for pid=13774 comm=MainThread path=/home/tomek/.mozilla/firefox/default/gmp-widevinecdm/4.10.2557.0/libwidevinecdm.so dev="0:55" ino=4607770 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
----
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:6617