Description of problem: As in title really. I have a few users which use NFS home directories and at least the two of them cannot what or listen to any DRM content, widevine plugin just crashes. I also CAN use widevine on very similar setup with different user. The difference, as it turns out is that home directory is local. I've been puzzled by this for long time and couldn't figure out what's the problem until I've got the following alert from selinux troubleshooter: >>> SELinux is preventing /usr/lib64/firefox/plugin-container from execute access on the file /home/stas/.mozilla/firefox/tume5q04.default-1522558463886-1646759468485/gmp-widevinecdm/4.10.2557.0/libwidevinecdm.so. ***** Plugin mozplugger (99.1 confidence) suggests ************************ If you want to use the plugin package Then you must turn off SELinux controls on the Firefox plugins. Do # setsebool -P unconfined_mozilla_plugin_transition 0 ***** Plugin catchall (1.81 confidence) suggests ************************** If you believe that plugin-container should be allowed execute access on the libwidevinecdm.so file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'MainThread' --raw | audit2allow -M my-MainThread # semodule -X 300 -i my-MainThread.pp Additional Information: Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c 0.c1023 Target Context system_u:object_r:nfs_t:s0 Target Objects /home/stas/.mozilla/firefox/tume5q04.default-15225 58463886-1646759468485/gmp- widevinecdm/4.10.2557.0/libwidevinecdm.so [ file ] Source MainThread Source Path /usr/lib64/firefox/plugin-container Port <Unknown> Host geralt.jot23.net Source RPM Packages firefox-102.11.0-2.el9_2.alma.x86_64 Target RPM Packages SELinux Policy RPM selinux-policy-targeted-38.1.11-2.el9_2.2.noarch Local Policy RPM selinux-policy-targeted-38.1.11-2.el9_2.2.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name geralt.jot23.net Platform Linux geralt.jot23.net 5.14.0-284.11.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Tue May 9 05:49:00 EDT 2023 x86_64 x86_64 Alert Count 1 First Seen 2023-06-12 15:51:23 CEST Last Seen 2023-06-12 15:51:23 CEST Local ID 1cae25af-93dd-4aef-8f73-3af28f0fe913 Raw Audit Messages type=AVC msg=audit(1686577883.687:165): avc: denied { execute } for pid=3405 comm="MainThread" path="/home/stas/.mozilla/firefox/tume5q04.default-1522558463886-1646759468485/gmp-widevinecdm/4.10.2557.0/libwidevinecdm.so" dev="0:53" ino=3541558 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1686577883.687:165): arch=x86_64 syscall=mmap success=no exit=EACCES a0=7fa810e2c000 a1=5a6000 a2=5 a3=812 items=0 ppid=2647 pid=3405 auid=20000006 uid=20000006 gid=20000006 euid=20000006 suid=20000006 fsuid=20000006 egid=20000006 sgid=20000006 fsgid=20000006 tty=(none) ses=5 comm=MainThread exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null) Hash: MainThread,mozilla_plugin_t,nfs_t,file,execute <<< /home/stas is NFS share. The point is that loading the suggested module immediately helped. Here is the module: >>> geralt:~/tmp# cat my-MainThread.te module my-MainThread 1.0; require { type mozilla_plugin_t; type nfs_t; class file execute; } #============= mozilla_plugin_t ============== allow mozilla_plugin_t nfs_t:file execute; <<< Not sure if this should be the solution, in ideal world setting use_nfs_home_dirs to 1 should suffice (by the way - it IS set to 1). Version-Release number of selected component (if applicable): selinux-policy-38.1.11-2.el9_2.2.noarch selinux-policy-targeted-38.1.11-2.el9_2.2.noarch How reproducible: ALWAYS Actual results: Widevine doesn't load, cannot use DRM in Firefox. Expected results: Widevine works. Additional info: I've seen it at least since previous major RHEL version (8), but used CentOS and AlmaLinux back then. The above information comes from AlmaLinux 9.2, not RHEL.
Hi Tomasz, Do you know what is executing in that path? Can you reproduce the issue in permissive mode with full auditing enabled? Permissive mode: # setenforce 0 Full Audit: 1) Open the /etc/audit/rules.d/audit.rules file in an editor. 2) Remove the following line if it exists: -a task,never 3) Add the following line to the end of the file: -w /etc/shadow -p w 4) Restart the audit daemon: # service auditd restart 5) Re-run your scenario. 6) Collect AVC denials: # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today Thank you, Nikola
I believe this is the only relevant entry (the rest is /usr/bin/plasmashell): ---- type=PROCTITLE msg=audit(15.06.2023 19:37:06.157:2349) : proctitle=/usr/lib64/firefox/plugin-container /home/tomek/.mozilla/firefox/default/gmp-widevinecdm/4.10.2557.0 13316 gmplugin type=MMAP msg=audit(15.06.2023 19:37:06.157:2349) : fd=17 flags=MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE type=SYSCALL msg=audit(15.06.2023 19:37:06.157:2349) : arch=x86_64 syscall=mmap success=yes exit=139730748620800 a0=0x7f1599a2c000 a1=0x5a6000 a2=PROT_READ|PROT_EXEC a3=MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE items=0 ppid=13316 pid=13774 auid=tomek uid=tomek gid=tomek euid=tomek suid=tomek fsuid=tomek egid=tomek sgid=tomek fsgid=tomek tty=(none) ses=3 comm=MainThread exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(15.06.2023 19:37:06.157:2349) : avc: denied { execute } for pid=13774 comm=MainThread path=/home/tomek/.mozilla/firefox/default/gmp-widevinecdm/4.10.2557.0/libwidevinecdm.so dev="0:55" ino=4607770 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1 ----
PR: https://github.com/fedora-selinux/selinux-policy/pull/1809