Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1380253
Summary: | Netflix with Firefox DRM Plugin SELinux Policy | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | mikey <abc.mikey> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 24 | CC: | bugzilla, dominick.grift, dwalsh, email, gmarr, lvrabec, mgrepl, plautrba, pszyszkowski, robatino |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | RejectedBlocker AcceptedFreezeException | ||
Fixed In Version: | selinux-policy-3.13.1-191.21.fc24 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-11-19 17:24:05 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1277290 |
Description
mikey
2016-09-29 06:31:01 UTC
Looks like firefox now has usernamespace support also, need similar changes to Chrome. This problem happens with a GNOME notification for the sealert, booted live or cleanly installed with Fedora-Workstation-Live-x86_64-25-20161017.n.0.iso which has selinux-policy-3.13.1-219.fc25.noarch. Raw Audit Messages type=AVC msg=audit(1477251005.677:195): avc: denied { sys_admin } for pid=2000 comm="plugin-containe" capability=21 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0 Proposed as a Blocker for 25-final by Fedora user chrismurphy using the blocker tracking app because: "All applications that can be launched using the standard graphical mechanism of a release-blocking desktop after a default installation of that desktop must start successfully and withstand a basic functionality test." I think watching video is a pretty basic requirement for a browser, I can certainly do this on Windows and macOS, Netflix is entertainment therefore maybe not a critical thing, but I can reproduce this with various news sites also e.g. nbcnews.com requires the DRM components to be installed into FireFox but selinux is inhibiting it from working. "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." This criterion probably doesn't apply because the sealert notification doesn't happen on boot, during install, or at first login. It does happen after first login *if* the user launches Firefox and goes to such a DRM requiring site. But I don't think that's what's meant by this criterion. Works fine with google-chrome-stable-54.0.2840.59-1.x86_64 without modifications, so that's a possible work around. But I still think this violates the basic functionality criterion since the default browser can't do this out of the box. Discussed during the 2016-10-24 blocker review meeting: [1] The decision to classify this bug as a RejectedBlocker and AcceptedFreezeException was made as this does not meet the “Basic Functionality” criteria, but is a common-use-case that would be good to fix. [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-10-24/f25-blocker-review.2016-10-24-16.01.txt Issue fixed on Rawhide, F25, F24 selinux-policy-3.13.1-191.21.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-abb3ede5d5 selinux-policy-3.13.1-191.21.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-abb3ede5d5 selinux-policy-3.13.1-191.21.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. |