Bug 1380253 - Netflix with Firefox DRM Plugin SELinux Policy
Summary: Netflix with Firefox DRM Plugin SELinux Policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: RejectedBlocker AcceptedFreezeException
Depends On:
Blocks: F25FinalFreezeException
Reported: 2016-09-29 06:31 UTC by mikey
Modified: 2016-11-19 17:24 UTC (History)
CC: 10 users

Fixed In Version: selinux-policy-3.13.1-191.21.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-19 17:24:05 UTC
Type: Bug
Embargoed:
Description mikey 2016-09-29 06:31:01 UTC
Description of problem:

The default SELinux policy prevents running Netflix with Firefox 49 and its DRM plugin. This is now (as far as I'm aware) the only option on vanilla Fedora to access such content.

Version-Release number of selected component (if applicable):

Installed Packages
Name        : firefox
Arch        : x86_64
Epoch       : 0
Version     : 49.0
Release     : 2.fc24
Size        : 133 M
Repo        : @System
From repo   : updates

Installed Packages
Name        : selinux-policy
Arch        : noarch
Epoch       : 0
Version     : 3.13.1
Release     : 191.16.fc24
Size        : 18 k
Repo        : @System
From repo   : updates
How reproducible:

Always.

Steps to Reproduce:
1. Enable DRM plugin: Preferences > Content > Play DRM content
2. Install a user-agent spoofing plugin and set it for Netflix to Linux / Chrome 53: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/53.0.2785.34 Safari/537.36
3. Login to Netflix and try playing content.

Actual results:

SELinux warnings and page not loading or sometimes showing an error.


Expected results:

Playing video.

Additional info:

I first confirmed that this was an SELinux issue by temporarily running the following:

sudo setenforce 0

Then, after a reboot to make sure the temporary SELinux setting was reset, I added policies for each reported SELinux issue:

First Netflix SELinux Error

SELinux is preventing plugin-containe from sys_admin access on the cap_userns Unknown.

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that plugin-containe should be allowed sys_admin access on the Unknown cap_userns by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine
# semodule -X 300 -i my-plugincontaine.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Objects                Unknown [ cap_userns ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          nixon
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.16.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     nixon
Platform                      Linux nixon 4.7.4-200.fc24.x86_64 #1 SMP Thu Sep
                              15 18:42:09 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-09-29 06:43:10 BST
Last Seen                     2016-09-29 06:43:10 BST
Local ID                      952e043d-a922-4b48-892b-16db06883516

Raw Audit Messages
type=AVC msg=audit(1475127790.214:244): avc:  denied  { sys_admin } for  pid=2764 comm="plugin-containe" capability=21  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0

Hash: plugin-containe,mozilla_plugin_t,mozilla_plugin_t,cap_userns,sys_admin

Explain

~/s/S/Netflix xsel | audit2why
type=AVC msg=audit(1475127790.214:244): avc:  denied  { sys_admin } for  pid=2764 comm="plugin-containe" capability=21  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

~/s/S/Netflix xsel | audit2allow -M netflix-cap_userns
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i netflix-cap_userns.pp

~/s/S/Netflix sudo semodule -i netflix-cap_userns.pp


Second Netflix SELinux Error

SELinux is preventing plugin-containe from create access on the directory mozsandbox.QegAkQ.

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that plugin-containe should be allowed create access on the mozsandbox.QegAkQ directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine
# semodule -X 300 -i my-plugincontaine.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:tmpfs_t:s0
Target Objects                mozsandbox.QegAkQ [ dir ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          nixon
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.16.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     nixon
Platform                      Linux nixon 4.7.4-200.fc24.x86_64 #1 SMP Thu Sep
                              15 18:42:09 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-09-29 06:54:50 BST
Last Seen                     2016-09-29 06:54:50 BST
Local ID                      86d54337-b18d-41ab-9ec0-9fc292bafa0f

Raw Audit Messages
type=AVC msg=audit(1475128490.528:262): avc:  denied  { create } for  pid=3389 comm="plugin-containe" name="mozsandbox.QegAkQ" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=dir permissive=0


Hash: plugin-containe,mozilla_plugin_t,tmpfs_t,dir,create


Explain

~/s/S/Netflix xsel | audit2why
type=AVC msg=audit(1475128490.528:262): avc:  denied  { create } for  pid=3389 comm="plugin-containe" name="mozsandbox.QegAkQ" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=dir permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

~/s/S/Netflix xsel | audit2allow -M netflix-create-mozsandbox
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i netflix-create-mozsandbox.pp

~/s/S/Netflix sudo semodule -i netflix-create-mozsandbox.pp


Third Netflix SELinux Error


SELinux is preventing plugin-containe from rmdir access on the directory mozsandbox.K0JgRG.

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that plugin-containe should be allowed rmdir access on the mozsandbox.K0JgRG directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine
# semodule -X 300 -i my-plugincontaine.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:tmpfs_t:s0
Target Objects                mozsandbox.K0JgRG [ dir ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          nixon
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.16.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     nixon
Platform                      Linux nixon 4.7.4-200.fc24.x86_64 #1 SMP Thu Sep
                              15 18:42:09 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-09-29 07:06:08 BST
Last Seen                     2016-09-29 07:06:08 BST
Local ID                      4234b395-23d8-46b8-8caf-aa6acac1d4c2

Raw Audit Messages
type=AVC msg=audit(1475129168.287:313): avc:  denied  { rmdir } for  pid=4124 comm="plugin-containe" name="mozsandbox.K0JgRG" dev="tmpfs" ino=40532 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=dir permissive=0


Hash: plugin-containe,mozilla_plugin_t,tmpfs_t,dir,rmdir

Explain

~/s/S/Netflix xsel | audit2why
type=AVC msg=audit(1475129168.287:313): avc:  denied  { rmdir } for  pid=4124 comm="plugin-containe" name="mozsandbox.K0JgRG" dev="tmpfs" ino=40532 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=dir permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

~/s/S/Netflix xsel | audit2allow -M netflix-remove-mozsandbox
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i netflix-remove-mozsandbox.pp

~/s/S/Netflix sudo semodule -i netflix-remove-mozsandbox.pp

Fourth Netflix SELinux Error


SELinux is preventing plugin-containe from sys_chroot access on the cap_userns Unknown.

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that plugin-containe should be allowed sys_chroot access on the Unknown cap_userns by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plugin-containe' --raw | audit2allow -M my-plugincontaine
# semodule -X 300 -i my-plugincontaine.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Objects                Unknown [ cap_userns ]
Source                        plugin-containe
Source Path                   plugin-containe
Port                          <Unknown>
Host                          nixon
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.16.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     nixon
Platform                      Linux nixon 4.7.4-200.fc24.x86_64 #1 SMP Thu Sep
                              15 18:42:09 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-09-29 07:14:00 BST
Last Seen                     2016-09-29 07:14:00 BST
Local ID                      69d3a704-a877-4fdc-a195-c6eae5bd642d

Raw Audit Messages
type=AVC msg=audit(1475129640.777:348): avc:  denied  { sys_chroot } for  pid=4567 comm="plugin-containe" capability=18  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0


Hash: plugin-containe,mozilla_plugin_t,mozilla_plugin_t,cap_userns,sys_chroot

Explain

~/s/S/Netflix xsel | audit2why
type=AVC msg=audit(1475129640.777:348): avc:  denied  { sys_chroot } for  pid=4567 comm="plugin-containe" capability=18  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

~/s/S/Netflix xsel | audit2allow -M netflix-chroot-cap_userns
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i netflix-chroot-cap_userns.pp

~/s/S/Netflix sudo semodule -i netflix-chroot-cap_userns.pp
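
The description above loads four separate local modules, one per denial. The following added example (not code from this bug report or from selinux-policy; the regular expressions and function names are my own) parses the four raw AVC records quoted above, groups them by source type, target type and object class, and renders the type-enforcement rules that audit2allow would derive from them. Seeing the grants collapsed into two lines makes it clear what the local policy actually adds (sys_admin and sys_chroot within a user namespace, and create/rmdir on tmpfs_t directories), which is far narrower than the mozplugger suggestion of turning off unconfined_mozilla_plugin_transition, which removes SELinux confinement from the plugin altogether.

```python
import re
from collections import defaultdict

# Constructed sample input: the four raw AVC records copied from the report above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1475127790.214:244): avc:  denied  { sys_admin } for  pid=2764 comm="plugin-containe" capability=21  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1475128490.528:262): avc:  denied  { create } for  pid=3389 comm="plugin-containe" name="mozsandbox.QegAkQ" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1475129168.287:313): avc:  denied  { rmdir } for  pid=4124 comm="plugin-containe" name="mozsandbox.K0JgRG" dev="tmpfs" ino=40532 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1475129640.777:348): avc:  denied  { sys_chroot } for  pid=4567 comm="plugin-containe" capability=18  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
"""

# Header of an AVC record: timestamp, serial, verdict, permission set, then key=value pairs.
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one raw AVC line into a dict, or return None for non-AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive') == '1',
        'name': fields.get('name'),
    }


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def summarize(lines):
    """Group denials by (source type, target type, class) -> sorted permission list."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        groups[key].update(rec['perms'])
    return {k: sorted(v) for k, v in groups.items()}


def te_rules(summary):
    """Render allow rules in the style audit2allow emits; 'self' when source and target types match."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = 'self' if stype == ttype else ttype
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return rules


if __name__ == '__main__':
    for rule in te_rules(summarize(SAMPLE_AUDIT.splitlines())):
        print(rule)
```

Run against a real system you would feed it `ausearch -m AVC --raw` output instead of the embedded sample; the point of grouping before writing a module is to review the complete grant (here two rules) as a unit rather than loading a chain of one-line modules whose combined effect nobody has read.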

Comment 1 Daniel Walsh 2016-09-29 21:41:10 UTC
Looks like Firefox now has user namespace support also, need similar changes to Chrome.

Comment 2 Chris Murphy 2016-10-23 19:35:04 UTC
This problem happens with a GNOME notification for the sealert, booted live or cleanly installed with Fedora-Workstation-Live-x86_64-25-20161017.n.0.iso which has selinux-policy-3.13.1-219.fc25.noarch.

Raw Audit Messages
type=AVC msg=audit(1477251005.677:195): avc:  denied  { sys_admin } for  pid=2000 comm="plugin-containe" capability=21  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0

Comment 3 Fedora Blocker Bugs Application 2016-10-23 19:43:52 UTC
Proposed as a Blocker for 25-final by Fedora user chrismurphy using the blocker tracking app because:

 "All applications that can be launched using the standard graphical mechanism of a release-blocking desktop after a default installation of that desktop must start successfully and withstand a basic functionality test."

I think watching video is a pretty basic requirement for a browser; I can certainly do this on Windows and macOS. Netflix is entertainment, therefore maybe not a critical thing, but I can reproduce this with various news sites also, e.g. nbcnews.com requires the DRM components to be installed into Firefox but SELinux is inhibiting it from working.

"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."
This criterion probably doesn't apply because the sealert notification doesn't happen on boot, during install, or at first login. It does happen after first login *if* the user launches Firefox and goes to such a DRM requiring site. But I don't think that's what's meant by this criterion.

Comment 4 Chris Murphy 2016-10-23 19:48:52 UTC
Works fine with google-chrome-stable-54.0.2840.59-1.x86_64 without modifications, so that's a possible work around. But I still think this violates the basic functionality criterion since the default browser can't do this out of the box.

Comment 5 Geoffrey Marr 2016-10-24 18:06:51 UTC
Discussed during the 2016-10-24 blocker review meeting: [1]

The decision to classify this bug as a RejectedBlocker and AcceptedFreezeException was made as this does not meet the “Basic Functionality” criteria, but is a common-use-case that would be good to fix.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-10-24/f25-blocker-review.2016-10-24-16.01.txt

Comment 6 Lukas Vrabec 2016-11-08 10:04:22 UTC
Issue fixed on Rawhide, F25, F24

Comment 7 Fedora Update System 2016-11-09 16:31:20 UTC
selinux-policy-3.13.1-191.21.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-abb3ede5d5

Comment 8 Fedora Update System 2016-11-11 05:01:06 UTC
selinux-policy-3.13.1-191.21.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-abb3ede5d5

Comment 9 Fedora Update System 2016-11-19 17:24:05 UTC
selinux-policy-3.13.1-191.21.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.