[olug] firefox/widevine/nfs
Rob Townley
rob.townley at gmail.com
Tue Nov 30 15:54:18 CST 2021
Glad you got it working, but wondering if, after the plug-in is launched,
it will be confined at all? Hopefully after transition from user
launch to execution, it is governed by another set of mandatory rules.
I am pretty sure that plug-in was updated very recently.
There are also the nfs context="" flags that could be passed as mount
options. In theory, nfs home would be mounted with the same context as
when it is local with
nfs context="system_u:object_r:usr_t:s0"
I need to start using nfs home directories to test that.
On Tue, Nov 30, 2021 at 2:21 PM Brian Beatty <brian at 27megahertz.com> wrote:
> Well, I found that by setting the sebool
> unconfined_mozilla_plugin_transition to 0 I am now able to use the
> widevine plugin when it is on an nfs mount. So I guess problem solved?
> But then again maybe not, I am not sure that I want to commit to
> remembering that I need to now set two se bools when utilizing an nfs
> server. Seems like I am missing something here.
>
> $ getsebool use_nfs_home_dirs unconfined_mozilla_plugin_transition
> use_nfs_home_dirs --> on
> unconfined_mozilla_plugin_transition --> off
>
> On Tue, 2021-11-30 at 07:43 -0600, Brian Beatty wrote:
> > Hi, yes I am aware of the use_nfs_home_dirs bool, thank you.
> >
> > $ getsebool use_nfs_home_dirs
> > use_nfs_home_dirs --> on
> >
> > This is the working configuration. I have moved ~/.mozilla from the nfs
> > mount to local storage at /opt/firefox.
> >
> > $ pwd
> > /opt/firefox
> > $ ls -lZ .mozilla/firefox/*.ini
> > -rw-rw----. 1 owner owner system_u:object_r:usr_t:s0 68 Jun 29 17:45
> > .mozilla/firefox/installs.ini
> > -rw-rw----. 1 owner owner system_u:object_r:usr_t:s0 203 Jun 29 17:45
> > .mozilla/firefox/profiles.ini
> >
> >
> > On Tue, 2021-11-30 at 04:58 +0000, Dillon Eastman wrote:
> > > Hi there,
> > >
> > > I've been in environments with RHEL in enforcing and NFS homedirs.
> > > Could you be looking for the use_nfs_home_dirs flag? I brushed up on
> > > it here:
> > > https://www.linder.org/2019/05/26/selinux-and-nfs-home-directories/
> > >
> > > Thanks,
> > >
> > > Dillon Eastman
> > >
> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > >
> > > On Monday, November 29th, 2021 at 18:58, Rob Townley
> > > <rob.townley at gmail.com> wrote:
> > >
> > > > Would you send the same ls -lZn output for the working
> > > > configuration?
> > > >
> > > > I believe you can give nfs mount options that set the selinux user,
> > > > role, and type.
> > > >
> > > > On Mon, Nov 29, 2021 at 6:44 PM Brian Beatty
> > > > brian at 27megahertz.com wrote:
> > > >
> > > > > Good thought, I've had similar permission problems in the past. I
> > > > > do have an ldap setup to manage the user/groups.
> > > > >
> > > > > id owner
> > > > > uid=9000(owner) gid=9000(owner) groups=9000(owner)
> > > > >
> > > > > ls -lnZ .mozilla/firefox/*.ini
> > > > > -rw-rw----. 1 9000 9000 system_u:object_r:nfs_t:s0 68 Jun 29 17:45 .mozilla/firefox/installs.ini
> > > > > -rw-rw----. 1 9000 9000 system_u:object_r:nfs_t:s0 203 Jun 29 17:45 .mozilla/firefox/profiles.ini
> > > > >
> > > > > On Mon, 2021-11-29 at 17:33 -0600, Rob Townley wrote:
> > > > >
> > > > > > interesting :)
> > > > > >
> > > > > > selinux might be a decoy from another problem. Maybe restorecon
> > > > > > does not have access to the file because the user names are the
> > > > > > same but user ids are different. ls -n lists the files with
> > > > > > numeric uid instead of the name.
> > > > > >
> > > > > > id owner # returns uid and gid
> > > > > > ls -lZn /home/owner/.mozilla/firefox/*.ini
> > > > > >
> > > > > > On Mon, Nov 29, 2021 at 4:35 PM Brian Beatty
> > > > > > brian at 27megahertz.com wrote:
> > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > I am having an issue with Firefox/Widevine/Netflix that I can't
> > > > > > > seem to resolve and I'm looking for your potential insights and
> > > > > > > guidance on the matter.
> > > > > > >
> > > > > > > In my home network, I have multiple linux workstations that
> > > > > > > utilize an nfs server for their /home mount. I also have a media
> > > > > > > center computer which does not use the nfs server for its /home
> > > > > > > mount. The media center pc uses an internal ssd for its /home
> > > > > > > mount.
> > > > > > >
> > > > > > > Netflix on the media center pc has worked flawlessly for ages.
> > > > > > >
> > > > > > > Recently, I tried to use Netflix on one of my workstations via
> > > > > > > Firefox and found it to not be working at all.
> > > > > > >
> > > > > > > When I run /usr/bin/firefox from a pc that uses the nfs server
> > > > > > > for /home I get errors like:
> > > > > > >
> > > > > > > /usr/bin/firefox
> > > > > > > restorecon: Could not set context for /home/owner/.mozilla/firefox/installs.ini: Operation not supported
> > > > > > > restorecon: Could not set context for /home/owner/.mozilla/firefox/profiles.ini: Operation not supported
> > > > > > >
> > > > > > > Now I am no expert but when I look at the security context for
> > > > > > > the files in question everything looks ok to me:
> > > > > > >
> > > > > > > ls -lZ /home/owner/.mozilla/firefox/*.ini
> > > > > > > -rw-rw----. 1 owner owner system_u:object_r:nfs_t:s0 68 Jun 29 17:45 /home/owner/.mozilla/firefox/installs.ini
> > > > > > > -rw-rw----. 1 owner owner system_u:object_r:nfs_t:s0 203 Jun 29 17:45 /home/owner/.mozilla/firefox/profiles.ini
> > > > > > >
> > > > > > > If I move the ~/.mozilla directory to storage that is local to
> > > > > > > the computer and then create a symlink, the selinux errors go
> > > > > > > away and the Widevine software installs successfully. If I then
> > > > > > > run Firefox and go to Netflix, everything works as expected.
> > > > > > > Then, if I move the .mozilla directory back to its original
> > > > > > > location at ~/.mozilla and attempt to use Firefox and Netflix
> > > > > > > the Widevine plugin crashes.
> > > > > > >
> > > > > > > I've spent way too much time on this and am unable to get
> > > > > > > firefox with the Widevine software working when the Firefox
> > > > > > > profile is on an nfs share.
> > > > > > >
> > > > > > > Any thoughts are appreciated.
> > > > > > >
> > > > > > > Thank you,
> > > > > > >
> > > > > > > Brian
> > > > > > >
> > > > > > > OLUG mailing list
> > > > > > > OLUG at olug.org
> > > > > > > https://www.olug.org/mailman/listinfo/olug
> > > > > >
> > >
> > > > > > OLUG mailing list
> > > > > >
> > >
> > > > > > OLUG at olug.org
> > > > > >
> > >
> > > > > > https://www.olug.org/mailman/listinfo/olug
> > > >
> > >
> > > > OLUG mailing list
> > > >
> > >
> > > > OLUG at olug.org
> > > >
> > >
> > > > https://www.olug.org/mailman/listinfo/olug
> >
> > _______________________________________________
> > OLUG mailing list
> > OLUG at olug.org
> > https://www.olug.org/mailman/listinfo/olug
>
>
More information about the OLUG
mailing list
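
Added example, not part of the original thread: a small shell audit of the two SELinux booleans and the file labels discussed above. The function names are hypothetical, and the sample input is constructed from the outputs quoted in the thread, joined onto one line per file.

```sh
#!/bin/sh
# Added example (not from the thread). Helpers read command output on stdin,
# so they work on live output or on saved text.

# "name --> on|off" lines from getsebool become "name=state".
bool_report() {
    awk '$2 == "-->" && ($3 == "on" || $3 == "off") { print $1 "=" $3 }'
}

# For each ls -lZ line print "type path": the context is the field shaped
# user:role:type:level, the path is the last field.
label_report() {
    awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 4 && c[2] ~ /_r$/) { print c[3], $NF; next }
    }'
}

# audit GETSEBOOL_TEXT LS_TEXT: findings for a Firefox profile on NFS.
audit() {
    bools=$(printf '%s\n' "$1" | bool_report)
    case "$bools" in
        *use_nfs_home_dirs=on*) ;;
        *) echo "WARN use_nfs_home_dirs is not on" ;;
    esac
    case "$bools" in
        *unconfined_mozilla_plugin_transition=off*)
            echo "NOTE unconfined_mozilla_plugin_transition is off; check the plugin's domain with ps -eZ" ;;
    esac
    printf '%s\n' "$2" | label_report | while read -r ctype path; do
        if [ "$ctype" = "nfs_t" ]; then
            echo "INFO $path is labelled nfs_t"
        fi
    done
}

# Constructed sample input: the outputs quoted in the thread, one file per line.
SAMPLE_BOOLS='use_nfs_home_dirs --> on
unconfined_mozilla_plugin_transition --> off'
SAMPLE_LS='-rw-rw----. 1 owner owner system_u:object_r:nfs_t:s0 68 Jun 29 17:45 /home/owner/.mozilla/firefox/installs.ini
-rw-rw----. 1 owner owner system_u:object_r:usr_t:s0 68 Jun 29 17:45 /opt/firefox/.mozilla/firefox/installs.ini'

audit "$SAMPLE_BOOLS" "$SAMPLE_LS"
```

On a live system, pass the output of `getsebool use_nfs_home_dirs unconfined_mozilla_plugin_transition` and `ls -lZ` as the two arguments. Boolean changes made with `setsebool -P` persist across reboots, which addresses the concern about remembering to set them.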