[olug] firefox/widevine/nfs

Brian Beatty brian at 27megahertz.com
Tue Nov 30 07:43:28 CST 2021


Hi, yes I am aware of the use_nfs_home_dirs bool, thank you.

$ getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on

This is the working configuration. I have moved ~/.mozilla from the nfs
mount to local storage at /opt/firefox.

$ pwd
/opt/firefox
$ ls -lZ .mozilla/firefox/*.ini
-rw-rw----. 1 owner owner system_u:object_r:usr_t:s0  68 Jun 29 17:45 .mozilla/firefox/installs.ini
-rw-rw----. 1 owner owner system_u:object_r:usr_t:s0 203 Jun 29 17:45 .mozilla/firefox/profiles.ini


On Tue, 2021-11-30 at 04:58 +0000, Dillon Eastman wrote:
> Hi there,
> 
> I've been in environments with RHEL in enforcing and NFS homedirs.
> Could you be looking for the use_nfs_home_dirs flag? I brushed up on it
> here:
> https://www.linder.org/2019/05/26/selinux-and-nfs-home-directories/
> 
> Thanks,
> 
> Dillon Eastman
> 
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> 
> On Monday, November 29th, 2021 at 18:58, Rob Townley
> <rob.townley at gmail.com> wrote:
> 
> > Would you send the same ls -lZn output for the working configuration?
> >
> > I believe you can give nfs mount options that set the selinux user,
> > role, and type.
> >
> > On Mon, Nov 29, 2021 at 6:44 PM Brian Beatty
> > brian at 27megahertz.com wrote:
> >
> > > Good thought, I've had similar permission problems in the past. I do
> > > have an ldap setup to manage the user/groups.
> > >
> > > id owner
> > > uid=9000(owner) gid=9000(owner) groups=9000(owner)
> > >
> > > ls -lnZ .mozilla/firefox/*.ini
> > > -rw-rw----. 1 9000 9000 system_u:object_r:nfs_t:s0 68 Jun 29 17:45 .mozilla/firefox/installs.ini
> > > -rw-rw----. 1 9000 9000 system_u:object_r:nfs_t:s0 203 Jun 29 17:45 .mozilla/firefox/profiles.ini
> > >
> > > On Mon, 2021-11-29 at 17:33 -0600, Rob Townley wrote:
> > >
> > > > interesting :)
> > > >
> > > > selinux might be decoy from another problem. Maybe restorecon does
> > > > not have access to the file because the user names are the same but
> > > > user ids are different. ls -n lists the files with numeric uid
> > > > instead of the name.
> > > >
> > > > id owner # returns uid and gid
> > > > ls -lZn /home/owner/.mozilla/firefox/*.ini
> > > >
> > > > On Mon, Nov 29, 2021 at 4:35 PM Brian Beatty
> > > > brian at 27megahertz.com wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > I am having an issue with Firefox/Widevine/Netflix that I can't
> > > > > seem to resolve and I'm looking for your potential insights and
> > > > > guidance on the matter.
> > > > >
> > > > > In my home network, I have multiple linux workstations that
> > > > > utilize an nfs server for their /home mount. I also have a media
> > > > > center computer which does not use the nfs server for its /home
> > > > > mount. The media center pc uses an internal ssd for its /home
> > > > > mount.
> > > > >
> > > > > Netflix on the media center pc has worked flawlessly for ages.
> > > > >
> > > > > Recently, I tried to use Netflix on one of my workstations via
> > > > > Firefox and found it to not be working at all.
> > > > >
> > > > > When I run /usr/bin/firefox from a pc that uses the nfs server
> > > > > for /home I get errors like:
> > > > >
> > > > > /usr/bin/firefox
> > > > > restorecon: Could not set context for /home/owner/.mozilla/firefox/installs.ini: Operation not supported
> > > > > restorecon: Could not set context for /home/owner/.mozilla/firefox/profiles.ini: Operation not supported
> > > > >
> > > > > Now I am no expert but when I look at the security context for
> > > > > the files in question everything looks ok to me:
> > > > >
> > > > > ls -lZ /home/owner/.mozilla/firefox/*.ini
> > > > > -rw-rw----. 1 owner owner system_u:object_r:nfs_t:s0 68 Jun 29 17:45 /home/owner/.mozilla/firefox/installs.ini
> > > > > -rw-rw----. 1 owner owner system_u:object_r:nfs_t:s0 203 Jun 29 17:45 /home/owner/.mozilla/firefox/profiles.ini
> > > > >
> > > > > If I move the ~/.mozilla directory to storage that is local to
> > > > > the computer and then create a symlink, the selinux errors go
> > > > > away and the Widevine software installs successfully. If I then
> > > > > run Firefox and go to Netflix, everything works as expected.
> > > > > Then, if I move the .mozilla directory back to its original
> > > > > location at ~/.mozilla and attempt to use Firefox and Netflix the
> > > > > Widevine plugin crashes.
> > > > >
> > > > > I've spent way too much time on this and am unable to get firefox
> > > > > with the Widevine software working when the Firefox profile is on
> > > > > an nfs share.
> > > > >
> > > > > Any thoughts are appreciated.
> > > > >
> > > > > Thank you,
> > > > >
> > > > > Brian
> > > > >
> > > > > OLUG mailing list
> > > > > OLUG at olug.org
> > > > > https://www.olug.org/mailman/listinfo/olug
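
Added example, not part of any message in this thread: a check of how SELinux labels are assigned on the mount holding a path, which separates the "Operation not supported" from restorecon on the nfs_t files from the working usr_t files on local storage. The function name label_mode, the sample mount table, the server name and the devices are constructed for illustration.

```shell
#!/bin/sh
# Classify how SELinux labels are assigned on the mount that holds a path,
# given mount-table lines in /proc/mounts format.
# Constructed sample; server name, export and devices are placeholders.
SAMPLE_MOUNTS='/dev/sda2 / xfs rw,seclabel,relatime 0 0
/dev/sda3 /opt xfs rw,seclabel,relatime 0 0
nfs.example.lan:/export/home /home nfs4 rw,relatime,vers=4.1 0 0'

# label_mode PATH [MOUNTS_TEXT]   (hypothetical helper name)
# Prints "fstype mode", where mode is:
#   per-file    - "seclabel" present: labels live in xattrs, restorecon works
#   mount-wide  - a context= option pins one label for the whole mount
#   policy-wide - neither: the policy assigns one type per filesystem type
#                 (nfs_t for NFS) and relabel attempts are rejected
label_mode() {
    path=$1
    mounts=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$mounts" | awk -v p="$path" '
        {
            mp = $2
            # Does this mount point contain the path? Keep the longest match.
            hit = (mp == "/" || p == mp || index(p, mp "/") == 1)
            if (hit && length(mp) >= best) {
                best = length(mp); fs = $3; opts = "," $4 ","
            }
        }
        END {
            if (fs == "") exit 1
            if (opts ~ /,seclabel,/) mode = "per-file"
            else if (opts ~ /,context=/) mode = "mount-wide"
            else mode = "policy-wide"
            print fs, mode
        }'
}

# Profile on the NFS home versus the copy moved to local storage.
label_mode /home/owner/.mozilla/firefox/profiles.ini "$SAMPLE_MOUNTS"
label_mode /opt/firefox/.mozilla/firefox/profiles.ini "$SAMPLE_MOUNTS"
```

Called with only a path, label_mode reads the live /proc/mounts instead of the sample table.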


