[olug] firefox/widevine/nfs

Brian Beatty brian at 27megahertz.com
Tue Nov 30 14:21:53 CST 2021


Well, I found that by setting the sebool
unconfined_mozilla_plugin_transition to 0 I am now able to use the
widevine plugin when it is on an nfs mount. So I guess problem solved?
But then again maybe not, I am not sure that I want to commit to
remembering that I need to now set two se bools when utilizing an nfs
server. Seems like I am missing something here.

$ getsebool use_nfs_home_dirs unconfined_mozilla_plugin_transition
use_nfs_home_dirs --> on
unconfined_mozilla_plugin_transition --> off

On Tue, 2021-11-30 at 07:43 -0600, Brian Beatty wrote:
> Hi, yes I am aware of the use_nfs_home_dirs bool, thank you.
> 
> $ getsebool use_nfs_home_dirs
> use_nfs_home_dirs --> on
> 
> This is the working configuration. I have moved ~/.mozilla from the nfs
> mount to local storage at /opt/firefox.
> 
> $ pwd
> /opt/firefox
> $ ls -lZ .mozilla/firefox/*.ini
> -rw-rw----. 1 owner owner system_u:object_r:usr_t:s0  68 Jun 29 17:45 .mozilla/firefox/installs.ini
> -rw-rw----. 1 owner owner system_u:object_r:usr_t:s0 203 Jun 29 17:45 .mozilla/firefox/profiles.ini
> 
> 
> On Tue, 2021-11-30 at 04:58 +0000, Dillon Eastman wrote:
> > Hi there,
> > 
> > I've been in environments with RHEL in enforcing and NFS homedirs.
> > Could you be looking for the use_nfs_home_dirs flag? I brushed up on it
> > here:
> > https://www.linder.org/2019/05/26/selinux-and-nfs-home-directories/
> > 
> > Thanks,
> > 
> > Dillon Eastman
> > 
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > 
> > On Monday, November 29th, 2021 at 18:58, Rob Townley
> > <rob.townley at gmail.com> wrote:
> > 
> > > Would you send the same ls -lZn output for the working configuration?
> > >
> > > I believe you can give nfs mount options that set the selinux user, role,
> > > and type.
> > >
> > > On Mon, Nov 29, 2021 at 6:44 PM Brian Beatty
> > > brian at 27megahertz.com wrote:
> > >
> > > > Good thought, I've had similar permission problems in the past. I do
> > > > have an ldap setup to manage the user/groups.
> > > >
> > > > id owner
> > > > uid=9000(owner) gid=9000(owner) groups=9000(owner)
> > > >
> > > > ls -lnZ .mozilla/firefox/*.ini
> > > > -rw-rw----. 1 9000 9000 system_u:object_r:nfs_t:s0 68 Jun 29 17:45 .mozilla/firefox/installs.ini
> > > > -rw-rw----. 1 9000 9000 system_u:object_r:nfs_t:s0 203 Jun 29 17:45 .mozilla/firefox/profiles.ini
> > > >
> > > > On Mon, 2021-11-29 at 17:33 -0600, Rob Townley wrote:
> > > >
> > > > > interesting :)
> > > > >
> > > > > selinux might be decoy from another problem. Maybe restorecon does not
> > > > > have access to the file because the user names are the same but user ids
> > > > > are different. ls -n lists the files with numeric uid instead of the
> > > > > name.
> > > > >
> > > > > id owner # returns uid and gid
> > > > > ls -lZn /home/owner/.mozilla/firefox/*.ini
> > > > >
> > > > > On Mon, Nov 29, 2021 at 4:35 PM Brian Beatty
> > > > > brian at 27megahertz.com wrote:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > I am having an issue with Firefox/Widevine/Netflix that I can't seem to
> > > > > > resolve and I'm looking for your potential insights and guidance on the
> > > > > > matter.
> > > > > >
> > > > > > In my home network, I have multiple linux workstations that utilize an
> > > > > > nfs server for their /home mount. I also have a media center computer
> > > > > > which does not use the nfs server for its /home mount. The media center
> > > > > > pc uses an internal ssd for its /home mount.
> > > > > >
> > > > > > Netflix on the media center pc has worked flawlessly for ages.
> > > > > >
> > > > > > Recently, I tried to use Netflix on one of my workstations via Firefox
> > > > > > and found it to not be working at all.
> > > > > >
> > > > > > When I run /usr/bin/firefox from a pc that uses the nfs server for
> > > > > > /home I get errors like:
> > > > > >
> > > > > > /usr/bin/firefox
> > > > > > restorecon: Could not set context for /home/owner/.mozilla/firefox/installs.ini: Operation not supported
> > > > > > restorecon: Could not set context for /home/owner/.mozilla/firefox/profiles.ini: Operation not supported
> > > > > >
> > > > > > Now I am no expert but when I look at the security context for the
> > > > > > files in question everything looks ok to me:
> > > > > >
> > > > > > ls -lZ /home/owner/.mozilla/firefox/*.ini
> > > > > > -rw-rw----. 1 owner owner system_u:object_r:nfs_t:s0 68 Jun 29 17:45 /home/owner/.mozilla/firefox/installs.ini
> > > > > > -rw-rw----. 1 owner owner system_u:object_r:nfs_t:s0 203 Jun 29 17:45 /home/owner/.mozilla/firefox/profiles.ini
> > > > > >
> > > > > > If I move the ~/.mozilla directory to storage that is local to the
> > > > > > computer and then create a symlink, the selinux errors go away and the
> > > > > > Widevine software installs successfully. If I then run Firefox and go
> > > > > > to Netflix, everything works as expected. Then, if I move the .mozilla
> > > > > > directory back to its original location at ~/.mozilla and attempt to
> > > > > > use Firefox and Netflix the Widevine plugin crashes.
> > > > > >
> > > > > > I've spent way too much time on this and am unable to get firefox with
> > > > > > the Widevine software working when the Firefox profile is on an nfs
> > > > > > share.
> > > > > >
> > > > > > Any thoughts are appreciated.
> > > > > >
> > > > > > Thank you,
> > > > > >
> > > > > > Brian
> > > > > >
> > > > > > OLUG mailing list
> > > > > > OLUG at olug.org
> > > > > > https://www.olug.org/mailman/listinfo/olug
> 
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://www.olug.org/mailman/listinfo/olug
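
A check for the two booleans discussed in this thread, added here as an example and not written by anyone on the list: it reads `getsebool` output and prints the persistent `setsebool -P` commands needed to reach the state shown in the latest message. The function name `sebool_drift` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Desired state, copied from the getsebool output in the latest message.
# With unconfined_mozilla_plugin_transition off, the plugin container is no
# longer moved into the confined mozilla_plugin_t domain for unconfined users.
DESIRED='use_nfs_home_dirs=on
unconfined_mozilla_plugin_transition=off'

# Read `getsebool` output ("name --> on|off") on stdin and print one
# `setsebool -P name value` line for every boolean that differs from DESIRED
# or is absent from the input. -P writes the value to the policy store so it
# survives a reboot. Prints nothing when the host already matches.
sebool_drift() {
    current=$(cat)
    printf '%s\n' "$DESIRED" | while IFS='=' read -r name want; do
        have=$(printf '%s\n' "$current" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3; exit }')
        if [ "$have" != "$want" ]; then
            printf 'setsebool -P %s %s\n' "$name" "$want"
        fi
    done
}

# Constructed sample: a workstation with both booleans in the opposite state.
SAMPLE_UNSET='use_nfs_home_dirs --> off
unconfined_mozilla_plugin_transition --> on'

# Constructed sample: the state reported in the thread.
SAMPLE_SET='use_nfs_home_dirs --> on
unconfined_mozilla_plugin_transition --> off'

# Demo on the constructed input. On a real host, pipe in:
#   getsebool use_nfs_home_dirs unconfined_mozilla_plugin_transition
printf '%s\n' "$SAMPLE_UNSET" | sebool_drift
```

The printed commands are meant to be reviewed and then run as root; the script itself changes nothing.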


