Plex not deleting files

My Plex is set to delete files, but when I try to remove them I receive the error below.
It works on the deb and docker versions.

What is the path of the files you’re trying to delete?

Video files and music files

I mean the exact path where these files reside.

Oh, OK.
home/user/media/music/
home/user/media/videos/

Please run the ls --format=long ~/media command in a terminal to acquire the ownership info of the media directory.

drwxrwxr-x 253 mediaserver mediaserver 16384 Oct 16 04:12 videos
drwxrwxr-x 56 mediaserver mediaserver 4096 Oct 16 15:19 music

Did anyone end up finding a solution to this? I have my files owned by my user and in a “plex” group. I’m also unable to delete files, which is making it a hassle to clean up my server after I have watched some shows.

Do you have any security denials in your logs at the time of the cleanup? Eg: sudo journalctl | grep plex | grep audit

I don’t have anything that coincides with when I actually try to delete the files, but roughly every 65 minutes I see this:

Nov 13 12:46:19 serneum-media audit[7069]: AVC apparmor="DENIED" operation="open" profile="snap.plexmediaserver.plexmediaserver" name="/proc/7069/mounts" pid=7069     comm=506C65782053637269707420486F73 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 13 12:46:20 serneum-media kernel: audit: type=1400 audit(1542131179.975:576): apparmor="DENIED" operation="open" profile="snap.plexmediaserver.plexmediaserver" name="/proc/7069/mounts" pid=7069 comm=506C65782053637269707420486F73 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 13 12:46:21 serneum-media audit[7120]: AVC apparmor="DENIED" operation="open" profile="snap.plexmediaserver.plexmediaserver" name="/proc/7120/mounts" pid=7120 comm=506C65782053637269707420486F73 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 13 12:46:21 serneum-media kernel: audit: type=1400 audit(1542131181.543:577): apparmor="DENIED" operation="open" profile="snap.plexmediaserver.plexmediaserver" name="/proc/7120/mounts" pid=7120 comm=506C65782053637269707420486F73 requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Here are my folder permissions as well. I use 775 and give ownership to my user and a “plex” group

drwxrwxr-x 2 serneum plex 12288 Nov 12 16:20 Movies/
drwxrwxr-x 424 serneum plex 20480 Nov 3 19:53 Music/
drwxr-xr-x 68 serneum plex 4096 Nov 13 13:30 TV/

Those security denials should not be what causes the problem with the snap (if the snap plugged ‘mount-observe’ and the interface was connected, then these would go away; the snap probably doesn’t need them for normal operation though and it is likely just noise).

Looking at your permissions, it is possibly an AppArmor capability denial and the kernel logging for capability denials isn’t the easiest to work with. Can you reload the apparmor profile into the kernel with this command:

$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.plexmediaserver.plexmediaserver

then try again to perform the delete operation and report back any new denials.
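Why these permissions point at a capability check, as an added example that is not part of the original thread: removing a file needs write and search permission on the directory that contains it, and a root process that is neither the owner nor in the group only gets the "other" bits unless it may use CAP_DAC_OVERRIDE. The sketch assumes the snap runs as root (the logs show fsuid=0), that root is not in the "plex" group, and that the files sit directly in the listed directories; "plexuser" is a hypothetical account.

```python
# Constructed input: the directory listing lines quoted earlier in the thread.
LISTING = """\
drwxrwxr-x 2 serneum plex 12288 Nov 12 16:20 Movies/
drwxrwxr-x 424 serneum plex 20480 Nov 3 19:53 Music/
drwxr-xr-x 68 serneum plex 4096 Nov 13 13:30 TV/
"""

def class_bits(perm, owner, group, user, groups):
    """Pick the one rwx triplet that applies: owner, else group, else other."""
    if user == owner:
        return perm[1:4]
    if group in groups:
        return perm[4:7]
    return perm[7:10]

def can_unlink_in(perm, owner, group, user, groups):
    """True if the mode bits alone allow removing an entry from the directory.

    Needs w and x on the directory; the sticky-bit restriction is not modelled.
    """
    bits = class_bits(perm, owner, group, user, groups)
    return bits[1] == "w" and bits[2] in ("x", "s", "t")

def report(listing, user, groups):
    """Map each listed directory to whether `user` can delete inside it."""
    result = {}
    for line in listing.splitlines():
        parts = line.split()
        perm, owner, group, name = parts[0], parts[2], parts[3], parts[-1]
        result[name] = can_unlink_in(perm, owner, group, user, groups)
    return result

if __name__ == "__main__":
    # False for root means the kernel falls back to CAP_DAC_OVERRIDE,
    # which is the capability an AppArmor profile can deny.
    for who, groups in (("root", {"root"}), ("plexuser", {"plex"}), ("serneum", {"serneum"})):
        print(who, report(LISTING, who, groups))
```

A False result for root is where the kernel consults CAP_DAC_OVERRIDE; a False result for a "plex" group member (TV/ here) is a plain mode-bit failure that no capability log will show.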

I ran that command, tried to delete a video file, and then reran the journalctl command. The output did finally coincide with when I tried to delete a file:

Nov 13 17:58:29 serneum-media audit[22945]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.plexmediaserver.plexmediaserver" pid=22945 comm="apparmor_parser"
Nov 13 17:58:29 serneum-media kernel: audit: type=1400 audit(1542149909.098:593): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.plexmediaserver.plexmediaserver" pid=22945 comm="apparmor_parser"
Nov 13 17:58:59 serneum-media audit[22976]: AVC apparmor="DENIED" operation="capable" profile="snap.plexmediaserver.plexmediaserver" pid=22976 comm=506C6578204D656469612053657276 capability=1  capname="dac_override"
Nov 13 17:58:59 serneum-media kernel: audit: type=1400 audit(1542149939.079:594): apparmor="DENIED" operation="capable" profile="snap.plexmediaserver.plexmediaserver" pid=22976 comm=506C6578204D656469612053657276 capability=1  capname="dac_override"

I’m not seeing anything new in the Console section in settings, and I assume those correspond with the logs that can be downloaded.

The dac_override denial is what I suspected. This will need an update to snapd and should be included in snapd 2.37.
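To make journal output like the above easier to read, the following added example (not part of the original thread) extracts AppArmor denials, collapses the audit[]/kernel duplicates, and decodes the hex-encoded comm field. The sample lines are constructed in the shape of those quoted in this thread, with the hostname replaced; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: each event is logged twice (audit[] and kernel:).
SAMPLE_LOG = """\
Nov 13 12:46:19 host audit[7069]: AVC apparmor="DENIED" operation="open" profile="snap.plexmediaserver.plexmediaserver" name="/proc/7069/mounts" pid=7069 comm=506C65782053637269707420486F73 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 13 12:46:20 host kernel: audit: type=1400 audit(1542131179.975:576): apparmor="DENIED" operation="open" profile="snap.plexmediaserver.plexmediaserver" name="/proc/7069/mounts" pid=7069 comm=506C65782053637269707420486F73 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 13 17:58:29 host audit[22945]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.plexmediaserver.plexmediaserver" pid=22945 comm="apparmor_parser"
Nov 13 17:58:59 host audit[22976]: AVC apparmor="DENIED" operation="capable" profile="snap.plexmediaserver.plexmediaserver" pid=22976 comm=506C6578204D656469612053657276 capability=1  capname="dac_override"
Nov 13 17:58:59 host kernel: audit: type=1400 audit(1542149939.079:594): apparmor="DENIED" operation="capable" profile="snap.plexmediaserver.plexmediaserver" pid=22976 comm=506C6578204D656469612053657276 capability=1  capname="dac_override"
"""

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def decode_comm(raw):
    """The audit subsystem hex-encodes comm when it contains spaces."""
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw

def parse_denials(text):
    """Return one dict per distinct DENIED event, in order of first appearance."""
    seen, events = set(), []
    for line in text.splitlines():
        start = line.find('apparmor="DENIED"')
        if start < 0:
            continue  # skips STATUS lines such as profile_replace
        fields = {}
        for m in PAIR.finditer(line[start:]):
            key, quoted, bare = m.group(1), m.group(2), m.group(3)
            value = quoted if quoted is not None else bare
            if key == "comm" and quoted is None:
                value = decode_comm(bare)
            fields[key] = value
        ident = tuple(sorted(fields.items()))  # same fields = same event
        if ident not in seen:
            seen.add(ident)
            events.append(fields)
    return events

def summarize(events):
    """Count denials by (operation, capability name or path)."""
    return Counter((e["operation"], e.get("capname") or e.get("name", "")) for e in events)

if __name__ == "__main__":
    for (op, target), n in summarize(parse_denials(SAMPLE_LOG)).items():
        print(n, op, target)
```

Denials with operation="capable" are the ones to look at for permission failures like this one; the /proc/<pid>/mounts opens are the noise described earlier in the thread.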

Actually, I remembered that plex needs ‘read: all’ with the home interface (which is what is triggering the dac_override) but once that capability is allowed there would be a new denial that disallows the write access required to delete the files.

The original request from “Home access as root from confined snaps” that prompted the addition of the ‘read’ attribute on the home interface mentions only the ability to ‘add media’ and not delete arbitrary files. @tamas - can you comment?

Is that already released or is that just the version I should be keeping an eye out for? It looks like my version is 2.35.5 when I run snap --version. If I run sudo apt-get install snapd, I see an even older version: snapd is already the newest version (2.34.2+18.04)

This is the proper version, as snapd re-execs the version of itself in the core snap.

It seems this fix is still not available in beta. Can we still expect this on stable?

This wasn’t added to 2.37 yet but should be in 2.37.1 which will, aiui, be what is pushed to stable when it is ready.

This issue is still not solved.

Hi, any help with this issue?