dpb
April 7, 2019, 12:22am
1
Hi Folks –
I’ve been trying to switch over to the Plex Snap, and I’m running into a problem. I put my media in /media/plex/...
and I wanted to hook up my DVR (through plex) to record shows in that directory structure. But, I get an access denied message in Plex when each show tries to record. I looked through the journal and found these at the time of the recording starting:
Apr 06 18:00:00 helo audit[1096]: AVC apparmor="DENIED" operation="capable" profile="snap.plexmediaserver.plexmediaserver" pid=1096 comm=506C6578204D656469612053657276 capability=1 capname="dac_override"
Apr 06 18:00:00 helo kernel: audit: type=1400 audit(1554595200.553:861): apparmor="DENIED" operation="capable" profile="snap.plexmediaserver.plexmediaserver" pid=1096 comm=506C6578204D656469612053657276 capability=1 capname="dac_override"
Any ideas?
Thanks!
ogra
April 8, 2019, 12:27pm
2
did you connect the removable-media interface of the snap ?
(see snap interfaces
and the snap connect
command)
snap connections plexmediaserver
ftw
Can confirm this is still an issue. I replicated it by adding my media to a folder owned by dani:dani (plex runs as root in the snap) and chose to optimize a media file from plex’s library view. It refuses to do so with the plex log stating:
May 05, 2022 16:26:02.536 [0x7f85a270eb38] ERROR - Error creating directory "/mnt/zpool/media/movies/Crush (2022)/Plex Versions/Optimized for TV": Permission denied
May 05, 2022 16:26:02.536 [0x7f85a270eb38] ERROR - TranscodeJobManager: [Running] directory is not writable: "/mnt/zpool/media/movies/Crush (2022)/Plex Versions/Optimized for TV"
and dmesg reporting:
[ 2783.357682] audit: type=1400 audit(1651767962.532:1586): apparmor="DENIED" operation="capable" profile="snap.plexmediaserver.plexmediaserver" pid=4037 comm=504D5320425051204576656E7473 capability=1 capname="dac_override"
recreating the scenario with mkdir:
$ sudo snap run --shell plexmediaserver
# mkdir -p "/mnt/zpool/media/movies/Crush (2022)/Plex Versions/Optimized for TV"
mkdir: cannot create directory '/mnt/zpool/media/movies/Crush (2022)/Plex Versions': Permission denied
This reports the following dmesg error almost identical to the one generated for plex directly:
[ 3612.360541] audit: type=1400 audit(1651768791.521:2078): apparmor="DENIED" operation="capable" profile="snap.plexmediaserver.plexmediaserver" pid=1360914 comm="mkdir" capability=1 capname="dac_override"
Filesystem permissions:
$ ls -ld /mnt/zpool/media/movies \
/mnt/zpool/media/movies/Crush\ \(2022\); \
ls -l /mnt/zpool/media/movies/Crush\ \(2022\)
drwxr-xr-x 821 dani dani 821 May 5 15:59 /mnt/zpool/media/movies
drwxr-xr-x 2 dani dani 3 May 5 16:31 '/mnt/zpool/media/movies/Crush (2022)'
total 3911830
-rw-rw-r-- 1 dani dani 4009647526 Apr 29 04:20 'Crush (2022).mkv'
Plex definitely runs as root:
$ ps aux |grep plexmediaserver
root 3139 0.0 0.0 19772 3116 ? Ss 15:40 0:00 /bin/bash /snap/plexmediaserver/276/wrapper.sh
root 4036 0.0 0.0 19772 2240 ? S 15:40 0:00 /bin/bash /snap/plexmediaserver/276/wrapper.sh
root 5466 0.2 0.0 63224 43152 ? SNl 15:40 0:10 Plex Plug-in [com.plexapp.system] /snap/plexmediaserver/276/Resources/Plug-ins-8cf78dab3/Framework.bundle/Contents/Resources/Versions/2/Python/bootstrap.py --server-version 1.26.0.5715-8cf78dab3 /snap/plexmediaserver/276/Resources/Plug-ins-8cf78dab3/System.bundle
root 5853 0.0 0.0 40204 12016 ? Sl 15:40 0:03 /snap/plexmediaserver/276/Plex Tuner Service /snap/plexmediaserver/276/Resources/Tuner/Private /snap/plexmediaserver/276/Resources/Tuner/Shared 1.26.0.5715-8cf78dab3 32600
root 1160376 0.1 0.0 54340 34160 ? Sl 16:19 0:02 Plex Plug-in [tv.plex.agents.movie] /snap/plexmediaserver/276/Resources/Plug-ins-8cf78dab3/Framework.bundle/Contents/Resources/Versions/2/Python/bootstrap.py --server-version 1.26.0.5715-8cf78dab3 /snap/plexmediaserver/276/Resources/Plug-ins-8cf78dab3/PlexMovieNew.bundle
As I’m using ZFS for my filesystem ACLs are supported. So I’ve worked around this issue with the following recursive ACL on my media folders:
# file: .
# owner: dani
# group: dani
user::rwx
user:root:rwx
user:dani:rwx
group::r-x
group:root:rwx
group:dani:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:dani:rwx
default:group::r-x
default:group:root:rwx
default:group:dani:rwx
default:mask::rwx
default:other::r-x