Plex Snap - Cannot write files

Hi Folks –

I’ve been trying to switch over to the Plex Snap, and I’m running into a problem. I put my media in /media/plex/... and I wanted to hook up my DVR (through plex) to record shows in that directory structure. But, I get an access denied message in Plex when each show tries to record. I looked through the journal and found these at the time of the recording starting:

Apr 06 18:00:00 helo audit[1096]: AVC apparmor="DENIED" operation="capable" profile="snap.plexmediaserver.plexmediaserver" pid=1096 comm=506C6578204D656469612053657276 capability=1  capname="dac_override"
Apr 06 18:00:00 helo kernel: audit: type=1400 audit(1554595200.553:861): apparmor="DENIED" operation="capable" profile="snap.plexmediaserver.plexmediaserver" pid=1096 comm=506C6578204D656469612053657276 capability=1  capname="dac_override"

Any ideas?

Thanks!

did you connect the removable-media interface of the snap ?

(see snap interfaces and the snap connect command)

snap connections plexmediaserver ftw

Can confirm this is still an issue. I replicated it by adding my media to a folder owned by dani:dani (plex runs as root in the snap) and chose to optimize a media file from plex’s library view. It refuses to do so with the plex log stating:

May 05, 2022 16:26:02.536 [0x7f85a270eb38] ERROR - Error creating directory "/mnt/zpool/media/movies/Crush (2022)/Plex Versions/Optimized for TV": Permission denied
May 05, 2022 16:26:02.536 [0x7f85a270eb38] ERROR - TranscodeJobManager: [Running] directory is not writable: "/mnt/zpool/media/movies/Crush (2022)/Plex Versions/Optimized for TV"

and dmesg reporting:

[ 2783.357682] audit: type=1400 audit(1651767962.532:1586): apparmor="DENIED" operation="capable" profile="snap.plexmediaserver.plexmediaserver" pid=4037 comm=504D5320425051204576656E7473 capability=1  capname="dac_override"

recreating the scenario with mkdir:

$ sudo snap run --shell plexmediaserver
# mkdir -p "/mnt/zpool/media/movies/Crush (2022)/Plex Versions/Optimized for TV"
mkdir: cannot create directory '/mnt/zpool/media/movies/Crush (2022)/Plex Versions': Permission denied

This reports the following dmesg error almost identical to the one generated for plex directly:

[ 3612.360541] audit: type=1400 audit(1651768791.521:2078): apparmor="DENIED" operation="capable" profile="snap.plexmediaserver.plexmediaserver" pid=1360914 comm="mkdir" capability=1  capname="dac_override"

Filesystem permissions:

$ ls -ld /mnt/zpool/media/movies \
         /mnt/zpool/media/movies/Crush\ \(2022\); \
  ls -l /mnt/zpool/media/movies/Crush\ \(2022\)
drwxr-xr-x 821 dani dani 821 May  5 15:59  /mnt/zpool/media/movies
drwxr-xr-x   2 dani dani   3 May  5 16:31 '/mnt/zpool/media/movies/Crush (2022)'
total 3911830
-rw-rw-r-- 1 dani dani 4009647526 Apr 29 04:20 'Crush (2022).mkv'

Plex definitely runs as root:

$ ps aux |grep plexmediaserver
root        3139  0.0  0.0  19772  3116 ?        Ss   15:40   0:00 /bin/bash /snap/plexmediaserver/276/wrapper.sh
root        4036  0.0  0.0  19772  2240 ?        S    15:40   0:00 /bin/bash /snap/plexmediaserver/276/wrapper.sh
root        5466  0.2  0.0  63224 43152 ?        SNl  15:40   0:10 Plex Plug-in [com.plexapp.system] /snap/plexmediaserver/276/Resources/Plug-ins-8cf78dab3/Framework.bundle/Contents/Resources/Versions/2/Python/bootstrap.py --server-version 1.26.0.5715-8cf78dab3 /snap/plexmediaserver/276/Resources/Plug-ins-8cf78dab3/System.bundle
root        5853  0.0  0.0  40204 12016 ?        Sl   15:40   0:03 /snap/plexmediaserver/276/Plex Tuner Service /snap/plexmediaserver/276/Resources/Tuner/Private /snap/plexmediaserver/276/Resources/Tuner/Shared 1.26.0.5715-8cf78dab3 32600
root     1160376  0.1  0.0  54340 34160 ?        Sl   16:19   0:02 Plex Plug-in [tv.plex.agents.movie] /snap/plexmediaserver/276/Resources/Plug-ins-8cf78dab3/Framework.bundle/Contents/Resources/Versions/2/Python/bootstrap.py --server-version 1.26.0.5715-8cf78dab3 /snap/plexmediaserver/276/Resources/Plug-ins-8cf78dab3/PlexMovieNew.bundle

As I’m using ZFS for my filesystem ACLs are supported. So I’ve worked around this issue with the following recursive ACL on my media folders:

# file: .
# owner: dani
# group: dani
user::rwx
user:root:rwx
user:dani:rwx
group::r-x
group:root:rwx
group:dani:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:dani:rwx
default:group::r-x
default:group:root:rwx
default:group:dani:rwx
default:mask::rwx
default:other::r-x