* Tue Nov 08 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-224

- Allow watching netflix using Firefox

policy-rawhide-contrib.patch

@@ -52309,7 +52309,7 @@ index 6194b80..e27c53d 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4..653ba10 100644
+index 11ac8e4..9336364 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@@ -52762,7 +52762,7 @@ index 11ac8e4..653ba10 100644
  ')
  
  optional_policy(`
-@@ -300,259 +339,254 @@ optional_policy(`
+@@ -300,259 +339,257 @@ optional_policy(`
  
  ########################################
  #
@@ -52777,6 +52777,8 @@ index 11ac8e4..653ba10 100644
 +dontaudit mozilla_plugin_t self:capability2 block_suspend;
 +dontaudit mozilla_plugin_t self:cap_userns {sys_ptrace };
 +
++
++allow mozilla_plugin_t self:cap_userns {sys_admin sys_chroot};
 +allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mozilla_plugin_t self:netlink_socket create_socket_perms;
@@ -52836,21 +52838,23 @@ index 11ac8e4..653ba10 100644
 +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
  
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
++manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
- fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+-fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
++fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file dir lnk_file sock_file fifo_file })
 +userdom_manage_home_texlive(mozilla_plugin_t)
  
  allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
 -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
 +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
  
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
 -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
 +can_exec(mozilla_plugin_t, mozilla_exec_t)
  
@@ -53162,7 +53166,7 @@ index 11ac8e4..653ba10 100644
  ')
  
  optional_policy(`
-@@ -560,7 +594,11 @@ optional_policy(`
+@@ -560,7 +597,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53175,7 +53179,7 @@ index 11ac8e4..653ba10 100644
  ')
  
  optional_policy(`
-@@ -568,108 +606,144 @@ optional_policy(`
+@@ -568,108 +609,144 @@ optional_policy(`
  ')
  
  optional_policy(`

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 223%{?dist}
+Release: 224%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 08 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-224
+- Allow watching netflix using Firefox
+
 * Mon Nov 07 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-223
 - nmbd_t needs net_admin capability like smbd
 - Add interface chronyd_manage_pid() Allow logrotate to manage chrony pids