diff --git a/container-selinux.tgz b/container-selinux.tgz index cafd41f..7a78fdf 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b4f8d8f..811c8b8 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -52309,7 +52309,7 @@ index 6194b80..e27c53d 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..653ba10 100644 +index 11ac8e4..9336364 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -52762,7 +52762,7 @@ index 11ac8e4..653ba10 100644 ') optional_policy(` -@@ -300,259 +339,254 @@ optional_policy(` +@@ -300,259 +339,257 @@ optional_policy(` ######################################## # @@ -52777,6 +52777,8 @@ index 11ac8e4..653ba10 100644 +dontaudit mozilla_plugin_t self:capability2 block_suspend; +dontaudit mozilla_plugin_t self:cap_userns {sys_ptrace }; + ++ ++allow mozilla_plugin_t self:cap_userns {sys_admin sys_chroot}; +allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow mozilla_plugin_t self:netlink_socket create_socket_perms; @@ -52836,21 +52838,23 @@ index 11ac8e4..653ba10 100644 +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) ++manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) - fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) +-fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) ++fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file dir lnk_file sock_file fifo_file }) +userdom_manage_home_texlive(mozilla_plugin_t) allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +- +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -- -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) @@ -53162,7 +53166,7 @@ index 11ac8e4..653ba10 100644 ') optional_policy(` -@@ -560,7 +594,11 @@ optional_policy(` +@@ -560,7 +597,11 @@ optional_policy(` ') optional_policy(` @@ -53175,7 +53179,7 @@ index 11ac8e4..653ba10 100644 ') optional_policy(` -@@ -568,108 +606,144 @@ optional_policy(` +@@ -568,108 +609,144 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 09d7df1..872bf61 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 223%{?dist} +Release: 224%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,9 @@ exit 0 %endif %changelog +* Tue Nov 08 2016 Lukas Vrabec - 3.13.1-224 +- Allow watching netflix using Firefox + * Mon Nov 07 2016 Lukas Vrabec - 3.13.1-223 - nmbd_t needs net_admin capability like smbd - Add interface chronyd_manage_pid() Allow logrotate to manage chrony pids