SELinux: cannot confine Firefox process to mozilla_t domain

Solution 1:

You nearly had it. The problem is that the allow rule

allow unconfined_t mozilla_t : process transition ;

allows the transition to take place, but doesn't cause it to happen. For that you need a type_transition rule:

type_transition unconfined_t mozilla_exec_t : process mozilla_t;

This causes the transition to occur when an unconfined_t process executes a mozilla_exec_t file.

With that done, firefox won't run. I used audit2allow to track down the additional rules needed to allow firefox to manage temp files and sockets.

Here is a policy that works on my CentOS 6-based VM. It needs the SELinux boolean mozilla_read_content enabled (via: setsebool -P mozilla_read_content 1).

module mozilla 1.0;

require {
  role unconfined_r;
  type unconfined_t;
  type mozilla_t;
  type mozilla_exec_t;
  type tmp_t;
  type user_tmp_t;
  type fs_t;
  class process transition;
  class file { ioctl getattr setattr create read write unlink open relabelto };
  class dir { ioctl getattr setattr create read write unlink add_name remove_name };
  class filesystem getattr;
  class sock_file { getattr setattr create read write unlink };
  class unix_stream_socket connectto;
}

# Let the unconfined role run processes in the mozilla_t domain.
role unconfined_r types mozilla_t;

allow unconfined_t self:file relabelto;
# Permits the domain transition; the type_transition below makes it happen.
allow unconfined_t mozilla_t : process transition ;

type_transition unconfined_t mozilla_exec_t : process mozilla_t;

# Additional rules found with audit2allow: temp files, temp dirs and sockets.
allow mozilla_t fs_t:filesystem getattr;
allow mozilla_t tmp_t:file { ioctl getattr setattr create write unlink open };
allow mozilla_t tmp_t:dir { ioctl getattr setattr create read write add_name remove_name };
allow mozilla_t user_tmp_t:dir { ioctl create write add_name setattr remove_name };
allow mozilla_t user_tmp_t:sock_file { getattr setattr create read write unlink };
allow mozilla_t unconfined_t:unix_stream_socket connectto;

To compile and install it:

# checkmodule -M -m -o mozilla.mod mozilla.te
checkmodule: loading policy configuration from rekado.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 10) to mozilla.mod
# semodule_package -o mozilla.pp -m mozilla.mod
# sudo semodule -i mozilla.pp
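The allow/type_transition distinction is easy to get half right in either direction, so here is a small checker, added as an example and not part of the answer above, that reads a .te fragment and reports domain transitions that are only permitted or only triggered. It is a line-oriented regex parser of my own, not libselinux or setools, and it covers only the two rule types the answer discusses; the file execute and entrypoint permissions that an exec into mozilla_t also needs are assumed to come from the distribution's base mozilla module, which the answer's policy relies on as well.

```python
import re

# Constructed sample input: the domain-transition rules from the answer's
# module, quoted here as a string rather than read from mozilla.te.
ANSWER_POLICY = """
allow unconfined_t mozilla_t : process transition ;
type_transition unconfined_t mozilla_exec_t : process mozilla_t;
allow mozilla_t fs_t:filesystem getattr;
"""

# Constructed sample: the mistake from the question, the allow rule on its own.
ALLOW_ONLY = """
allow unconfined_t mozilla_t : process transition ;
"""

# Constructed sample: the opposite mistake, a default transition that the
# source domain is never permitted to make.
TRANSITION_ONLY = """
type_transition unconfined_t mozilla_exec_t : process mozilla_t;
"""

# 'allow <src> <tgt> : process <perm | { perms }> ;'
ALLOW_RE = re.compile(
    r'^\s*allow\s+(\w+)\s+(\w+)\s*:\s*process\s+(\{[^}]*\}|\w+)\s*;')
# 'type_transition <src> <exec_type> : process <tgt> ;'
TT_RE = re.compile(
    r'^\s*type_transition\s+(\w+)\s+(\w+)\s*:\s*process\s+(\w+)\s*;')


def parse_rules(policy_text):
    """Return (allowed, triggered):
    allowed   - set of (source, target) domain pairs granted 'process transition'
    triggered - dict (source, exec_type) -> target from type_transition rules
    """
    allowed = set()
    triggered = {}
    for line in policy_text.splitlines():
        line = line.split('#', 1)[0]          # drop trailing comments
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, perms = m.groups()
            if 'transition' in perms.strip('{}').split():
                allowed.add((src, tgt))
            continue
        m = TT_RE.match(line)
        if m:
            src, exec_type, tgt = m.groups()
            triggered[(src, exec_type)] = tgt
    return allowed, triggered


def check_transitions(policy_text):
    """List the domain transitions that are only half specified.

    An allow rule without a type_transition means the exec succeeds but the
    process stays in the source domain (the symptom in the question).
    A type_transition without the allow rule means the kernel computes the new
    domain, the transition check fails, and the exec is denied in enforcing mode.
    """
    allowed, triggered = parse_rules(policy_text)
    findings = []
    triggered_pairs = {(src, tgt) for (src, _), tgt in triggered.items()}
    for src, tgt in sorted(allowed - triggered_pairs):
        findings.append(
            f"{src} -> {tgt}: transition allowed but no type_transition "
            f"triggers it; execs will stay in {src}")
    for (src, exec_type), tgt in sorted(triggered.items()):
        if (src, tgt) not in allowed:
            findings.append(
                f"{src} -> {tgt} on {exec_type}: type_transition set but "
                f"'process transition' not allowed; execs will be denied")
    return findings


if __name__ == "__main__":
    for name, text in [("answer", ANSWER_POLICY), ("allow only", ALLOW_ONLY),
                       ("type_transition only", TRANSITION_ONLY)]:
        print(name, check_transitions(text) or ["ok"])
```

Running it against the answer's rules reports nothing, while the allow-only fragment is flagged with the "stays in unconfined_t" message, which matches what ps -Z showed in the question. After installing the real module, the same check can be done by hand: `sesearch -T -s unconfined_t -t mozilla_exec_t` should list the type_transition, and `sesearch -A -s unconfined_t -t mozilla_t -c process -p transition` the allow rule.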