SELinux: cannot confine Firefox process to mozilla_t domain

firefox fedora selinux mozilla

Solution 1:

You nearly had it. The problem is that the allow rule

allow unconfined_t mozilla_t : process transition ;

allows the transition to take place, but doesn't cause it to happen. For that you need a type_transition rule:

type_transition unconfined_t mozilla_exec_t : process mozilla_t;

This causes the transition to occur when an unconfined_t process executes a mozilla_exec_t file.

With that done, firefox won't run. I used audit2allow to track down the additional rules needed to allow firefox to manage temp files and sockets.

Here is a policy that works on my CentOS 6-based VM. It needs the selinux boolean mozilla_read_content enabled (via: setsebool -P mozilla_read_content 1).

module mozilla 1.0;

require {
  role unconfined_r;
  type unconfined_t;
  type mozilla_t;
  type mozilla_exec_t;
  type tmp_t;
  type user_tmp_t;
  type fs_t;
  class process transition;
  class file { ioctl getattr setattr create read write unlink open relabelto };
  class dir { ioctl getattr setattr create read write unlink add_name remove_name };
  class filesystem getattr;
  class sock_file { getattr setattr create read write unlink };
  class unix_stream_socket connectto;
}

role unconfined_r types mozilla_t;

allow unconfined_t self:file relabelto;
allow unconfined_t mozilla_t : process transition ; 

type_transition unconfined_t mozilla_exec_t : process mozilla_t;

allow mozilla_t fs_t:filesystem getattr;
allow mozilla_t tmp_t:file { ioctl getattr setattr create write unlink open };
allow mozilla_t tmp_t:dir  { ioctl getattr setattr create read write add_name remove_name };
allow mozilla_t user_tmp_t:dir { ioctl create write add_name setattr remove_name };
allow mozilla_t user_tmp_t:sock_file { getattr setattr create read write unlink };
allow mozilla_t unconfined_t:unix_stream_socket connectto;

To compile and install it:

# checkmodule -M -m -o mozilla.mod mozilla.te
checkmodule: loading policy configuration from rekado.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 10) to mozilla.mod
# semodule_package -o mozilla.pp -m mozilla.mod
# sudo semodule -i mozilla.pp

Related

How to get Run Puppet button working on Foreman?
How to Disable TLSv1.0 and TLSv1.1 in Nginx
start nginx despite missing upstream
Set default TTL in Varnish 4.0?
Copying over SSH via Putty tools is slower than via WinSCP
Apache shuts down unintentionally
Keeping Google Cloud Storage buckets backed up
Salt: Minion did not return but salt-call is working
HAProxy has no server available
On Linux, what is the size of pages reported by vmstat command and/or /proc/vmstat?
iSCSI target stuck reconnecting after server reboots
CentOS 7.2.1511, kickstart and user creation