Default SELinux policy doesn't work with firejail?

I got SELinux confined users working, as in being able to log in as staff_u and do sudo from it.

I tried launching firejail firefox, but that instantaneously crapped out.

  1. It is requiring me to run firejail from sudo (I can run firejail without sudo when not using confined users). OK, I run it as sudo firejail just to test; it proceeds, but then errors out:
  2. Firejail cannot find the DBus user socket. OK, I feed it to firejail, and it still cannot find it.

So basically Firefox cannot be launched with firejail by default right now?

I also have a question: if I launch Firefox (without firejail), its context shows staff_u:staff_r:staff_t. But I thought the default behavior should be for the process to transition from staff_t to mozilla_exec_t? Please help.

Can you please post any AVC denials and the dbus socket error message here?

If you want staff_t to transition, you might try: sesearch -A -s staff_t -c process -p transition

Ref. https://linux.die.net/man/8/staff_selinux

Or man staff_selinux if you have selinux-policy-doc installed.

It looks like these are the default allowed transitions for mozilla from staff_t:

allow staff_t mozilla_plugin_config_t:process transition;
allow staff_t mozilla_plugin_t:process { noatsecure sigchld sigkill signal signull sigstop transition };

You might also ask firejail upstream about this?
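As an added example (not code from either poster), the following POSIX shell helpers turn the sesearch query suggested above into a yes/no check: they parse allow rules of the form sesearch prints, list the target domains a source domain may transition to, and report whether a particular target (here mozilla_t, the Firefox domain name in the reference policy, which is an assumption of this example) is among them. The sample rules are the two quoted above and are embedded inline so the script runs without setools installed; live_check runs the real sesearch when it is available.

```shell
#!/bin/sh
# Added example: check SELinux process-transition rules from sesearch output.
# Not part of the original thread; the sample input below is constructed from
# the two allow rules quoted in the reply.

SAMPLE_SESEARCH='allow staff_t mozilla_plugin_config_t:process transition;
allow staff_t mozilla_plugin_t:process { noatsecure sigchld sigkill signal signull sigstop transition };'

# transition_targets SRC
#   Reads sesearch-style "allow SRC TGT:process ..." rules on stdin and prints
#   each TGT whose permission set includes "transition", one per line.
transition_targets() {
    awk -v src="$1" '
        $1 == "allow" && $2 == src {
            split($3, parts, ":")          # parts[1]=target type, parts[2]=class
            if (parts[2] != "process") next
            perms = ""
            for (i = 4; i <= NF; i++) perms = perms " " $i
            gsub(/[{};]/, " ", perms)      # strip braces and the trailing ";"
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++)
                if (p[i] == "transition") { print parts[1]; break }
        }'
}

# can_transition SRC TGT
#   Exit 0 if the rules on stdin allow SRC to transition to TGT, 1 otherwise.
can_transition() {
    transition_targets "$1" | grep -qx "$2"
}

# live_check SRC TGT
#   Same check against the loaded policy, using sesearch from setools
#   (sesearch -A -s SRC -c process -p transition). Exit 2 if sesearch is missing.
live_check() {
    command -v sesearch >/dev/null 2>&1 || {
        echo "sesearch not found; install setools" >&2
        return 2
    }
    sesearch -A -s "$1" -c process -p transition | can_transition "$1" "$2"
}

# Demo on the constructed sample: list where staff_t may transition to.
printf '%s\n' "$SAMPLE_SESEARCH" | transition_targets staff_t
```

On a real system, run `live_check staff_t mozilla_t`; if it returns non-zero while `ps -eZ | grep firefox` shows staff_t, the policy has no transition rule for that path, which is consistent with Firefox staying in the login domain rather than any firejail-specific failure.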