This is ridiculous. I have selinux enabled, it’s all default, whatever Fedora 40 installs. Selinux does work, I see denials if I try to violate the policy. But when I start firefox (either from /usr/bin/ wrapper script or from /usr/lib64/firefox/firefox), ps Z shows firefox processes all under unconfined_t domain. Meaning firefox is running completely unsecure.
Big problem!
Notably, some other running processes do get their domains set correctly. So, I don’t know if there’s a type transition problem with mozilla’s selinux policy shipped by Fedora, or something else. I tried to add my own selinux policy to allow type transition to mozilla_exec_t, but this didn’t change this behavior. I looked through the type transitions in selinux policy by Fedora, and I’m not seeing the problem. I did, however, see that Fedora’s selinux policy for some bizarre reason allows the opposite transition from mozilla_exec_t to unconfined_t… maybe that’s the problem, but I don’t think so.
This needs to be resolved asap because this makes all Fedora installs with Firefox very, very unsafe!
This is not ridiculous but intended. SELinux does not enforce within the user account. There are other security means in place for that. I do not know a Linux distribution that does this by default: you can activate this manually - this is the “confined user accounts” you can find much documentation about on the Internet and also here in the selinux-confined-users category. But the reason why this is not active by default is that, despite the strong security advantages, it can break things and for many users the experience will not be acceptable. About pros and cons and needs and mitigations, see earlier topics in selinux-confined-users.
Please be kind and respectful if you want other people to help you for free. There is no reason to determine others’ work as ridiculous. And please check earlier topics and public documentation about such cases. That can save time, also for you.
Can you please say, “If you add your user to confined selinux users, Firefox will launch confined to its domain”? Because people are still unclear on that “simple” step they might need to do using instructions from SELinux/ConfinedUsers - Fedora Project Wiki.
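
To see on your own system what the thread describes, the following added example (not part of any post above) parses `ps -eZ` output and lists the processes running in the `unconfined_t` domain. The sample output is constructed for illustration, and the function names are hypothetical.

```python
# Constructed sample of `ps -eZ` output (not captured from a real system).
SAMPLE_PS_Z = """\
LABEL                                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                                 1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023                   912 ?        00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023    2301 tty2     00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023    2410 tty2     00:01:12 firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023    2466 tty2     00:00:09 Isolated Web Co
"""


def parse_context(label):
    """Split an SELinux context into user, role, type and level.

    The MLS/MCS level (e.g. s0-s0:c0.c1023) may itself contain ':',
    so only the first three colons are treated as separators.
    """
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {label!r}")
    level = parts[3] if len(parts) == 4 else ""
    return {"user": parts[0], "role": parts[1], "type": parts[2], "level": level}


def parse_ps_z(text):
    """Return one dict per process line of `ps -eZ` output."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 4)  # LABEL PID TTY TIME CMD (CMD may hold spaces)
        if len(fields) < 5 or not fields[1].isdigit():
            continue  # header or malformed line
        try:
            ctx = parse_context(fields[0])
        except ValueError:
            continue  # e.g. "-" when SELinux is disabled
        procs.append({"pid": int(fields[1]), "cmd": fields[4], **ctx})
    return procs


def unconfined_processes(procs):
    """Processes whose domain (context type) is unconfined_t."""
    return [p for p in procs if p["type"] == "unconfined_t"]


if __name__ == "__main__":
    for p in unconfined_processes(parse_ps_z(SAMPLE_PS_Z)):
        print(f'{p["pid"]:>6}  {p["user"]}:{p["role"]}:{p["type"]}  {p["cmd"]}')
```

To run it against a live system, pass the real output of `ps -eZ` to `parse_ps_z` in place of the sample.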