May 31, 2021, 11:36am
Cannot be! I just read old stuff (2015) about an unconfined firefox process that should be assigned to mozilla_t. Basic targeted policy on a fresh custom (server+i3) installation.
$ ps -axZ | grep firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1031 ? Sl 2:18 /usr/lib64/firefox/firefox
The binary in “/usr/bin/firefox” is just a launcher that starts “/usr/lib64/firefox/firefox”.
$ sudo semodule -l | grep mozilla
The module is enabled and the filesystem was relabeled just now. It’s interesting that the executable file still has the type:
$ ls /usr/lib64/firefox/firefox -laZ
-rwxr-xr-x. 1 root root system_u:object_r:mozilla_exec_t:s0 601400 May 10 19:27 /usr/lib64/firefox/firefox
The internet says the targeted policy provides rules for the firefox browser. Do I need to configure it manually, or am I missing something (rpm’s) during installation?
All other stuff provided by the targeted policy works fine: correct types on processes/files.
June 8, 2021, 11:35am
As I understand it, it isn’t really possible to create rules that allow everything everyone actually wants to legitimately do with Firefox while still keeping any protection. This old bugzilla is probably still valid when it comes to the reasoning.
Checking what the policy actually says these days, there is a rule that would allow the transition:
mimmi$ sudo sesearch -A -t mozilla_t -p transition
allow unconfined_t domain:process transition;
allow xguest_t mozilla_t:process transition;
but no rule to say the transition should be done from:
mimmi$ sudo sesearch -T -t mozilla_exec_t
type_transition staff_dbusd_t mozilla_exec_t:process staff_t;
type_transition sysadm_dbusd_t mozilla_exec_t:process sysadm_t;
type_transition unconfined_dbusd_t mozilla_exec_t:process unconfined_t;
type_transition user_dbusd_t mozilla_exec_t:process user_t;
type_transition xguest_dbusd_t mozilla_exec_t:process xguest_t;
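Added example, not part of either post: a small Python checker that applies the reasoning in the answer above to sesearch-style rule lines. An automatic domain transition on exec needs both a type_transition rule (the default new domain) and an allow rule granting process:transition from the source to that domain. The sample input is the sesearch output pasted in the thread; the attribute map (which types carry the `domain` attribute) is a constructed assumption, not dumped from a real policy, and the function names (`parse_rules`, `domain_after_exec`, `sources_reaching`) are this example's own. It ignores execute/entrypoint permissions and conditional rules, so it is a reading aid for sesearch output, not a replacement for running `sesearch -T -s unconfined_t -t mozilla_exec_t -c process` on the live policy.

```python
"""Added example (not from the thread): decide, from sesearch-style rule
lines, whether executing a file of a given type from a given domain will
land the new process in a different domain.

Two things must hold for an automatic domain transition on exec:
  1. a type_transition rule  SRC EXEC_T:process NEW_T;    (the default)
  2. an allow rule           SRC NEW_T:process transition; (permission)
The thread shows (2) exists for unconfined_t via the 'domain' attribute,
while (1) is missing for unconfined_t, so firefox keeps unconfined_t.
"""
import re

# Constructed sample input: the sesearch output quoted in the thread above.
SESEARCH_OUTPUT = """\
allow unconfined_t domain:process transition;
allow xguest_t mozilla_t:process transition;
type_transition staff_dbusd_t mozilla_exec_t:process staff_t;
type_transition sysadm_dbusd_t mozilla_exec_t:process sysadm_t;
type_transition unconfined_dbusd_t mozilla_exec_t:process unconfined_t;
type_transition user_dbusd_t mozilla_exec_t:process user_t;
type_transition xguest_dbusd_t mozilla_exec_t:process xguest_t;
"""

# Assumed attribute membership (constructed, not dumped from a policy):
# 'domain' is the attribute every process domain carries, so an allow
# rule whose target is 'domain' covers mozilla_t as well.
ATTRIBUTES = {
    "domain": {"unconfined_t", "xguest_t", "mozilla_t", "staff_t",
               "sysadm_t", "user_t"},
}

ALLOW_RE = re.compile(r"^allow (\S+) (\S+):(\S+) (.+?);$")
TT_RE = re.compile(r"^type_transition (\S+) (\S+):(\S+) (\S+);$")


def parse_rules(text):
    """Return (allows, transitions) parsed from sesearch -A / -T output."""
    allows, transitions = [], []
    for line in text.splitlines():
        line = line.strip()
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            # sesearch prints several permissions as "{ a b c }"
            allows.append((src, tgt, cls, set(perms.strip("{} ").split())))
            continue
        m = TT_RE.match(line)
        if m:
            transitions.append(m.groups())
    return allows, transitions


def expand(name, attributes):
    """A type names itself; an attribute names every type carrying it."""
    return attributes.get(name, {name})


def default_transition(transitions, src, exec_type):
    """The NEW_T a type_transition rule assigns on exec, or None."""
    for s, t, cls, new in transitions:
        if cls == "process" and s == src and t == exec_type:
            return new
    return None


def transition_allowed(allows, src, new_domain, attributes):
    """Is SRC granted the 'transition' permission on NEW_T:process?"""
    for s, t, cls, perms in allows:
        if (cls == "process" and "transition" in perms
                and src in expand(s, attributes)
                and new_domain in expand(t, attributes)):
            return True
    return False


def domain_after_exec(rules, src, exec_type, attributes):
    """Domain the process runs in after SRC execs a file of EXEC_T.

    Returns (domain, reason); domain is None when the default transition
    exists but the given rules do not permit it (the exec would be denied).
    """
    allows, transitions = rules
    new = default_transition(transitions, src, exec_type)
    if new is None:
        return src, "no type_transition rule, process keeps domain " + src
    if not transition_allowed(allows, src, new, attributes):
        return None, "type_transition to %s found but no matching allow" % new
    return new, "transition to %s is both defaulted and allowed" % new


def sources_reaching(transitions, exec_type, wanted):
    """Source domains whose exec of EXEC_T is defaulted into WANTED."""
    return {s for s, t, cls, new in transitions
            if cls == "process" and t == exec_type and new == wanted}


if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    print(domain_after_exec(rules, "unconfined_t", "mozilla_exec_t", ATTRIBUTES))
    print("sources defaulted into mozilla_t:",
          sources_reaching(rules[1], "mozilla_exec_t", "mozilla_t"))
```

Run against the thread's rules, `domain_after_exec` reports that unconfined_t keeps its own domain because no type_transition matches, and `sources_reaching` returns an empty set: none of the listed type_transition rules on mozilla_exec_t has mozilla_t as its result, which is exactly why `ps -Z` shows the browser as unconfined_t even though the allow rule would permit the transition.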