There is no default policy?

Cannot be! I just read old stuff (2015) about the unconfined firefox process, which should be assigned to mozilla_t. Basic targeted policy on a fresh custom (server+i3) installation.

    $ ps -axZ | grep firefox
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1031 ? Sl   2:18 /usr/lib64/firefox/firefox

The binary in “/usr/bin/firefox” is just a launcher that starts “/usr/lib64/firefox/firefox”.

    $ sudo semodule -l | grep mozilla

The module is enabled and the filesystem was relabeled just now. It’s interesting that the executable file still has the type:

    $ ls /usr/lib64/firefox/firefox -laZ
    -rwxr-xr-x. 1 root root system_u:object_r:mozilla_exec_t:s0 601400 May 10 19:27 /usr/lib64/firefox/firefox

The internet says the targeted policy provides rules for the Firefox browser; do I need to configure it manually, or am I missing something ( rpm’s :smiley: ) during installation?

All other stuff provided by targeted policy works fine: correct types on processes/files.

As I understand it, it isn’t really possible to create rules that allow everything everyone actually wants to legitimately do with Firefox while still keeping any protection. This old bugzilla is probably still valid when it comes to the reasoning.

Checking what the policy actually says these days, there is a rule that would allow the transition:

    mimmi$ sudo sesearch -A -t mozilla_t -p transition
    allow unconfined_t domain:process transition;
    allow xguest_t mozilla_t:process transition;

but no rule to say the transition should be done from unconfined_t:

    mimmi$ sudo sesearch -T -t mozilla_exec_t
    type_transition staff_dbusd_t mozilla_exec_t:process staff_t;
    type_transition sysadm_dbusd_t mozilla_exec_t:process sysadm_t;
    type_transition unconfined_dbusd_t mozilla_exec_t:process unconfined_t;
    type_transition user_dbusd_t mozilla_exec_t:process user_t;
    type_transition xguest_dbusd_t mozilla_exec_t:process xguest_t;
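To make the reasoning in the answer above checkable, here is an added example (not part of the original thread, nor code from the SELinux project) that parses the two `sesearch` listings quoted above and reports why the process stays in `unconfined_t`: a domain transition on exec needs both an `allow <src> <new>:process transition` rule and a `type_transition <src> <exec>:process <new>` rule (plus `execute` on the file, which the listings above do not show and the code therefore does not check). The `ATTRIBUTES` table is an assumption: `domain` is an attribute in the reference policy that contains every process domain, and only a small subset is modelled here. The `HYPOTHETICAL_FIX_TT` text adds one `type_transition` line that does not exist on the page, purely to show what the check reports when the missing rule is present.

```python
"""Decide from sesearch output whether an SELinux exec transition is wired up.

Both pieces are required for a transition on exec:
  allow <src> <new>:process transition;            (sesearch -A)
  type_transition <src> <exec>:process <new>;      (sesearch -T)
The file 'execute' permission is also needed but is not modelled here.
"""
import re

# Constructed sample input: the two listings quoted in the answer above.
SESEARCH_ALLOW = """\
allow unconfined_t domain:process transition;
allow xguest_t mozilla_t:process transition;
"""

SESEARCH_TT = """\
type_transition staff_dbusd_t mozilla_exec_t:process staff_t;
type_transition sysadm_dbusd_t mozilla_exec_t:process sysadm_t;
type_transition unconfined_dbusd_t mozilla_exec_t:process unconfined_t;
type_transition user_dbusd_t mozilla_exec_t:process user_t;
type_transition xguest_dbusd_t mozilla_exec_t:process xguest_t;
"""

# Hypothetical: the one rule the answer says is missing, added for contrast.
HYPOTHETICAL_FIX_TT = SESEARCH_TT + \
    "type_transition unconfined_t mozilla_exec_t:process mozilla_t;\n"

# Assumption: 'domain' is a policy attribute holding all process domains;
# this is a small constructed subset of its real membership.
ATTRIBUTES = {
    "domain": {"unconfined_t", "xguest_t", "mozilla_t", "staff_t",
               "sysadm_t", "user_t"},
}

# 'allow src tgt:class { p1 p2 }' or 'allow src tgt:class p1'
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);")
# 'type_transition src tgt:class new'
TT_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+);")


def parse_allow(text):
    """Return [(src, tgt, class, {perms})] for every allow line in text."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return rules


def parse_type_transition(text):
    """Return [(src, tgt, class, new_type)] for every type_transition line."""
    return [m.groups() for m in
            (TT_RE.match(l.strip()) for l in text.splitlines()) if m]


def _matches(rule_type, concrete):
    """A rule naming an attribute matches every type in that attribute."""
    return rule_type == concrete or concrete in ATTRIBUTES.get(rule_type, set())


def default_domain(tt_rules, source, exec_type):
    """Domain chosen by type_transition when `source` execs `exec_type`."""
    for src, tgt, cls, new in tt_rules:
        if cls == "process" and _matches(src, source) and _matches(tgt, exec_type):
            return new
    return None


def transition_allowed(allow_rules, source, new_domain):
    """True if some allow rule grants source -> new_domain process:transition."""
    return any(cls == "process" and "transition" in perms
               and _matches(src, source) and _matches(tgt, new_domain)
               for src, tgt, cls, perms in allow_rules)


def check_transition(allow_text, tt_text, source, exec_type):
    """Return (status, domain): 'no_transition' (stays in source),
    'denied' (type_transition exists but no allow rule), or 'transition'."""
    new = default_domain(parse_type_transition(tt_text), source, exec_type)
    if new is None:
        return "no_transition", source
    if not transition_allowed(parse_allow(allow_text), source, new):
        return "denied", new
    return "transition", new


if __name__ == "__main__":
    for label, tt in (("as shipped", SESEARCH_TT), ("hypothetical fix", HYPOTHETICAL_FIX_TT)):
        status, dom = check_transition(SESEARCH_ALLOW, tt, "unconfined_t", "mozilla_exec_t")
        print(f"{label}: unconfined_t exec mozilla_exec_t -> {status} ({dom})")
```

Run against the listings as quoted, the check reports `no_transition` for both `unconfined_t` and `xguest_t` executing `mozilla_exec_t`: the allow rules exist, but nothing names those source domains in a `type_transition`, so the browser keeps the caller's domain, which is exactly what the `ps -axZ` output in the question shows. With the hypothetical extra rule the same call reports `transition` to `mozilla_t`, and with the allow listing removed it reports `denied`, the case where exec would fail rather than silently stay unconfined.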