What's the right way to `runcon -t mozilla_t`?

soconfused · April 10, 2025, 5:02pm

What is the right way to launch firefox from an unconfined user using runcon?

I tried runcon -u staff_u -r staff_r -t mozilla_t /usr/lib64/firefox/firefox, but I get transition denial with default policy or even after writing my own selinux module to allow transition.

It seems that the policy is there by default and it should be a straightforward runcon something to launch firefox in its proper SELinux context. Please help.

soconfused · April 10, 2025, 7:02pm

Maybe it’s not mofilla_t. Confined users launch firefox as staff_t. I tried runcon -t staff_t. That also gets denied.

Topic		Replies	Views
Is it normal firefox runs under staff_t context? Ask Fedora selinux , selinux-confined-users	9	88	April 11, 2025
Deault selinux policy doesn't work with firejail? Ask Fedora selinux , selinux-confined-users	1	51	April 9, 2025
Major SELinux failure. Firefox starts as unconfined_t with SELinux ON Ask Fedora firefox , selinux	2	151	April 8, 2025
There is no default policy? Ask Fedora f34 , firefox , selinux	1	540	June 8, 2021
Problems when using SELinux confined user accounts with staff_u on Fedora Ask Fedora selinux , selinux-confined-users	9	571	August 4, 2024

What's the right way to `runcon -t mozilla_t`?

Related topics