What's the right way to `runcon -t mozilla_t`?

What is the right way to launch firefox from an unconfined user using runcon?

I tried runcon -u staff_u -r staff_r -t mozilla_t /usr/lib64/firefox/firefox, but I get transition denial with default policy or even after writing my own selinux module to allow transition.

It seems that the policy is there by default and it should be a straightforward runcon something to launch firefox in its proper SELinux context. Please help.

Maybe it’s not mofilla_t. Confined users launch firefox as staff_t. I tried runcon -t staff_t. That also gets denied.