
Firefox AVC when enabling non-permissive mode (Arch) #843

Open
spease opened this issue Dec 16, 2024 · 6 comments


@spease

spease commented Dec 16, 2024

Getting the following error with firefox that kills it, in both safe mode and non-safe mode.

time->Mon Dec 16 09:15:43 2024
type=PROCTITLE msg=audit(1734369343.641:2608): proctitle="/usr/lib/firefox/firefox"
type=SYSCALL msg=audit(1734369343.641:2608): arch=c000003e syscall=56 success=yes exit=101852 a0=10000011 a1=0 a2=0 a3=0 items=0 ppid=2055 pid=101850 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=2 comm="firefox" exe="/usr/lib/firefox/firefox" subj=system_u:system_r:kernel_t key=(null)
type=AVC msg=audit(1734369343.641:2608): avc:  denied  { create } for  pid=101850 comm="firefox" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=user_namespace permissive=1
----
time->Mon Dec 16 09:15:43 2024
type=PROCTITLE msg=audit(1734369343.711:2609): proctitle="/usr/lib/firefox/firefox"
type=SYSCALL msg=audit(1734369343.711:2609): arch=c000003e syscall=9 success=yes exit=30504631468032 a0=1bbe69b90000 a1=10000 a2=5 a3=32 items=0 ppid=2055 pid=101850 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=2 comm="firefox" exe="/usr/lib/firefox/firefox" subj=system_u:system_r:kernel_t key=(null)
type=AVC msg=audit(1734369343.711:2609): avc:  denied  { execmem } for  pid=101850 comm="firefox" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=process permissive=1

Binary seems to be correctly labeled:

.rwxr-xr-x 862k root system_u:object_r:mozilla_exec_t 11 Dec 03:21 /usr/lib/firefox/firefox

This is very early in my SELinux journey, so it's also possible something on my system is misconfigured. Happy to read more about SELinux if I haven't provided enough information.

@freedom1b2830
Contributor

look at

scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:kernel_t

Does this mean that the process is launched from the kernel label?
Does this mean that the label of the firefox process should be the kernel label?

First, change the labels of the files.

restorecon -RF -T0 /

reboot

restorecon -RF -T0 /

reboot

Then try again and write what happens next.

@freedom1b2830
Contributor

The transition between domains should have been like this:

system_u:system_r:kernel_t -> system_u:system_r:systemd_t -> system_u:system_r:local_login_t -> user_u:user_r:user_t -(by exec mozilla_exec_t)> user_u:user_r:firefox_t

And your situation is like this:

system_u:system_r:kernel_t -(by exec mozilla_exec_t)> system_u:system_r:kernel_t

This is due to incorrect labels on files (if you did not change the policy).
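As an added example (not code from the thread or the refpolicy project): a small Python script that parses the ausearch output from the report above, groups SYSCALL and AVC lines by audit serial, and flags the symptom this comment describes, namely a process still running in kernel_t after exec of a binary whose exec type should have produced a domain transition. The expected-domain table is an assumption taken from the transition chain above (exec of mozilla_exec_t ending in firefox_t).

```python
import re

# Constructed sample: the SYSCALL and AVC lines from the report above, copied as-is.
SAMPLE_AUDIT = """type=SYSCALL msg=audit(1734369343.641:2608): arch=c000003e syscall=56 success=yes exit=101852 a0=10000011 a1=0 a2=0 a3=0 items=0 ppid=2055 pid=101850 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=2 comm="firefox" exe="/usr/lib/firefox/firefox" subj=system_u:system_r:kernel_t key=(null)
type=AVC msg=audit(1734369343.641:2608): avc:  denied  { create } for  pid=101850 comm="firefox" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=user_namespace permissive=1
type=SYSCALL msg=audit(1734369343.711:2609): arch=c000003e syscall=9 success=yes exit=30504631468032 a0=1bbe69b90000 a1=10000 a2=5 a3=32 items=0 ppid=2055 pid=101850 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=2 comm="firefox" exe="/usr/lib/firefox/firefox" subj=system_u:system_r:kernel_t key=(null)
type=AVC msg=audit(1734369343.711:2609): avc:  denied  { execmem } for  pid=101850 comm="firefox" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=process permissive=1
"""

# Assumption taken from the transition chain above: exec of this binary should end in firefox_t.
EXPECTED_DOMAIN = {"/usr/lib/firefox/firefox": "firefox_t"}

HDR_RE = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+)\} for\s+(.*)")
KV_RE = re.compile(r'(\w+)="?([^"\s]*)"?')  # key=value or key="value"; values without embedded spaces

def parse_records(text):
    """Group SYSCALL and AVC lines by audit serial: {serial: {"syscall": {...}, "avc": [...]}}."""
    records = {}
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if not m:
            continue  # 'time->' headers and '----' separators carry no fields
        rtype, serial, body = m.groups()
        rec = records.setdefault(serial, {"syscall": None, "avc": []})
        if rtype == "SYSCALL":
            rec["syscall"] = dict(KV_RE.findall(body))
        elif rtype == "AVC" and (am := AVC_RE.search(body)):
            avc = dict(KV_RE.findall(am.group(2)))
            avc["perms"] = am.group(1).split()  # e.g. ["create"] or ["execmem"]
            rec["avc"].append(avc)
    return records

def domain_of(ctx):
    """user:role:type[:level] -> type (the SELinux domain of a process context)."""
    return ctx.split(":")[2]

def find_missing_transitions(records, expected=EXPECTED_DOMAIN):
    """Flag AVCs whose source domain is not the one exec of that binary should have produced."""
    findings = []
    for serial, rec in sorted(records.items()):
        sc = rec["syscall"]
        want = expected.get(sc["exe"]) if sc else None  # only binaries we know the target domain for
        for avc in rec["avc"]:
            got = domain_of(avc["scontext"])
            if want and got != want:
                findings.append((serial, sc["exe"], got, want, " ".join(avc["perms"]), avc["tclass"]))
    return findings
```

On the sample above both records are flagged with got=kernel_t, want=firefox_t, which is exactly the "kernel_t -(by exec mozilla_exec_t)> kernel_t" situation; a healthy system yields an empty list for the same binary.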

@spease
Author

spease commented Dec 29, 2024

Thanks for your detailed reply. I did attempt to restore the context of the files, but after a couple of runs I encountered not just the same issue with firefox, but alacritty got nuked as well.

I think the issue right now is that the default-looking package for Arch Linux hasn't actually been updated since 2023, and the one that is being updated as recently as 2024-12-15 isn't working (at least on my system). I've opened comments on the relevant wiki page (https://wiki.archlinux.org/title/SELinux) and the packages themselves (https://aur.archlinux.org/packages/selinux-refpolicy-arch) (https://aur.archlinux.org/packages/selinux-refpolicy-git).

Are there any additional resources to self-help that you'd recommend?

@fishilico
Member

I think the issue right now is that the default-looking package for Arch Linux hasn't actually been updated since 2023, and the one that is being updated as recently as 2024-12-15 isn't working (at least on my system).

For information, the "default-looking package for Arch Linux" had some custom patches related to systemd, which were all upstreamed through the years. Nowadays, it mainly bundles official refpolicy releases with Arch Linux-specific build config (archlinuxhardened/selinux-policy-arch@015826e) and GitHub Actions test matrix (archlinuxhardened/selinux-policy-arch@764fad1).

Arch Linux package selinux-refpolicy-git should work out of the box (after enabling this policy in /etc/selinux/config, as indicated by a message displayed at install time: https://github.com/archlinuxhardened/selinux/blob/88a374443facbbaca850f37b4e9aa79693e2fe06/selinux-refpolicy-git/selinux-refpolicy-git.install#L3-L13), and I actually verified it built fine two weeks ago, before going on holidays. The built package is currently available on https://github.com/archlinuxhardened/selinux/releases/tag/ArchLinux-SELinux (selinux-refpolicy-git-RELEASE_2_20240916.r88.g63f0c51fc-1-any.pkg.tar.zst) and was built from commit 63f0c51.

FWIW, I will be back from holidays on Monday, January 6th, and plan to spend some time updating the SELinux-relevant packages in the Arch User Repository.

@freedom1b2830
Contributor

I'll try to reproduce the full installation in a virtual machine with xfce4 DE.

@freedom1b2830
Contributor

1. package selinux-refpolicy-git cannot be used due to an error (see https://aur.archlinux.org/packages/selinux-refpolicy-git#comment-1004198)
2. when starting firefox, I get a critical error associated with the execution of firefox utility programs that have the lib_t label

pacman -Ql firefox|grep -E "gl|cras"
both:
? mozilla_t lib_t:file execute_no_trans;

firefox /usr/lib/firefox/crashreporter
firefox /usr/lib/firefox/glxtest
