On Fedora Workstation how can i make my browser to be covered by Selinux and to be confined? Currently all browsers by default are set to unconfined_t. Is there any easy way to do it?
Should i do it? Is it a good idea?
This is the case as most software is not confined. There is the ConfinedUsers SIG however.
Probably more what you’re looking for Secureblue as Trivalent is confined there.
It’s not easy at all to write a good Selinux policy and needs time and practice, especially for complicated apps like browsers.
Also Fedora’s Selinux policy is not optimized for confinement of GUI applications. As an example Wayland, X11, Pulseaudio and Pipewire sockets all have the same label, so you either would need to give access to all of them or none. Changing this would require a lot of rewrites. Upstream refpolicy has a patch waiting to be merged for a Wayland policy, but it might take a long time until it lands in Fedora’s policy.
Using Apparmor would be much easier, but it can’t be used with Selinux on the same OS.
That’s mainly about making Selinux users (e.g. user_u or staff_u) usable on Fedora, not so much about confining GUI applications.