[PR #3231] [MERGED] Add support for SELinux labeling #4689

New issue

Closed

opened 2026-05-05 10:24:46 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented 2026-05-05 10:24:46 -06:00

Owner

Copy link

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/3231
Author: @topimiettinen
Created: 2/18/2020
Status: ✅ Merged
Merged: 2/22/2020
Merged by: @topimiettinen

Base: master ← Head: selinux-labeling-support

---

📝 Commits (1)

• f44d3a7 Add support for SELinux labeling

📊 Changes

20 files changed (+224 additions, -17 deletions)

View changed files

📝 README (+1 -1)
📝 README.md (+1 -1)
📝 configure (+18 -0)
📝 configure.ac (+10 -0)
📝 src/common.mk.in (+2 -1)
📝 src/fcopy/main.c (+57 -0)
📝 src/firejail/firejail.h (+3 -0)
📝 src/firejail/fs_bin.c (+1 -0)
📝 src/firejail/fs_dev.c (+4 -0)
📝 src/firejail/fs_etc.c (+2 -0)
📝 src/firejail/fs_home.c (+14 -0)
📝 src/firejail/fs_hostname.c (+1 -0)
📝 src/firejail/fs_lib.c (+1 -0)
📝 src/firejail/fs_lib2.c (+1 -0)
📝 src/firejail/fs_var.c (+2 -0)
📝 src/firejail/fs_whitelist.c (+13 -0)
📝 src/firejail/pulseaudio.c (+1 -0)
📝 src/firejail/restrict_users.c (+4 -0)
📝 src/firejail/sandbox.c (+15 -14)
➕ src/firejail/selinux.c (+73 -0)

📄 Description

Running firejail --noprofile --private-bin=bash,ls ls -1Za /usr/bin
shows that the SELinux labels are not correct:

user_u:object_r:user_tmpfs_t:s0 .
     system_u:object_r:usr_t:s0 ..
user_u:object_r:user_tmpfs_t:s0 bash
user_u:object_r:user_tmpfs_t:s0 ls

After fixing this:

       system_u:object_r:bin_t:s0 .
       system_u:object_r:usr_t:s0 ..
system_u:object_r:shell_exec_t:s0 bash
       system_u:object_r:bin_t:s0 ls

Most copied files and created directories should now have correct
labels (bind mounted objects keep their labels). This is useful to
avoid having to change the SELinux rules when using Firejail.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/3231 **Author:** [@topimiettinen](https://github.com/topimiettinen) **Created:** 2/18/2020 **Status:** ✅ Merged **Merged:** 2/22/2020 **Merged by:** [@topimiettinen](https://github.com/topimiettinen) **Base:** `master` ← **Head:** `selinux-labeling-support` --- ### 📝 Commits (1) - [`f44d3a7`](https://github.com/netblue30/firejail/commit/f44d3a7ff27da56ff15d8132a14dd298963530d1) Add support for SELinux labeling ### 📊 Changes **20 files changed** (+224 additions, -17 deletions) <details> <summary>View changed files</summary> 📝 `README` (+1 -1) 📝 `README.md` (+1 -1) 📝 `configure` (+18 -0) 📝 `configure.ac` (+10 -0) 📝 `src/common.mk.in` (+2 -1) 📝 `src/fcopy/main.c` (+57 -0) 📝 `src/firejail/firejail.h` (+3 -0) 📝 `src/firejail/fs_bin.c` (+1 -0) 📝 `src/firejail/fs_dev.c` (+4 -0) 📝 `src/firejail/fs_etc.c` (+2 -0) 📝 `src/firejail/fs_home.c` (+14 -0) 📝 `src/firejail/fs_hostname.c` (+1 -0) 📝 `src/firejail/fs_lib.c` (+1 -0) 📝 `src/firejail/fs_lib2.c` (+1 -0) 📝 `src/firejail/fs_var.c` (+2 -0) 📝 `src/firejail/fs_whitelist.c` (+13 -0) 📝 `src/firejail/pulseaudio.c` (+1 -0) 📝 `src/firejail/restrict_users.c` (+4 -0) 📝 `src/firejail/sandbox.c` (+15 -14) ➕ `src/firejail/selinux.c` (+73 -0) </details> ### 📄 Description Running `firejail --noprofile --private-bin=bash,ls ls -1Za /usr/bin` shows that the SELinux labels are not correct: ``` user_u:object_r:user_tmpfs_t:s0 . system_u:object_r:usr_t:s0 .. user_u:object_r:user_tmpfs_t:s0 bash user_u:object_r:user_tmpfs_t:s0 ls ``` After fixing this: ``` system_u:object_r:bin_t:s0 . system_u:object_r:usr_t:s0 .. system_u:object_r:shell_exec_t:s0 bash system_u:object_r:bin_t:s0 ls ``` Most copied files and created directories should now have correct labels (bind mounted objects keep their labels). This is useful to avoid having to change the SELinux rules when using Firejail. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

gitea-mirror 2026-05-05 10:24:46 -06:00

• closed this issue
• added the
  pull-request
  label

gitea-mirror referenced this issue 2026-05-05 10:34:32 -06:00

[PR #4690] [MERGED] Fix inconsistent descriptions of machine-id option #5226

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#4689

No description provided.