firefox problems with: browser_confine_unconfined --> on

Christoph A. casmls at gmail.com
Mon May 12 19:27:54 UTC 2008


Hi,

I'm looking forward to confining users (firefox, thunderbird). I played
with xguest_u and I liked the behavior of firefox (home not writeable
except ~/Downloads, ~/.mozilla), but I need other programs
(thunderbird, ssh) to connect to the internet too, so I wanted to try
the usual unconfined_u with browser_confine_unconfined set.

I didn't find much about this boolean, but I wanted to see if, with this
boolean set, firefox of an unconfined user will behave like firefox of
xguest_u.

After setting the boolean, firefox runs in its own domain
(unconfined_mozilla_t); that looks fine.

When I tried to save a picture to see if I can write to ~/ (not
~/Download), firefox hangs (immediately after clicking on "Save Image
As...") and I had to use kill to terminate it.

Observing the audit.log file with tail -f shows:

type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.93 spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

If I set browser_confine_unconfined to 0 this problem doesn't occur.

Should firefox (unconfined_mozilla_t) behave like firefox of xguest_u,
or is this boolean for something different?

thanks,
Christoph A.
PS: I'm using FC9.
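As an added example (not part of Christoph's post and not code from the SELinux reference policy or the audit tools), here is a small triage script that parses audit records of the kind quoted above, pulls out the source type, target type, object class and permission from each, and prints the allow rule that audit2allow would generate for it. The USER_AVC record in SAMPLE_LOG is the one from the post, joined back onto one line; the second record is a constructed kernel AVC line of the same shape, included only so the parser is exercised on both forms, and does not describe anything the poster observed. The script assumes nothing beyond the Python standard library.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log. The USER_AVC record is the one quoted in the post,
# joined back onto a single line; the AVC record is a made-up kernel-side
# denial of the same shape, present only to exercise the parser on both forms.
SAMPLE_LOG = (
    "type=USER_AVC msg=audit(1210554417.821:80): user pid=1648 uid=81 "
    "auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.93 "
    "spid=1783 tpid=3412 scontext=system_u:system_r:hald_t:s0 "
    "tcontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 tclass=dbus : "
    "exe=\"/bin/dbus-daemon\" (sauid=81, hostname=?, addr=?, terminal=?)'\n"
    "type=AVC msg=audit(1210554500.123:81): avc:  denied  { write } for  "
    "pid=3412 comm=\"firefox\" name=\"home\" dev=sda3 ino=12345 "
    "scontext=unconfined_u:unconfined_r:unconfined_mozilla_t:s0 "
    "tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir\n"
)

# Record header: type and the audit(timestamp:serial) stamp
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
# The avc: part is identical in shape for kernel AVC and userspace USER_AVC records
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Avc:
    record_type: str        # "AVC" (kernel) or "USER_AVC" (userspace object manager)
    serial: int
    result: str             # "denied" or "granted"
    perms: Tuple[str, ...]
    fields: Dict[str, str]  # key=value pairs following "for"

    @staticmethod
    def _type_of(context: str) -> str:
        # user:role:type[:range]; the type component is what TE rules name
        return context.split(":")[2]

    @property
    def source_type(self) -> str:
        return self._type_of(self.fields["scontext"])

    @property
    def target_type(self) -> str:
        return self._type_of(self.fields["tcontext"])

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]

    def is_userspace_dbus_denial(self) -> bool:
        # dbus-daemon enforces policy itself and reports through USER_AVC
        return self.record_type == "USER_AVC" and self.tclass == "dbus" and self.result == "denied"

    def te_rule(self) -> str:
        # The rule audit2allow would emit for this one record
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {{ {' '.join(self.perms)} }};"


def parse_avc_line(line: str) -> Optional[Avc]:
    """Return an Avc for an AVC/USER_AVC record, or None for anything else."""
    head = RECORD_RE.match(line)
    body = AVC_RE.search(line)
    if not head or not body:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    return Avc(
        record_type=head.group("type"),
        serial=int(head.group("serial")),
        result=body.group("result"),
        perms=tuple(body.group("perms").split()),
        fields=fields,
    )


def parse_log(text: str) -> List[Avc]:
    avcs = [parse_avc_line(line) for line in text.splitlines()]
    return [a for a in avcs if a is not None]


if __name__ == "__main__":
    for avc in parse_log(SAMPLE_LOG):
        origin = "dbus-daemon (userspace)" if avc.is_userspace_dbus_denial() else "kernel"
        print(f"#{avc.serial} {avc.record_type:8} via {origin}: {avc.te_rule()}")
```

Feed it real records from `ausearch -m AVC,USER_AVC -ts recent` rather than tail -f on audit.log, and compare with `audit2allow -w` (the "why") before deciding whether a rule belongs in a local module. Note what the posted record actually says: the object manager is dbus-daemon (running as system_dbusd_t), which is why the denial is a USER_AVC rather than a kernel AVC, and the blocked message is a method_return from hald_t to unconfined_mozilla_t, so firefox's call went out but the reply never came back, which fits a hang rather than an error dialog.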
