Firefox and SELinux
Update: it seems that updating the confined version of Firefox doesn't work. To work around this, temporarily disable SELinux before updating. Once the update process has finished, you'll need to reset the file contexts on the files by running the command "restorecon -F -R -v ~/firefox-strict". Without doing this, Firefox will run unconfined after the update!
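One way to check for the failure described in the update note above, as an added example that is not part of the original guide or its policy package: it reads "ps -eZ" output and reports Firefox processes whose SELinux type is unconfined_t. It assumes the targeted policy, where unconfined user processes run as unconfined_t; the type name firefox_strict_t in the sample is a hypothetical placeholder, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: detect Firefox processes that run unconfined after an update.
# Input is the output of `ps -eZ`, whose columns are: LABEL PID TTY TIME CMD.
# LABEL has the form user:role:type:level, so the type is the third field.
# Only processes whose command name starts with "firefox" are matched.

# Print "PID TYPE" for every firefox process found on stdin.
firefox_domains() {
    awk '$NF ~ /^firefox/ { split($1, ctx, ":"); print $2, ctx[3] }'
}

# Print the PIDs of firefox processes whose type is unconfined_t
# (assumption: targeted policy, where unconfined users run as unconfined_t).
unconfined_firefox_pids() {
    firefox_domains | awk '$2 == "unconfined_t" { print $1 }'
}

# Return 1 and name the offending PIDs if any firefox process is unconfined.
check_firefox_confinement() {
    bad=$(unconfined_firefox_pids)
    if [ -n "$bad" ]; then
        echo "firefox is running unconfined, PIDs:" $bad >&2
        return 1
    fi
    return 0
}

# Constructed sample of `ps -eZ` output (not captured from a real system).
# firefox_strict_t is a hypothetical name for the confined domain.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:03 systemd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2101 pts/0 00:00:00 bash
unconfined_u:unconfined_r:firefox_strict_t:s0-s0:c0.c1023 2450 ? 00:01:12 firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3977 ? 00:00:41 firefox'

# Show the domain of each firefox process in the sample.
printf '%s\n' "$SAMPLE_PS" | firefox_domains

# On a live SELinux system:  ps -eZ | check_firefox_confinement
```

If the check reports a PID after an update, close Firefox, run the restorecon command from the note and start the browser again before using it.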
This guide has been written to help people set up a safe Firefox installation that is only allowed to browse through Tor. This means the process is not permitted to send any other network traffic (e.g. DNS requests, direct HTTP or FTP requests), which prevents data leakage through abuse of the process (e.g. memory leaks, buffer overflows, bugs in the code etc.). This greatly increases the protection of your anonymity, as it blocks all attempts to send your real IP address and other sensitive data to third parties (as in the recent FH attack, where IP and MAC addresses and hostnames were sent to a clearnet server).
Note that if you have dedicated your system to the risky or illegal activities you do (e.g. you use a VM inside your normal system or have a dual-boot setup), a better way to defend yourself is to simply block all outbound connections using a firewall and then configure your system to use the SOCKS proxy of Tor to connect to HTTP hosts on the internet. Otherwise, if you share your system between different activities and use a RHEL-based Linux distribution, you may follow this guide to make your browsing sessions more secure.
First of all, SELinux is pretty hard to understand, so I won't go into technical details too much. Basically, think of SELinux as an additional security layer on top of the usual POSIX rights set on files, directories and other filesystem objects. POSIX rights grant read/write/execute/browse privileges to the owner user, the owner group and "everybody else", which means anyone who has a user account on the system. SELinux extends this security scheme by creating application domains which are strictly separated from each other: applications from different domains cannot access each other's resources. All processes run in their confined security contexts (domains), which ensures they only have access to the resources they really need.
To strengthen the security of the browser, I created a policy package for Firefox which permits only connections to the SOCKS proxy of Tor. The steps below describe how to install and use the package: