Build a firejail rpm and install it.
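#!/bin/bash
# Copyright © 2020,2021 rusty-snake
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# Build a firejail RPM from the current source checkout and install it.
#
# Run from the root of a firejail git checkout (the script calls ./configure -V
# and git rev-parse there). A throw-away rpmbuild tree is created with mktemp
# (honouring $TMPDIR, falling back to /tmp) and removed on exit. The resulting
# <name>-<version>-<release>.<arch>.rpm is moved into the current directory,
# installed with `sudo dnf install`, and then deleted.
#
# External tools used: rpm, rpmbuild, git, tar, grep, mpv, sudo, dnf.
set -eo pipefail

NAME=firejail
# Version string as printed by the source tree's configure script.
VERSION=$(./configure -V | head -n1 | cut -d" " -f3)
COMMIT=$(git rev-parse --short HEAD)

# Derive the RPM Release number from what is currently installed:
#   - nothing installed               -> Release 1
#   - same VERSION already installed  -> numeric prefix of its Release + 1
#   - a different VERSION installed   -> Release 1 (new version restarts)
# The `if cmd` form keeps a failing `rpm -q` (package not installed) from
# tripping `set -e`, so the previous set +e / set -e dance is not needed.
if installed_release=$(rpm -q --qf="%{RELEASE}" "$NAME"); then
  # Only the leading digits are bumped; the ".git<commit><dist>" suffix is
  # regenerated below. Fall back to 0 if the installed release has no
  # numeric prefix at all, so the arithmetic below still yields a number.
  installed_num=$(grep -oE "^[[:digit:]]+" <<<"$installed_release") || installed_num=0
  RELEASE=$((installed_num + 1))
else
  RELEASE=1
fi
# Fix: the original tested for a *failed* query here, which can only be true
# when the package is not installed (where RELEASE is already 1), so a change
# of upstream VERSION never reset the release. The reset must apply when the
# query succeeds and the installed version differs from the one being built.
if installed_version=$(rpm -q --qf="%{VERSION}" "$NAME") \
  && [ "$installed_version" != "$VERSION" ]; then
  RELEASE=1
fi

# NOTE: mktemp uses $TMPDIR and /tmp as fallback.
TOPDIR=$(mktemp -dt "$NAME-build.XXXXXX")
# Register cleanup right after creation so the tree is removed even if one of
# the `rpm --eval` / mkdir steps below fails. TOPDIR is never reassigned, so
# deferring the expansion to exit time is safe and avoids quoting surprises.
trap 'rm -rf -- "$TOPDIR"' EXIT

#######################################
# Expand an rpm macro against the throw-away _topdir.
# Globals:   TOPDIR (read)
# Arguments: $1 - macro to expand, e.g. %_builddir
# Outputs:   the expanded value on stdout
#######################################
rpm_eval() {
  rpm --define "_topdir $TOPDIR" --eval "$1"
}

BUILDDIR=$(rpm_eval %_builddir)
RPMDIR=$(rpm_eval %_rpmdir)
SOURCEDIR=$(rpm_eval %_sourcedir)
SPECDIR=$(rpm_eval %_specdir)
SRPMDIR=$(rpm_eval %_srcrpmdir)
mkdir -p "$BUILDDIR" "$RPMDIR" "$SOURCEDIR" "$SPECDIR" "$SRPMDIR"

# Generate the spec file. $NAME/$VERSION/$RELEASE/$COMMIT are expanded now;
# `\$RPM_BUILD_ROOT` and `\$1` are escaped so rpmbuild sees them literally.
cat <<EOF > "$SPECDIR/$NAME.spec"
Name: $NAME
Version: $VERSION
Release: $RELEASE.git$COMMIT%{?dist}
Summary: Linux namespaces sandbox program
License: GPLv2+
URL: https://github.com/netblue30/firejail
Source0: %{name}.tar.gz
Recommends: xdg-dbus-proxy
BuildRequires: libselinux-devel
BuildRequires: vim-filesystem
BuildRequires: gcc
%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
%prep
%autosetup -c
%build
%configure \
--enable-selinux \
--enable-force-nonewprivs \
--disable-chroot \
--disable-file-transfer \
--disable-firetunnel \
--disable-network \
--disable-output \
--disable-overlayfs \
--disable-private-home \
--disable-x11
%make_build
echo "Appending the following to firejail.config for hardening ..."
cat << _EOF_ | tee -a etc/firejail.config
#############
# Hardening #
#############
# Disable bind features
bind no
# Disable cgroup features
cgroup no
# Disable chroot features
chroot no
# Disable dbus features
#dbus no
# Force disable-mnt
#disable-mnt yes
# Disable file transfer support
file-transfer no
# Force nonewprivs
force-nonewprivs yes
# Disable join support
#join no
# Disable network features
network no
# Disable overlayfs features
overlayfs no
# Disable private-bin feature
#private-bin no
# Disable private-cache feature
#private-cache no
# Disable private-etc feature
#private-etc no
# Disable private-home feature
#private-home no
# Enable or disable private-lib feature
#private-lib no
# Disable private-opt feature
#private-opt no
# Disable private-srv feature
#private-srv no
# Resrict network features to root only
restricted-network yes
# Deny seccomp
#seccomp no
# Deny noroot
#userns no
# Disable whitelist top level directories
#whitelist-disable-topdir /foo
# Deny x11
x11 no
_EOF_
%install
make install-strip DESTDIR=\$RPM_BUILD_ROOT
%post
firecfg.py || echo "WARNING: firecfg.py failed!"
%preun
if [[ "\$1" == "0" ]]; then
#firecfg.py --clean
rm -r /etc/firecfg.py/overrides
fi
exit 0
%files
%config(noreplace) %{_sysconfdir}/firejail/firejail.config
%config(noreplace) %{_sysconfdir}/firejail/ids.config
%config(noreplace) %{_sysconfdir}/firejail/login.users
%config %{_sysconfdir}/firejail/*.inc
%config %{_sysconfdir}/firejail/*.net
%config %{_sysconfdir}/firejail/*.profile
%{_bindir}/firecfg
%{_bindir}/firejail
%{_bindir}/firemon
%{_bindir}/jailcheck
%{_libdir}/firejail
%{_datadir}/bash-completion/completions/firejail
%{_datadir}/bash-completion/completions/firecfg
%{_datadir}/bash-completion/completions/firemon
%{_datadir}/zsh/site-functions/_firejail
%{_docdir}/firejail/COPYING
%{_docdir}/firejail/README
%{_docdir}/firejail/RELNOTES
%{_docdir}/firejail/profile.template
%{_docdir}/firejail/redirect_alias-profile.template
%{_docdir}/firejail/syscalls.txt
%{_mandir}/man1/firecfg.1.gz
%{_mandir}/man1/firejail.1.gz
%{_mandir}/man1/firemon.1.gz
%{_mandir}/man1/jailcheck.1.gz
%{_mandir}/man5/firejail-login.5.gz
%{_mandir}/man5/firejail-profile.5.gz
%{_mandir}/man5/firejail-users.5.gz
%{vimfiles_root}/ftdetect/firejail.vim
%{vimfiles_root}/syntax/firejail.vim
%license COPYING
EOF

# Source tarball of the working tree (minus .git and git-ignored files).
tar --exclude-vcs-ignore --exclude="./.git" --create --gzip --file "$SOURCEDIR/$NAME.tar.gz" .
rpmbuild --nodebuginfo --quiet --define "_topdir $TOPDIR" -bb "$SPECDIR/$NAME.spec"
#rpmbuild --nodebuginfo --define "_topdir $TOPDIR" -bb "$SPECDIR"/$NAME.spec

# Reassemble the package file name rpmbuild produced; ARCH is queried once.
# shellcheck disable=SC1083
ARCH=$(rpm -E %_arch)
# shellcheck disable=SC1083
RPM="$NAME-$VERSION-$RELEASE.git$COMMIT$(rpm -E %{?dist}).$ARCH.rpm"
mv "$RPMDIR/$ARCH/$RPM" .

# Completion chime is best-effort: a missing mpv or sound file must not abort
# the run and leave the built package uninstalled.
mpv --msg-level=all=fatal /usr/share/sounds/freedesktop/stereo/complete.oga || true

# The package is built locally and never signed; dnf does not GPG-check local
# .rpm files unless localpkg_gpgcheck is enabled, so this step trusts the
# build above rather than any repository key. If dnf fails or is declined,
# `set -e` stops here and the .rpm stays in the current directory.
sudo dnf install "$RPM"
rm "$RPM"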