I can’t give you a complete answer, but understand that SElinux isn’t specific to Jetsons. In fact, most of the earlier L4T releases do not enable SElinux, so the topic does not often come up. Probably Waveshare flash software is what enabled it. Anything you search for on the web regarding SElinux in Ubuntu is likely valid on a Jetson (although enabling something via GRUB might be wrong).
Some of this won’t even care which Linux distribution it is, e.g., sometimes RedHat information applies even in Ubuntu. Mostly it is in packages that this varies.
You might find this useful in general:
https://www.linode.com/docs/guides/how-to-install-selinux-on-ubuntu-22-04/
If the filesystem does not have the labels, then SElinux won’t work. Once it has the labels, then access can be set to a mode which merely complains, but does not enforce (useful for debugging, this is “permissive”, versus “enforcing”). Waveshare probably enabled this unless you’ve customized. The concept is that there are certain accounts which are expected to do certain things, and others which are not normally expected to operate on those files. Thus, let’s say you have user “httpd” or “apache” as your web administrator. Certainly “root” normally has file access, but it would seem unusual. If there were some stack overflow attack which gains root authority within the web server, and tries to change permissions of a web server file, then SElinux would deny this because root is not expected to change those files. This is a label system for the filesystem, combined with policies of who is considered legitimately accessing.
There are lots of default rules, but if some circumstance was not encountered and expected, then you might have to tweak that (but this can get complicated; usually a set of copy and paste rules is the easiest way to deal with this).
Take a look at the docs. Maybe install the setools-gui to get a good view, and sometimes it might tell you the command to add a rule to permit this. You might set to permissive while working on it. I suspect that normally firefox is run by a regular user, and it is the snap installation which SElinux is suspicious of; I expect rules to allow firefox from a regular user, but snap is not a regular user.
Important: Any time you know of a command to add a rule for your case, make sure you document it in a bash script so you can repeat it (maybe a package update will cause the issue again).
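As an added example (not from the post above, and not Waveshare's or NVIDIA's code), here is the kind of bash helper worth keeping alongside the rule-adding script the reply recommends: it reads AVC denial lines (from the audit log or dmesg) and summarises which source domain was denied which permission on which target type, so you can judge in permissive mode whether a rule is actually warranted. The two log lines are constructed samples; the context types in them are illustrative, not captured from a Jetson.

```shell
#!/usr/bin/env bash
# Added example: summarise SELinux AVC denials so the subject, object, class
# and permission of each denial can be read at a glance.
set -euo pipefail

# parse_avc: read AVC denial lines on stdin and print one line per denial:
#   <permission(s)> <class> <source type> -> <target type> <comm>
parse_avc() {
  awk '
    /avc: +denied/ {
      perm=""; comm=""; scontext=""; tcontext=""; tclass=""
      # the permission names sit inside the braces after "denied"
      if (match($0, /denied +[{][^}]*[}]/)) {
        perm=substr($0, RSTART, RLENGTH)
        sub(/^denied +[{] */, "", perm); sub(/ *[}]$/, "", perm)
      }
      # remaining fields are key=value pairs
      for (i=1; i<=NF; i++) {
        split($i, kv, "=")
        if (kv[1]=="comm")     { comm=kv[2]; gsub(/"/, "", comm) }
        if (kv[1]=="scontext") scontext=kv[2]
        if (kv[1]=="tcontext") tcontext=kv[2]
        if (kv[1]=="tclass")   tclass=kv[2]
      }
      # a context is user:role:type:level; keep only the type
      split(scontext, s, ":"); split(tcontext, t, ":")
      printf "%s %s %s -> %s %s\n", perm, tclass, s[3], t[3], comm
    }'
}

# Constructed sample lines in the shape of kernel AVC messages (permissive=1
# means the access was logged but allowed, as in the permissive mode the
# reply suggests using while working out rules).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:45): avc:  denied  { read } for  pid=1234 comm="firefox" name="cert9.db" dev="nvme0n1p1" ino=5678 scontext=unconfined_u:unconfined_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.456:46): avc:  denied  { setattr } for  pid=2345 comm="httpd" name="index.html" dev="nvme0n1p1" ino=91011 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# summarize_sample: run the parser over the constructed sample.
summarize_sample() { printf '%s\n' "$SAMPLE_AVC" | parse_avc; }

summarize_sample
```

On a live system you would pipe real denials in instead, e.g. `ausearch -m avc -ts recent | parse_avc` or `dmesg | parse_avc`, and only then decide whether a rule or a relabel is the right fix.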