Bug 1994096

Summary: RFE: add patch to set grub boot_success flag on shutdown/reboot
Product: Red Hat Enterprise Linux 8 Reporter: Michael Boisvert <mboisver>
Component: selinux-policy Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact: Khushbu Borole <kborole>
Priority: high
Version: 8.5 CC: hdegoede, lvrabec, mjahoda, mmalik, modehnal, rstrode, ssekidde, tpelka
Target Milestone: rc Keywords: FutureFeature, Triaged
Target Release: 8.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-79.el8 Doc Type: Bug Fix
Doc Text:
.SELinux policy did not allow GDM to set the GRUB `boot_success` flag
Previously, SELinux policy did not allow the GNOME Display Manager (GDM) to set the GRUB `boot_success` flag during the power-off and reboot operations. Consequently, the GRUB menu appeared on the next boot. With this update, the SELinux policy introduces a new `xdm_exec_bootloader` boolean that allows GDM to set the GRUB `boot_success` flag, and which is enabled by default. As a result, the GRUB boot menu is shown on the first boot and the flicker-free boot support feature works correctly.
Story Points: ---
Clone Of: 1914925 Environment:
Last Closed: 2021-11-09 19:43:59 UTC Type: Feature Request
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1914925    
Bug Blocks:    
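A shell check that ties the boolean from the Doc Text to the symptom it explains (menu reappearing because `boot_success` is never written), added here as an example and not code from the bug report or from selinux-policy; it assumes RHEL 8 tooling (`getsebool`, `grub2-editenv`) and the `xdm_exec_bootloader` name given in the Doc Text.

```shell
#!/bin/sh
# Added example, not part of the bug report or the selinux-policy project.
# Correlates the SELinux boolean from the Doc Text with the GRUB environment
# block to explain why the GRUB menu keeps appearing after a clean reboot.
# Assumptions: RHEL 8 tooling (getsebool, grub2-editenv) and the boolean name
# xdm_exec_bootloader as given in the Doc Text.

# diagnose BOOL_STATE GRUBENV_TEXT
#   BOOL_STATE  : "on" or "off", as printed by getsebool
#   GRUBENV_TEXT: key=value lines as printed by grub2-editenv list
# Prints a one-line verdict; exit status 0 means the flag mechanism is healthy.
diagnose() {
    bool_state=$1
    grubenv=$2
    flag=$(printf '%s\n' "$grubenv" | sed -n 's/^boot_success=//p' | head -n 1)

    if [ "$bool_state" != "on" ]; then
        echo "xdm_exec_bootloader is '$bool_state': GDM is denied writes to grubenv," \
             "boot_success stays unset and the GRUB menu appears on the next boot"
        return 1
    fi
    case "$flag" in
        1) echo "boot_success=1 and boolean on: last session shut down cleanly"
           return 0 ;;
        0) echo "boot_success=0 although the boolean is on: the flag was cleared at boot" \
                "but never set at shutdown; check the audit log for AVC denials on grubenv"
           return 2 ;;
        *) echo "boot_success missing from grubenv: flicker-free boot is not configured"
           return 3 ;;
    esac
}

# live_check: gather both inputs from the running system (root needed for grubenv).
live_check() {
    state=$(getsebool xdm_exec_bootloader 2>/dev/null | awk '{print $3}')
    env=$(grub2-editenv list 2>/dev/null)
    diagnose "${state:-unknown}" "$env"
}

# Constructed sample inputs standing in for tool output on a test host.
SAMPLE_ENV_OK="saved_entry=abc
boot_success=1
menu_auto_hide=1"
SAMPLE_ENV_STALE="saved_entry=abc
boot_success=0
menu_auto_hide=1"

diagnose on "$SAMPLE_ENV_OK" || :
diagnose off "$SAMPLE_ENV_OK" || :
diagnose on "$SAMPLE_ENV_STALE" || :
```

On a real RHEL 8 host, call `live_check` as root instead of the constructed samples; a return code of 1 points at the boolean, 2 at a denial that survived the boolean being on.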

Comment 1 Ray Strode [halfline] 2021-08-16 18:05:32 UTC
looks like we need to pull in:

https://github.com/fedora-selinux/selinux-policy/commit/43a040b61451c4bc7f0cfc0132843621f0359b52

(see the fedora bug here: https://bugzilla.redhat.com/show_bug.cgi?id=1750112 )

Comment 4 Zdenek Pytela 2021-08-23 13:56:13 UTC
I suppose this commit can safely be backported:

commit 43a040b61451c4bc7f0cfc0132843621f0359b52
Author: Nikola Knazekova <nknazeko>
Date:   Tue Sep 10 18:47:52 2019 +0200

    Introduce xdm_manage_bootloader boolean

It moves some permissions to the boolean block, but the boolean is on by default.

+gen_tunable(xdm_manage_bootloader,true)
...
-fs_manage_dos_files(xdm_t)
...
+tunable_policy(`xdm_manage_bootloader',`
+    fs_manage_dos_files(xdm_t)
+    files_manage_boot_files(xdm_t)
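Review bot: the boolean name introduced by `+gen_tunable(xdm_manage_bootloader,true)` does not match the `xdm_exec_bootloader` name given in the Doc Text above; confirm which name ships in selinux-policy-3.14.3-79.el8 and align the release note with it so administrators can find the boolean with getsebool. Also, `-fs_manage_dos_files(xdm_t)` is moved from an unconditional rule into the tunable block, so disabling the boolean withdraws access xdm_t had before this change, not only the new `files_manage_boot_files(xdm_t)` grant; the boolean description should say so.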

Comment 13 errata-xmlrpc 2021-11-09 19:43:59 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420