Bug 469106
Summary: | SELinux denial with KDE's "leave" (kdemenu) | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Sandro Mathys <red> |
Component: | kdebase | Assignee: | Than Ngo <than> |
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Priority: | medium |
Version: | rawhide | CC: | dwalsh, jkubin, jreznik, kevin, lorenzo, ltinkl, mgrepl, rdieter, than, tuxbrewr |
Hardware: | All | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2008-10-30 18:18:53 UTC |
Description
Sandro Mathys
2008-10-29 21:42:27 UTC
I'm unable to reproduce this. Have you modified your system in any way? 3rd party software/drivers, or modified kdm's configuration?

I added the Livna/RPM Fusion Repos and installed some pkgs from there, yes. But nothing for kdm, kde or grub. No drivers. Nothing modified except for what I stated above (Additional Information).

Is there an easy way to see what packages I installed from those repos? If that information is important to this problem.

> Is there an easy way to see what packages I installed from those repos?
rpm -qa --qf "%{name} %{vendor}\n" | grep "RPM Fusion"
rpm -qa --qf "%{name} %{vendor}\n" | grep "rpm.livna.org"

> Is there an easy way to see what packages I installed from those repos?
rpm -qa --qf "%{name} %{vendor}\n" | grep "RPM Fusion"
rpm -qa --qf "%{name} %{vendor}\n" | grep "rpm.livna.org"

I know kdm used to try to modify the grub entry by executing grubby but that was supposedly turned off.

Fwiw, it was never turned on... we explored the possibility of enabling it... (but that idea was NACK'd due to security concerns)

$ rpm -qa --qf "%{name} %{vendor}\n" | grep -v "Fedora Project"
adobe-release-i386 Adobe Systems Inc.
rpmfusion-free-release RPM Fusion
gpg-pubkey (none)
rootfiles Red Hat, Inc.
rpmfusion-nonfree-release RPM Fusion
htmlview Koji
flash-plugin Adobe Systems Inc.
gpg-pubkey (none)
livna-release rpm.livna.org
---
I'm not sure if that's related or if I should file that as a new bug:
If I start the "Login Manager" from the "System Settings" I'm asked for the root pwd by "KDE su". After I provide that, the application is starting. When I then click "OK" (doesn't matter if I made some changes and "Apply" doesn't change anything, either) KDE su brings up a dialog "Command '/usr/bin/kcmshell4 kdm --lang en_US' not found." (the command I initially gave the password for).

Sandro, to check for sure what Dan is talking about, look for BootManager= in /etc/kde/kdm/kdmrc. It should say BootManager=None; changing to BootManager=Grub will yield selinux denials and is unsupported.

The "lang... not found" error is known and already reported,

$ cat /etc/kde/kdm/kdmrc | grep BootManager
BootManager=Grub
---
I changed that manually to "None" and logged out / in again -> denial has gone.
That's btw the thing that I mentioned in my initial post:
"Additional info: In the 'Login Manager' (started from the 'System Settings') on tab 'Shutdown (5)', I manually set 'Boot manager' to 'Grub' previously."
Changing the value there from 'None' to 'Grub' does the change in the kdmrc that produced this problem.

If you really want to be able to use that option, you have to either turn off SELinux or customize it (maybe try audit2allow) to allow this.
It is turned off for security reasons and the SELinux policy maintainers decided against enabling it (and there's nothing which can be done in KDE to avoid this, it is the very action you're trying to perform which is blocked by design).
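
Added example, not part of the original bug thread and not KDE or Fedora code: a shell check that flags any uncommented BootManager value other than None in a kdmrc, the setting this thread ties to the SELinux denial. The function names and the [Shutdown] section header in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example: audit a kdmrc for the BootManager setting discussed above.

# Print every uncommented BootManager value in FILE, one per line.
kdmrc_boot_managers() {
    awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        /^[ \t]*BootManager[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")           # drop the key and "="
            sub(/[ \t\r]+$/, "")               # trim trailing whitespace / CR
            print
        }
    ' "$1"
}

# Return 0 if no assignment differs from "None", 1 otherwise, 2 if unreadable.
kdmrc_check() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1" >&2; return 2; }
    bad=$(kdmrc_boot_managers "$1" | grep -vx 'None' | sort -u | tr '\n' ' ')
    if [ -z "$bad" ]; then
        echo "OK: $1 does not enable a boot manager"
        return 0
    fi
    echo "WARN: $1 sets BootManager to: $bad(unsupported, expect SELinux denials)"
    return 1
}

# Constructed sample resembling the reporter's file (section name assumed).
kdmrc_demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '[Shutdown]' '#BootManager=None' 'BootManager=Grub' > "$tmp"
    kdmrc_check "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Runs the constructed demo; on a real system call:
#   kdmrc_check /etc/kde/kdm/kdmrc
kdmrc_demo || true
```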