Bug 873957

Summary: SELinux is preventing /usr/bin/kdm from 'read' accesses on the file /boot/grub2/grub.cfg.
Product: [Fedora] Fedora Reporter: Neil <hispeed.bz>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:63cbce8cc3fff688af4fe709dd77c5b962a6337bd20380c9ca5b66e6c602c383
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-11-07 09:46:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: type
none
File: hashmarkername none

Description Neil 2012-11-07 05:25:46 UTC 
Description of problem:
Happens when you configure KDM to allow boot into other OSes

Additional info:
libreport version: 2.0.18
kernel:         3.6.5-1.fc17.x86_64

description:
:SELinux is preventing /usr/bin/kdm from 'read' accesses on the file /boot/grub2/grub.cfg.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that kdm should be allowed read access on the grub.cfg file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep kdm /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:boot_t:s0
:Target Objects                /boot/grub2/grub.cfg [ file ]
:Source                        kdm
:Source Path                   /usr/bin/kdm
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           kdm-4.9.2-3.fc17.x86_64
:Target RPM Packages           grub2-2.0-0.38.beta6.fc17.x86_64
:Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.5-1.fc17.x86_64 #1 SMP Wed Oct
:                              31 19:37:18 UTC 2012 x86_64 x86_64
:Alert Count                   8
:First Seen                    2012-11-06 00:54:03 EST
:Last Seen                     2012-11-07 00:20:30 EST
:Local ID                      62d0b30b-45bf-4a21-bf47-8caea8bc22bb
:
:Raw Audit Messages
:type=AVC msg=audit(1352265630.46:74): avc:  denied  { read } for  pid=924 comm="kdm" name="grub.cfg" dev="sda6" ino=420046 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:boot_t:s0 tclass=file
:
:
:type=AVC msg=audit(1352265630.46:74): avc:  denied  { open } for  pid=924 comm="kdm" path="/boot/grub2/grub.cfg" dev="sda6" ino=420046 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:boot_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1352265630.46:74): arch=x86_64 syscall=open success=yes exit=ENOMEM a0=41f7ae a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=kdm exe=/usr/bin/kdm subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
:
:Hash: kdm,xdm_t,boot_t,file,read
:
:audit2allow
:
:#============= xdm_t ==============
:#!!!! This avc can be allowed using the boolean 'xdm_exec_bootloader'
:
:allow xdm_t boot_t:file { read open };
:
:audit2allow -R
:
:#============= xdm_t ==============
:#!!!! This avc can be allowed using the boolean 'xdm_exec_bootloader'
:
:allow xdm_t boot_t:file { read open };
:
Comment 1 Neil 2012-11-07 05:25:52 UTC 
Created attachment 639818 [details]
File: type
Comment 2 Neil 2012-11-07 05:25:53 UTC 
Created attachment 639819 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-11-07 09:46:50 UTC 
You will need to turn on the 'xdm_exec_bootloader' boolean using

# setsebool -P xdm_exec_bootloader 1
Comment 4 Neil 2012-11-07 14:02:38 UTC 
Should that not be the default for Fedora installations since this is an oft used function?
Comment 5 Daniel Walsh 2012-11-07 15:55:03 UTC 
No we do not want a login program to manage the boot configuration on the machine, by default.

I actually believe that this is a bad design by kdm, and is a potential security problem.
Comment 6 Daniel Walsh 2012-11-07 15:56:30 UTC 
Remember there is nothing that even requires you to have a login on the machine, if a bug happens in a X Windows Login program I can get the machine to boot a different kernel or boot in single user mode
Comment 7 Neil 2012-11-07 18:55:36 UTC 
I agree in principal, but speaking purely as an end-user:

I use WinXP for most gaming and Fedora/KDE for everything else.  When I decide to play a Windows game it's real convenient being able to hit Leave->Restart and select WinXP then just walk away while waiting for WinXP to boot up (which takes a while).

Handy feature and easier than waiting to catch the grub boot menu.
Comment 8 Daniel Walsh 2012-11-07 20:12:21 UTC 
Which is why we have a boolean for you.  Most users do not need this, in gdm it is not even available.
Comment 9 Neil 2012-11-07 20:29:49 UTC 
Understood and thanks.... for all of this stuff ;)