Red Hat Bugzilla – Bug 125932
Accesses /root/.themes and maybe other things under /root
Last modified: 2008-08-02 19:40:33 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.2; Linux) (KHTML, like Gecko)
Description of problem:
RHGB and other system processes should not use /root for their configuration files. This is particularly important for graphical programs as changes for a root user X login should not affect the system boot process.
For good system management you want to track changes to all files that are used as part of the boot process to avoid unwelcome surprises when rebooting a server after a long period of uptime. When system programs such as RHGB access configuration files under /root this may cause problems, with a potential result of making the system unbootable.
Here are URLs for a couple of threads of discussion referencing this:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Boot a SE Linux machine with RHGB and the "strict" policy and observe the AVC messages.
Hum, looking at it a bit, it's hard. This would require running rhgb
under a different account than root, and this is a significant change,
I think that the best option is to modify the programs in question
to determine a configuration directory by a method other than
One possibility is using $HOME which could trivially be set to
another value. Another possibility is to have an environment
variable to specify the location ($GNOME_CONFIG maybe?), this could
be useful for many things other than solving this problem.
I agree that running rhgb as non-root is not the correct solution.
it's not possible, the lookup is done in gtk libraries
it would require a specific extension to gtk+ . It does not
use $HOME , but getpwent() .
Relying on a gtk+ enhancement is one way, I would first look
at running it as nobody instead, using setreuid() once X
has been started, this will be a pain because we will need to umount
the filesystem too, I'm not sure it will really work with gtk+ anyway.
Seen your depend on bug, this is unlikely to get fixed on time for FC3
honnestly. Especially if there is a gtk+ change involved !
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
Closed per above message and lack of response. Note that FC2 is not even
supported by Fedora Legacy currently.