Description of problem: I'm seeing the following error in setroubleshoot: """ Summary SELinux is preventing /usr/bin/kdm (xdm_t) "execute" to <Unknown> (bootloader_exec_t). Detailed Description SELinux denied access requested by /usr/bin/kdm. It is not expected that this access is required by /usr/bin/kdm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown> If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:bootloader_exec_t:s0 Target Objects None [ file ] Affected RPM Packages kdebase-3.5.8-5.fc8 [application] Policy RPM selinux-policy-3.0.8-44.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall_file Host Name mireille Platform Linux mireille 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686 Alert Count 3 First Seen Fri 09 Nov 2007 06:17:08 AM PST Last Seen Fri 09 Nov 2007 02:37:32 PM PST Local ID 2f4ca290-1fb0-46d1-a29a-2b672bb96565 Line Numbers Raw Audit Messages avc: denied { execute } for comm=kdm dev=sda9 egid=0 euid=0 exe=/usr/bin/kdm exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=grub pid=3030 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:bootloader_exec_t:s0 tty=(none) uid=0 """ Version-Release number of selected component (if applicable): kdebase-3.5.8-5.fc8 How reproducible: Always Steps to Reproduce: (suspected) Make KDM aware of the boot manager: 1. Go to KDE Control Panel -> System Administration -> Login Manager -> Administrative Mode -> Shutdown 2. Select "Grub" as the boot manager 3. Log out and back in - the selinux error message appears
Forgot to mention in case you don't know how to enable KDM as the login manager: edit file /etc/sysconfig/desktop (create if doesn't already exist) and add a following line to it: DISPLAYMANAGER="KDE" This will make kdm the default login manager and KDE the default environment.
Update: the error also appears without actually logging out; it's sufficient to select Log Out from the KDE menu, and cancel out of it.
I cannot reproduce locally. Have you modified kdm's setup in anyway (to vary from the stock defaults)? Further, please 1. ensure your box is fully up-to-date 2. try touch /.autorelabel and reboot Does the problem persist?
Yes, the problem remains after relabel. The necessary parts to get this bug: 1) set the default window manager AND login manager to KDE/kdm - I used the method described in Comment #1 2) select "Grub" as the boot manager as described in "Steps to reproduce" in the original bug description. I verified that when I set boot manager to default "None", then log out and log back in - the problem disappears. It appears that logging out at least once is necessary for the setting to take full effect (and thus the bug to start/stop showing up)
What's the purpose of your setting the boot manager option to "grub" (afaik, that's the default anyway)?
This is not for "enabling grub" - this is for a nice KDE extra feature: if you have multiple grub entries, you may choose one to reboot to, in the logout dialog - during such reboot, the system doesn't make grub wait for input and just boots to whatever target you have chosen. For example, if you have a dual-boot with WinXP and Fedora is default, you can choose "reboot to Windows"
neat, so neat in fact I think we need to make that the default behavior, imo. So, other than seeing the selinux alert, do you experience any concrete problems?
Hrm, I can't get get this feature to work. With or without selinux being enabled.
(In reply to comment #8) > Hrm, I can't get get this feature to work. With or without selinux being enabled. /etc/sysconfig/desktop should have DISPLAYMANAGER="KDE" DESKTOP="KDE" and you should be running a KDE session :)
Yes, I have all that, it's the "if you have multiple grub entries, you may choose one to reboot to, in the logout dialog" feature that doesn't work for me.
Created attachment 295313 [details] boot choice example (In reply to comment #10) > Yes, I have all that, it's the > "if you have multiple grub entries, you may choose one to reboot to, in the > logout dialog" > feature that doesn't work for me. I don't know what to tell you, then :( As far as I know, using KDM/KDE and setting grub as the bootloader enables this menu (see screenshot)
P.S. have to press down and hold the reboot button for the menu to appear - otherwise it just follows default reboot
Thanks! It was the "Press down and hold" part that I was missing. Real Neat. Reassigning selinux-policy-targetted, see if we can get it updated to allow this.
Daniel, what do you think of allowing kdm the ability to nudge grub to select the next boot selection?
This looks like when you login you are running as xdm_t which is the problem. You should be logged in as unconfined_t. I think you have a problem with your pam configuration. Login, run a shell $ id -Z Should show unconfined_t, if it shows xdm_t you never transitioned properly.
For me (on my f7 box) anyway: $ id -Z user_u:system_r:unconfined_t
Alright I read the bug again. The login program will allow a non logged in user to change the way the machine reboots?
(In reply to comment #17) > Alright I read the bug again. The login program will allow a non logged in user > to change the way the machine reboots? Yes, the dialog for rebooting while not logged in also changes. (You probably already know this, but that dialog looks a little different) I can't confirm if that one also causes selinux error, since I'm running with selinux disabled (got really tired of all the warnings I can't even understand most of the time)
Re: Dan's comment #17: That's the gist of it, yeah. grub has a feature to be able to specify the default choice of the next boot, we'd like to allow kdm to use that. Feel free to respond with "what kind of crack are you smoking?" if you're not keen on allowing that via selinux-policy.
Konstantin, I don't know what your problem was/is, but the Bootloader=Grub feature worksforme on f7,f8 using selinux-policy-targeted Please consider relabeling your filesystem, and see if the problem(s) persist: touch /.autorelabel (re)enable selinux (if disabled, not just in permissive mode) reboot
I talked to the gdm developers and they think this is crackrock and should be removed from kdm. Allowing a non logged in user to change the boot/runlevel is not considered a great idea. Can you give a justification for this?
Shrug, folks can already tell the system to shutdown/restart on the login screen, then wait, and choose the next boot choice when grub's menu appears. kdm is simply offering the ability to skip the wait. But, as I said in comment #20, it would appear, afaict, that this feature works *now*. That said, I'm definitely ok concluding that this is all crackrock security-wise (and not enabling this feature by default).
What about an X Screen where I don't have access to the console? Does this work when I have a grub password? Of course some people argue that allowing the machine to be rebooted without logging in is also a security flaw. :^(
We're talking about defaults here, where kdm 1. Doesn't allow remote XDMCP 2. even with remote/xdmcp, non-local connections aren't allowed shutdown/reboot options anyway Wrt, grub passwords, dunno. I thought that only affected a users ability to modify an existing grub entry, not restrict which entries are choosable.
I have no idea, I am just throwing out possible problems with this.
Dan, thanks, so, afaict, the only low-priority issue I see left is whether selinux policy should address the "/usr/bin/kdm (xdm_t) "execute" to <Unknown> (bootloader_exec_t)" logged message or not. If the answer is no, then feel free to re-assign this back to kdebase.
I don't think fedora should support this feature.
OK, you heard the man, WONTFIX. Feel free to enable the feature and create a custom local selinux policy to allow that at your site.