Bug 462994 - KDM tries to access /boot which is denied by SELinux policy
Summary: KDM tries to access /boot which is denied by SELinux policy
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: kdebase-workspace
Version: 9
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Than Ngo
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 504125
Depends On:
Blocks:
Reported: 2008-09-20 08:13 UTC by Benjamin Lewis
Modified: 2009-06-04 23:17 UTC (History)
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-20 17:26:51 UTC
Type: ---
Embargoed:


Attachments
AVC messages (533 bytes, text/plain)
2008-09-20 08:13 UTC, Benjamin Lewis

Description Benjamin Lewis 2008-09-20 08:13:03 UTC
Created attachment 317277
AVC messages

Description of problem:
When the shutdown menu is selected in KDE, an AVC message and SELinux denial are logged for KDM (attached)

Version-Release number of selected component (if applicable):
kdebase-workspace-4.1.0-8.fc9.i386

How reproducible:
Every time shutdown menu is opened

Steps to Reproduce:
1. Run setroubleshoot or tail -f /var/log/audit/audit.log
2. Open shutdown menu (Any of the options on "Leave" works)
3. Watch AVC message appear in log
  
Actual results:
SELinux denies access and an AVC message is logged

Expected results:
No AVC message and access is allowed - or equally, kdm stops trying to access /boot

Additional info:
I don't think this impacts usability in any way so I class it more of an annoyance

Comment 1 Rex Dieter 2008-09-20 10:54:03 UTC
Did you modify /etc/kde/kdm/kdmrc at all?  
I see AVC messages too, but only when/if I modify the Bootloader options (and the selinux folks vetoed my request to allow that).

Comment 2 Benjamin Lewis 2008-09-20 17:16:15 UTC
Yeah, I set BootManager=Grub, that seems to be the problem. If the SELinux side can't be fixed, can we just patch that feature out or something, as I'm assuming that whatever feature that enables won't work as it is?

Comment 3 Kevin Kofler 2008-09-20 17:25:53 UTC
The feature is disabled by default for a reason.

If you want it to work, you can either disable SELinux (I'd recommend doing that anyway, but I'm known all around here as the "SELinux hater" ;-) ) or add a custom policy to allow this (see audit2allow, and Dan Walsh's blog where several ways to customize SELinux are described, I can't help you much with it as I don't use it).

Comment 4 Kevin Kofler 2008-09-20 17:26:51 UTC
Closing as WONTFIX, as we KDE folks can't fix it and the SELinux folks don't want to allow this in the default policy.

Comment 5 Benjamin Lewis 2008-09-20 17:29:46 UTC
Ok, thanks for helping (audit2allow was my first port of call as it happens, I just wanted to be sure it wasn't something generally fixable)

Comment 6 Kevin Kofler 2009-06-04 23:17:08 UTC
*** Bug 504125 has been marked as a duplicate of this bug. ***
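
Comment 3 points to audit2allow for a custom policy. The sketch below is an added example, not part of the bug report or of audit2allow itself: it groups the AVC denials for one process into the allow rules a local module would contain, so they can be reviewed before anything is loaded. The log lines are constructed, and the xdm_t, boot_t and ntpd_t types and the paths in them are assumptions, not the contents of the bug's attachment.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (NOT the attachment from this bug).
# The SELinux types and file names are assumptions for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1221898383.101:42): avc:  denied  { search } for  pid=2301 comm="kdm" name="/" dev=sda1 ino=2 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=AVC msg=audit(1221898383.105:43): avc:  denied  { getattr } for  pid=2301 comm="kdm" path="/boot/grub/grub.conf" dev=sda1 ino=30 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=file
type=AVC msg=audit(1221898390.220:51): avc:  denied  { read } for  pid=2301 comm="kdm" name="grub.conf" dev=sda1 ino=30 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=file
type=AVC msg=audit(1221898391.000:52): avc:  denied  { write } for  pid=1877 comm="ntpd" name="x.log" dev=sda2 ino=77 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1221898390.220:51): arch=40000003 syscall=5 success=no exit=-13 comm="kdm" exe="/usr/bin/kdm"
"""

# Matches only denials; SYSCALL records and other audit types are ignored.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def suggested_rules(log_text, comm=None):
    """Group AVC denials into allow rules, optionally for one command name."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m["comm"] != comm):
            continue
        # A context is user:role:type[:level]; the rule is written on types.
        source = m["scon"].split(":")[2]
        target = m["tcon"].split(":")[2]
        perms[(source, target, m["tclass"])].update(m["perms"].split())
    rules = []
    for (source, target, tclass), ps in sorted(perms.items()):
        ps = sorted(ps)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {source} {target}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    for rule in suggested_rules(SAMPLE_LOG, comm="kdm"):
        print(rule)
```

Each rule is written on types, not paths, so a rule of this shape covers every object carrying the target label rather than only the one file that triggered the denial.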

