Red Hat Bugzilla – Bug 504125
SELinux is preventing kdm (xdm_t) "execute" bootloader_exec_t.
Last modified: 2009-06-05 04:29:20 EDT
During KDE logout an SELinux Error message pops up.
1. enable kdm
2. Set in KDE system settings under "Login Manager" -> "Shutdown" -> "Boot manager" -> "Grub"
3. Set in KDE system settings under "Session Manager" "Confirm logout" and "Offer shutdown options"
Doctor, Doctor, it hurts when I do this. Don't do that.
We are not going to allow the login program to manipulate the grub table without logging in. If you want this functionality you will need to modify policy using audit2allow -M mypol.
Well, guess I can understand why you are unhappy about the idea.
On the other hand; the KDE setting is there and it is a convenient function.
Maybe the KDE Login Manager setup GUI should be changed if such a grub table manipulation is considered unsafe.
There are lots of ways stuff can be configured that SELinux will not allow. So I am not sure this needs to be removed, but from a security point of view, I do not believe it is a good idea.
For the record, this is a duplicate of non-bug 462994. That setting is disabled by default for a reason.
*** This bug has been marked as a duplicate of bug 462994 ***
Oh, and just disable SELinux if you want this to work.
Kevin, disabling SELinux was always one of the first things I have done after installing new Fedora versions since that feature was introduced. However I noticed that it works better in F11 and hardly interferes nowadays.
I have to admit that I haven't invested a lot of time in understanding how SELinux works. Would it be / is it possible to add rules dynamically? I understand that you don't want kdm to mess with the bootloader by default. But in this case it is what the user wants. So the system should allow it after the setting was made.
Another possibility would be to add a button to the tool that reports SELinux issues in the task bar. It already offers solutions in some cases, e.g. when installing Google Earth, but it is damn painful to copy all the suggested commands from that tool to the command line and to execute them. A button "Permit this" would help a lot.