Bug 504125 - SELinux is preventing kdm (xdm_t) "execute" bootloader_exec_t.
Status: CLOSED DUPLICATE of bug 462994
Product: Fedora
Classification: Fedora
Component: kdebase-workspace
Version: rawhide
Hardware: x86_64 Linux
Priority: low, Severity: medium
Assigned To: Ngo Than
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-06-04 07:47 EDT by Matthias
Modified: 2009-06-05 04:29 EDT
Doc Type: Bug Fix
Last Closed: 2009-06-04 08:44:01 EDT
Description Matthias 2009-06-04 07:47:18 EDT
During KDE logout an SELinux Error message pops up.


1. enable kdm
2. Set in KDE system settings under "Login Manager" -> "Shutdown" -> "Boot manager" -> "Grub"
3. Set in KDE system settings under "Session Manager" "Confirm logout" and "Offer shutdown options"
Comment 1 Daniel Walsh 2009-06-04 08:44:01 EDT
Doctor, Doctor, it hurts when I do this. Don't do that.

We are not going to allow the login program to manipulate the grub table without logging in. If you want this functionality you will need to modify policy using audit2allow -M mypol.
Comment 2 Matthias 2009-06-04 09:28:02 EDT
Well, guess I can understand why you are unhappy about the idea.

On the other hand; the KDE setting is there and it is a convenient function.

Maybe the KDE Login Manager setup GUI should be changed if such a grub table manipulation is considered unsafe.
Comment 3 Daniel Walsh 2009-06-04 13:29:11 EDT
There are lots of ways stuff can be configured that SELinux will not allow. So I am not sure this needs to be removed, but from a security point of view, I do not believe it is a good idea.
Comment 4 Kevin Kofler 2009-06-04 19:17:08 EDT
For the record, this is a duplicate of non-bug 462994. That setting is disabled by default for a reason.

*** This bug has been marked as a duplicate of bug 462994 ***
Comment 5 Kevin Kofler 2009-06-04 19:18:29 EDT
Oh, and just disable SELinux if you want this to work.
Comment 6 Matthias 2009-06-05 04:29:20 EDT
Kevin, disabling SELinux was always one of the first things I have done after installing new Fedora versions since that feature was introduced. However, I noticed that it works better in F11 and hardly interferes nowadays.

I have to admit that I haven't invested a lot of time in understanding how SELinux works. Would it be/ is it possible to add rules dynamically? I understand that you don't want kdm to mess with the bootloader by default. But in this case it is what the user wants. So the system should allow it after the setting was made.

Another possibility would be to add a button to the tool that reports SELinux issues in the task bar. It already offers solutions in some cases, e.g. when installing Google Earth, but it is damn painful to copy all the suggested commands from that tool to the command line and to execute them. A button "Permit this" would help a lot.
