Bug 660148 - SELinux preventing KDM from notifying Grub of next default boot option
SELinux preventing KDM from notifying Grub of next default boot option
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Unspecified Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2010-12-05 16:06 EST by Greg Martyn
Modified: 2011-05-26 16:23 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-05-26 16:23:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Greg Martyn 2010-12-05 16:06:19 EST
Description of problem:
For context, see https://bugzilla.redhat.com/show_bug.cgi?id=654575#c4

I found in /var/log/messages the final missing audit message that should solve bug #654575

kernel: [ 6616.404394] type=1400 audit(1291573879.954:9): avc:  denied  { write } for  pid=13796 comm="grub" name="stage2" dev=sdf1 ino=65035 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy.noarch                                                                3.9.7-14.fc14

How reproducible:

Steps to Reproduce:
1. setsebool -P xdm_exec_bootloader=1
2. Choose reboot from KDE menu
3. Click and hold the reboot button to see a list of boot options
4. Select one
Actual results:
Grub doesn't immediately boot into the selected option. It does if selinux is disabled.

Expected results:
Grub boots immediately into the selected option, with selinux enabled as long as xdm_exec_bootloader boolean is set

Additional info:
Comment 1 Greg Martyn 2010-12-05 16:08:40 EST
audit2allow says:

#============= xdm_t ==============
allow xdm_t boot_t:file write;
Comment 2 Miroslav Grepl 2010-12-06 10:05:48 EST
So it completely works with the following local policy

# grep xdm_t /var/log/messages | audit2allow -M mypol
# semodule -i mypol.pp

in enforcing mode?
Comment 3 Daniel Walsh 2010-12-06 10:19:24 EST
Which is why I hate this function.  I think the tool is actually modifying /boot/grub/grub.conf
Comment 4 Miroslav Grepl 2010-12-06 11:17:15 EST
I also think so and I really don't like idea to add this to the policy (to the boolean in this case).
Comment 5 Greg Martyn 2010-12-06 14:19:39 EST
It tries to run grub-set-default, which doesn't exist in fedora, then falls back to running grub and telling it to "savedefault --default=%d --once", (where %d is the index of the boot entry selected) which requires the grub-0.97-once.patch, which fedora apparently has.
Comment 6 Greg Martyn 2010-12-06 14:20:42 EST
The code is in svn://anonsvn.kde.org/home/kde/trunk/KDE/kdebase/workspace/kdm/backend/bootman.c
Comment 7 Greg Martyn 2010-12-06 14:23:07 EST
This bug is tangentially related:
Comment 8 Greg Martyn 2010-12-06 14:23:55 EST
Re: comment #2
Yes. It works now that I've done that.

Note You need to log in before you can comment on or make changes to this bug.