Bug 660148 - SELinux preventing KDM from notifying Grub of next default boot option
Summary: SELinux preventing KDM from notifying Grub of next default boot option
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: Unspecified
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-05 21:06 UTC by Greg Martyn
Modified: 2011-05-26 20:23 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-26 20:23:32 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Greg Martyn 2010-12-05 21:06:19 UTC
Description of problem:
For context, see https://bugzilla.redhat.com/show_bug.cgi?id=654575#c4

I found in /var/log/messages the final missing audit message that should solve bug #654575

kernel: [ 6616.404394] type=1400 audit(1291573879.954:9): avc:  denied  { write } for  pid=13796 comm="grub" name="stage2" dev=sdf1 ino=65035 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=file


Version-Release number of selected component (if applicable):
selinux-policy.noarch                                                                3.9.7-14.fc14

How reproducible:
Always

Steps to Reproduce:
1. setsebool -P xdm_exec_bootloader=1
2. Choose reboot from KDE menu
3. Click and hold the reboot button to see a list of boot options
4. Select one
  
Actual results:
Grub doesn't immediately boot into the selected option. It does if selinux is disabled.

Expected results:
Grub boots immediately into the selected option, with selinux enabled as long as xdm_exec_bootloader boolean is set

Additional info:

Comment 1 Greg Martyn 2010-12-05 21:08:40 UTC
audit2allow says:

#============= xdm_t ==============
allow xdm_t boot_t:file write;

Comment 2 Miroslav Grepl 2010-12-06 15:05:48 UTC
So it completely works with the following local policy

# grep xdm_t /var/log/messages | audit2allow -M mypol
# semodule -i mypol.pp

in enforcing mode?

Comment 3 Daniel Walsh 2010-12-06 15:19:24 UTC
Which is why I hate this function.  I think the tool is actually modifying /boot/grub/grub.conf

Comment 4 Miroslav Grepl 2010-12-06 16:17:15 UTC
I also think so and I really don't like idea to add this to the policy (to the boolean in this case).

Comment 5 Greg Martyn 2010-12-06 19:19:39 UTC
It tries to run grub-set-default, which doesn't exist in fedora, then falls back to running grub and telling it to "savedefault --default=%d --once", (where %d is the index of the boot entry selected) which requires the grub-0.97-once.patch, which fedora apparently has.

Comment 6 Greg Martyn 2010-12-06 19:20:42 UTC
The code is in svn://anonsvn.kde.org/home/kde/trunk/KDE/kdebase/workspace/kdm/backend/bootman.c

Comment 7 Greg Martyn 2010-12-06 19:23:07 UTC
This bug is tangentially related:
https://bugzilla.redhat.com/show_bug.cgi?id=212649

Comment 8 Greg Martyn 2010-12-06 19:23:55 UTC
Re: comment #2
Yes. It works now that I've done that.


Note You need to log in before you can comment on or make changes to this bug.