Description of problem:
For context, see https://bugzilla.redhat.com/show_bug.cgi?id=654575#c4

I found in /var/log/messages the final missing audit message that should solve bug #654575:

kernel: [ 6616.404394] type=1400 audit(1291573879.954:9): avc: denied { write } for pid=13796 comm="grub" name="stage2" dev=sdf1 ino=65035 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy.noarch 3.9.7-14.fc14

How reproducible:
Always

Steps to Reproduce:
1. setsebool -P xdm_exec_bootloader=1
2. Choose reboot from KDE menu
3. Click and hold the reboot button to see a list of boot options
4. Select one

Actual results:
Grub doesn't immediately boot into the selected option. It does if selinux is disabled.

Expected results:
Grub boots immediately into the selected option, with selinux enabled, as long as the xdm_exec_bootloader boolean is set.

Additional info:
audit2allow says:

#============= xdm_t ==============
allow xdm_t boot_t:file write;
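To make the step from the AVC denial in the description to the rule audit2allow prints visible, here is a small Python script. It is an added illustration, not part of the bug report and not audit2allow's own code: the sample log line is the one quoted in the report, while the regular expressions, the field names and the list of sensitive target types are my own assumptions about the audit message format. Besides deriving the allow rule, it surfaces the source type, target type, class and permission so a reviewer can judge whether the access (here xdm_t writing a boot_t file) is something the policy should really permit, rather than allowing it blindly.

```python
import re

# Constructed sample: the AVC denial quoted in the bug description,
# as it appears in /var/log/messages.
SAMPLE_DENIAL = (
    'kernel: [ 6616.404394] type=1400 audit(1291573879.954:9): avc: denied { write } '
    'for pid=13796 comm="grub" name="stage2" dev=sdf1 ino=65035 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:boot_t:s0 tclass=file'
)

# Assumed layout of an AVC denial: "avc: denied { perm ... } for key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types a reviewer should look at twice before adding an allow rule
# (assumption for this example; boot_t is the one this report is about).
SENSITIVE_TARGET_TYPES = {'boot_t'}


def parse_avc(line):
    """Return a dict with the denied permissions and the key=value fields,
    or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'perms': m.group('perms').split(), **fields}


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def allow_rule(avc):
    """Build the allow rule audit2allow would derive from one denial."""
    src = context_type(avc['scontext'])
    tgt = context_type(avc['tcontext'])
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {src} {tgt}:{avc['tclass']} {perm_str};"


def needs_review(avc):
    """True when the denial is a write-like access to a sensitive target type."""
    write_like = {'write', 'append', 'create', 'unlink', 'rename', 'setattr'}
    return (context_type(avc['tcontext']) in SENSITIVE_TARGET_TYPES
            and bool(write_like.intersection(avc['perms'])))


def triage(lines):
    """Group denials by the rule they would produce, keeping the evidence
    (comm, name, dev, ino) so each candidate rule can be judged on its own."""
    rules = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        rules.setdefault(allow_rule(avc), []).append(avc)
    return rules


if __name__ == '__main__':
    for rule, hits in triage([SAMPLE_DENIAL]).items():
        flag = ' <-- review' if any(needs_review(h) for h in hits) else ''
        print(rule + flag)
        for h in hits:
            print(f"    comm={h['comm']} name={h['name']} dev={h['dev']} ino={h['ino']}")
```

Run against the sample line it prints `allow xdm_t boot_t:file write;`, the same rule audit2allow reports above, together with the process and file that triggered it. The review flag is the point of the exercise: audit2allow turns every denial into an allow, so the decision about whether a display manager should be allowed to write files under /boot has to be made by a person looking at exactly these fields.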
So it completely works with the following local policy

# grep xdm_t /var/log/messages | audit2allow -M mypol
# semodule -i mypol.pp

in enforcing mode?
Which is why I hate this function. I think the tool is actually modifying /boot/grub/grub.conf
I also think so, and I really don't like the idea of adding this to the policy (to the boolean in this case).
It tries to run grub-set-default, which doesn't exist in fedora, then falls back to running grub and telling it to "savedefault --default=%d --once", (where %d is the index of the boot entry selected) which requires the grub-0.97-once.patch, which fedora apparently has.
The code is in svn://anonsvn.kde.org/home/kde/trunk/KDE/kdebase/workspace/kdm/backend/bootman.c
This bug is tangentially related: https://bugzilla.redhat.com/show_bug.cgi?id=212649
Re: comment #2 Yes. It works now that I've done that.