On an upgrade, /etc/lilo.conf is changed to contain information on the new kernel images, and removes the information on old kernels installed via RPM. Otherwise, it largely leaves the file "as-is". But, when it does so, it opens a completely new file for the new /etc/lilo.conf (after moving the old one to .rpmsave). Without checking permissions on the rpmsave, it sets them to 0644. This is a problem on systems which have the "restrict" keyword and a password in the file to prevent users from booting into single user mode and now to also prevent being able to boot into anaconda reconfig mode. As /etc/lilo.conf.rpmsave maintains the correct permissions, probably the easiest thing to do would be to check the permissions on it and use them for the chmod instead if it exists in the write function of lilo.py
Mr. Katz to the rescue again :-) I am not in front of a machine right now, but am 99% sure that you are right about this. Will add it to list of things for fixing.
This issue is fixed and the fix will show up in the next RawHide that we cut.