SELinux is preventing kdm (xdm_t) "execute" bootloader_exec_t
Rex Dieter
rdieter at math.unl.edu
Sun Aug 2 20:25:27 UTC 2009
On 08/02/2009 02:47 PM, Garry T. Williams wrote:
> I noticed these denials (denying execute of grub by kdm) appearing
> about a month ago (Fedora 11) whenever I select the "Leave" option on
> the desktop right-click menu. I did a search and found this:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=505408
>
> Daniel Walsh (Mr. Selinux for Red Hat) says it will not be fixed
> because it's considered a security exposure to allow the login screen
> to "modify grub without logging in".
>
> What's up with this? What is kdm up to here?
If you modify /etc/kde/kdmrc away from the default
  BootManager=None
to
  BootManager=Grub
you'll get the policy denials per the aforementioned bug, true. It
requires low-level access to the bootloader to control the next boot,
which Dan wasn't willing to grant by default. If you wish to do so
anyway, you'll need to add your own selinux policy to explicitly allow that
(or disable selinux).

Does that cover your question(s)?
-- Rex
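
An added example, not part of Rex's message and not code from kdm or the SELinux tools: a Python check that ties together the two facts in this thread, the BootManager value in kdmrc and the xdm_t "execute" denials on bootloader_exec_t. The kdmrc text and audit records are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed samples for illustration; not taken from the thread.
SAMPLE_KDMRC = "[General]\n[Shutdown]\n#BootManager=None\nBootManager=Grub\n"
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1249243527.101:71): avc:  denied  { execute } for  pid=2101 '
    'comm="kdm" name="grub" dev=dm-0 ino=4242 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file\n'
    'type=AVC msg=audit(1249243530.555:72): avc:  denied  { read } for  pid=2200 '
    'comm="httpd" name="notes" dev=dm-0 ino=7 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def boot_manager(kdmrc_text):
    """Effective BootManager value; the thread gives None as the default."""
    value = "None"
    for line in kdmrc_text.splitlines():
        key, sep, val = line.strip().partition("=")
        # Simplification (assumption): section headers are ignored.
        if sep and not key.startswith("#") and key.strip() == "BootManager":
            value = val.strip()
    return value

def selinux_type(context):
    """Third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def kdm_bootloader_denials(audit_text):
    """AVC records where xdm_t was denied execute on bootloader_exec_t."""
    hits = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if (m and selinux_type(m["scon"]) == "xdm_t"
                and selinux_type(m["tcon"]) == "bootloader_exec_t"
                and "execute" in m["perms"].split()):
            hits.append({"comm": m["comm"], "tclass": m["tclass"]})
    return hits

def diagnose(kdmrc_text, audit_text):
    """Link the denials to the kdmrc setting described in the reply."""
    bm, denials = boot_manager(kdmrc_text), kdm_bootloader_denials(audit_text)
    return {"boot_manager": bm, "denials": denials,
            "explained_by_kdmrc": bm != "None" and bool(denials)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_KDMRC, SAMPLE_AUDIT))
```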