Small SELinux issue with kdm and grub [solved]
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 9 13:48:01 UTC 2009
Marko Vojinovic wrote:
> On Sunday 08 March 2009 23:39, Kevin Kofler wrote:
>> Marko Vojinovic wrote:
>>> I don't understand the last point. What is the feature of KDM that you
>>> talk about? I don't remember enabling any specific feature of KDM other
>>> than autologin. Is that it?
>> In the 5th tab of the KDM options, there's an option to set your boot
>> loader, it should be set to "None" (which is what we set it to by default).
>> If you set it to GRUB, KDM will try to talk to GRUB and SELinux will block
>> it.
>
> Aha! I found it!
>
> It was indeed set to grub instead of none. I really don't remember ever
> touching that setting, but memory can be misleading. Anyway, it doesn't
> matter anymore. I have set it to none and SELinux stopped complaining.
>
> Thanks! :-)
> Marko
>
Reasoning for SELinux to deny this:
Login programs are becoming a lot larger, lots of software needs to be
run in order to allow "Assisted Technologies". Most of this software
can be executed by a non logged in user, so a bug in the software could
compromise the system. Allowing the login program to manipulate the
boot environment might allow a slightly compromised login program to
turn off security options like SELinux, or change other kernel options.
All this for arguable value.