Summary: SELinux is preventing nm-system-setti (NetworkManager_t) "getattr" to /dev/root (fixed_disk_device_t). Detailed Description: SELinux denied access requested by nm-system-setti. It is not expected that this access is required by nm-system-setti and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/root, restorecon -v '/dev/root' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 Target Context system_u:object_r:fixed_disk_device_t:s0 Target Objects /dev/root [ blk_file ] Source nm-system-setti Source Path /usr/sbin/nm-system-settings Port <Unknown> Host home1-linux Source RPM Packages NetworkManager-0.7.0-0.9.4.svn3675.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-64.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name home1-linux Platform Linux home1-linux 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun 10 16:27:49 EDT 2008 i686 i686 Alert Count 3 First Seen Sun 15 Jun 2008 21:04:10 IST Last Seen Sat 21 Jun 2008 09:04:20 IST Local ID 29016118-4aa9-48b1-9a7c-8d52ef87e710 Line Numbers Raw Audit Messages host=home1-linux type=AVC msg=audit(1214035460.344:20): avc: denied { getattr } for pid=2833 comm="nm-system-setti" path="/dev/root" dev=tmpfs ino=274 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file host=home1-linux type=SYSCALL msg=audit(1214035460.344:20): arch=40000003 syscall=195 success=no exit=-13 a0=90167d a1=bf8fa26c a2=d4dff4 a3=90167d items=0 ppid=1 pid=2833 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)
You can allow this for now. # audit2allow -M mypol -l -i /var/log/audit/audit.log # semodule -i mypol.pp Fixed in selinux-policy-3.3.1-68.fc9.noarch
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.