Oracle® Linux Fault Management Architecture Software User's Guide


Updated: October 2015
 
 

fmd Daemon Might Not Start if SELinux is Running

The fmd daemon might not start if SELinux is running. SELinux protects access to certain directories and files. In particular, access to log files in /var/opt/fma/fm/fmd might be denied.

This issue appears when attempting to execute fmadm commands. For example, you see the following error:

fmadm: failed to connect to fmd: RPC: Program not registered

In addition, you can find error messages in the system log like the following:

May 28 03:07:14 sca05-0a81e7e6 setroubleshoot: SELinux is preventing logrotate from read access on the directory /var/opt/fma/fm/fmd. For complete SELinux messages. run sealert -l 9eb4cb40-9d2b-4428-980f-c4e46606aec1

  1. Follow the instructions for running sealert as specified in the log file. For example:

    sealert -l 9eb4cb40-9d2b-4428-980f-c4e46606aec1

    The output looks similar to:

    [root@testserver16 ~]# sealert -l 9eb4cb40-9d2b-4428-980f-c4e46606aec1
    SELinux is preventing logrotate from read access on the directory /var/opt/fma/fm/fmd.
    
    *****  Plugin catchall_labels (83.8 confidence) suggests  ********************
    
    If you want to allow logrotate to have read access on the fmd directory
    Then you need to change the label on /var/opt/fma/fm/fmd
    Do
    # semanage fcontext -a -t FILE_TYPE '/var/opt/fma/fm/fmd'
    where FILE_TYPE is one of the following: abrt_var_cache_t, var_lib_t, configfile, domain, 
    var_log_t, var_run_t, cert_type, configfile, net_conf_t, inotifyfs_t, logrotate_t, 
    sysctl_kernel_t, mailman_log_t, sysctl_crypto_t, admin_home_t, varnishlog_log_t, 
    openshift_var_lib_t, user_home_dir_t, var_lock_t, bin_t, device_t, devpts_t, locale_t, 
    etc_t, tmp_t, usr_t, proc_t, abrt_t, device_t, lib_t, logrotate_var_lib_t, root_t, 
    etc_t, usr_t, sssd_public_t, sysfs_t, httpd_config_t, logrotate_tmp_t, logfile, 
    pidfile, named_cache_t, munin_etc_t, mysqld_etc_t, acct_data_t, security_t, var_spool_t, 
    nscd_var_run_t, sysctl_kernel_t, nfs_t.
    Then execute:
    restorecon -v '/var/opt/fma/fm/fmd'
    
    *****  Plugin catchall (17.1 confidence) suggests  ***************************
    
    If you believe that logrotate should be allowed read access on the fmd directory by 
    default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
  2. Execute the following commands as suggested in the sealert output:

    grep logrotate /var/log/audit/audit.log | audit2allow -M name

    semodule -i name.pp

    Where name is the name of your custom policy module file.

  3. Repeat steps 1 and 2 for all the SELinux file access failures. Give each .pp file a different name.
  4. When done, reboot the system.

    Executing fmadm commands should now return proper output without a failure message.
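
Step 2 turns every logrotate denial found in the audit log into an allow rule, so it helps to list those denials before building the module. The following is an added example, not part of the Oracle guide: it summarizes the distinct AVC denials for one command name. The audit records and the example.log file name are constructed samples.

```shell
#!/bin/sh
# Added example: list distinct SELinux AVC denials for one command so that
# each can be reviewed before audit2allow builds a policy module from them.

# Constructed sample audit records (assumption: not from a real system).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1432782434.101:311): avc:  denied  { read } for  pid=4021 comm="logrotate" name="fmd" dev="dm-0" ino=393301 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1432868834.207:498): avc:  denied  { read } for  pid=5177 comm="logrotate" name="fmd" dev="dm-0" ino=393301 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1432868834.311:499): avc:  denied  { getattr } for  pid=5177 comm="logrotate" path="/var/opt/fma/fm/fmd/example.log" dev="dm-0" ino=393377 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1432868901.004:512): avc:  denied  { write } for  pid=5302 comm="httpd" name="cache" dev="dm-0" ino=401122 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
EOF
}

# Read audit records on stdin; for command name $1 print one line per
# distinct denial: permission(s) class target-type object count
summarize_denials() {
    awk -v want="$1" '
    /type=AVC/ && /denied/ {
        comm = obj = name = ttype = tclass = perm = ""
        # The permission set sits between "{ " and " }".
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "path") obj = val
            else if (key == "name") name = val
            else if (key == "tclass") tclass = val
            else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
        }
        if (comm != want) next
        if (obj == "") obj = name      # directory denials often carry only name=
        seen[perm " " tclass " " ttype " " obj]++
    }
    END { for (k in seen) print k, seen[k] }' | LC_ALL=C sort
}

# Demonstration on the constructed sample.
sample_audit_log | summarize_denials logrotate
```

On a real system, pipe /var/log/audit/audit.log into summarize_denials instead of the sample, and read the name.te file that audit2allow -M writes before running semodule -i.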