The fmd daemon might not start if SELinux is running. SELinux protects access to certain directories and files. In particular, access to log files in /var/opt/fma/fm/fmd might be denied.
This issue appears when attempting to execute fmadm commands. For example, you see the following error:
fmadm: failed to connect to fmd: RPC: Program not registered
In addition, you can find error messages in the system log like the following:
May 28 03:07:14 sca05-0a81e7e6 setroubleshoot: SELinux is preventing logrotate from read access on the directory /var/opt/fma/fm/fmd. For complete SELinux messages. run sealert -l 9eb4cb40-9d2b-4428-980f-c4e46606aec1
sealert -l 9eb4cb40-9d2b-4428-980f-c4e46606aec1
The output looks similar to:
[root@testserver16 ~]# sealert -l 9eb4cb40-9d2b-4428-980f-c4e46606aec1 SELinux is preventing logrotate from read access on the directory /var/opt/fma/fm/fmd. ***** Plugin catchall_labels (83.8 confidence) suggests ******************** If you want to allow logrotate to have read access on the fmd directory Then you need to change the label on /var/opt/fma/fm/fmd Do # semanage fcontext -a -t FILE_TYPE '/var/opt/fma/fm/fmd' where FILE_TYPE is one of the following: abrt_var_cache_t, var_lib_t, configfile, domain, var_log_t, var_run_t, cert_type, configfile, net_conf_t, inotifyfs_t, logrotate_t, sysctl_kernel_t, mailman_log_t, sysctl_crypto_t, admin_home_t, varnishlog_log_t, openshift_var_lib_t, user_home_dir_t, var_lock_t, bin_t, device_t, devpts_t, locale_t, etc_t, tmp_t, usr_t, proc_t, abrt_t, device_t, lib_t, logrotate_var_lib_t, root_t, etc_t, usr_t, sssd_public_t, sysfs_t, httpd_config_t, logrotate_tmp_t, logfile, pidfile, named_cache_t, munin_etc_t, mysqld_etc_t, acct_data_t, security_t, var_spool_t, nscd_var_run_t, sysctl_kernel_t, nfs_t. Then execute: restorecon -v '/var/opt/fma/fm/fmd' ***** Plugin catchall (17.1 confidence) suggests *************************** If you believe that logrotate should be allowed read access on the fmd directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep logrotate /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
grep logrotate /var/log/audit/audit.log | audit2allow -M name
semodule -i name.pp
Where name is the name of your custom policy module file.
Executing fmadm commands should now return proper output without a failure message.