Oracle® Linux Fault Management Architecture Software User's Guide


Updated: October 2015

The fmd Daemon Might Not Start if SELinux Is Running

If SELinux is running, the fmd daemon might not start. SELinux restricts access to certain directories and files; in particular, access to the log files in /var/opt/fma/fm/fmd might be denied.

The problem shows up when you try to run an fmadm command. For example, you see the following error:

fmadm: failed to connect to fmd: RPC: Program not registered

In addition, the system log contains error messages similar to the following:

May 28 03:07:14 sca05-0a81e7e6 setroubleshoot: SELinux is preventing logrotate from read access on the directory /var/opt/fma/fm/fmd. For complete SELinux messages. run sealert -l 9eb4cb40-9d2b-4428-980f-c4e46606aec1

  1. Follow the instructions in the log message for running sealert. For example:

    sealert -l 9eb4cb40-9d2b-4428-980f-c4e46606aec1

    The output is similar to the following:

    [root@testserver16 ~]# sealert -l 9eb4cb40-9d2b-4428-980f-c4e46606aec1
    SELinux is preventing logrotate from read access on the directory /var/opt/fma/fm/fmd.
    
    *****  Plugin catchall_labels (83.8 confidence) suggests  ********************
    
    If you want to allow logrotate to have read access on the fmd directory
    Then you need to change the label on /var/opt/fma/fm/fmd
    Do
    # semanage fcontext -a -t FILE_TYPE '/var/opt/fma/fm/fmd'
    where FILE_TYPE is one of the following: abrt_var_cache_t, var_lib_t, configfile, domain, 
    var_log_t, var_run_t, cert_type, configfile, net_conf_t, inotifyfs_t, logrotate_t, 
    sysctl_kernel_t, mailman_log_t, sysctl_crypto_t, admin_home_t, varnishlog_log_t, 
    openshift_var_lib_t, user_home_dir_t, var_lock_t, bin_t, device_t, devpts_t, locale_t, 
    etc_t, tmp_t, usr_t, proc_t, abrt_t, device_t, lib_t, logrotate_var_lib_t, root_t, 
    etc_t, usr_t, sssd_public_t, sysfs_t, httpd_config_t, logrotate_tmp_t, logfile, 
    pidfile, named_cache_t, munin_etc_t, mysqld_etc_t, acct_data_t, security_t, var_spool_t, 
    nscd_var_run_t, sysctl_kernel_t, nfs_t.
    Then execute:
    restorecon -v '/var/opt/fma/fm/fmd'
    
    *****  Plugin catchall (17.1 confidence) suggests  ***************************
    
    If you believe that logrotate should be allowed read access on the fmd directory by 
    default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
  2. Run the commands that the log message suggests:

    grep logrotate /var/log/audit/audit.log | audit2allow -M name

    semodule -i name.pp

    where name is the name of your custom policy module file.

    Note that this pipes every audit record that mentions logrotate into audit2allow, so the generated module allows every logrotate denial recorded in the log, not only the one for the fmd directory. Review the generated name.te (audit2allow -M writes it next to name.pp) before you install the module. If the directory is simply mislabeled, the relabeling fix that sealert lists first (semanage fcontext followed by restorecon) is the narrower change and does not require a custom module.

  3. Repeat steps 1 and 2 for every SELinux file-access failure. Give each .pp file a different name.
  4. When you are done, reboot the system.

    Running an fmadm command should now return the correct output without the failure message.
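The procedure above as a shell script, added here as an example; it is not code from the Oracle guide. The audit records it works on are constructed, and the var_t label on the fmd directory is an assumption (the page shows only the sealert summary, not the raw AVC records). avc_summary extracts the distinct (source type, target type, class, permission) tuples denied for one command, which is exactly the set of rules a "grep comm | audit2allow" module would allow, so unrelated denials are visible before anything is installed; avc_to_te turns that summary into a module source to compare against the name.te that audit2allow writes; apply_policy_module and relabel_fmd_dir wrap the privileged steps, which need root and a real audit log and are not run by the usage line at the end.

```shell
#!/bin/sh
# Added example, not part of the Oracle FMA guide.
# Constructed audit.log records (hypothetical). The var_t target label is an
# assumption; the page only shows the sealert summary of the denial.
SAMPLE_AUDIT='type=AVC msg=audit(1432782434.123:456): avc:  denied  { read } for  pid=1234 comm="logrotate" name="fmd" dev="dm-0" ino=12345 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1432782434.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1432782434.125:457): avc:  denied  { getattr } for  pid=1234 comm="logrotate" path="/var/opt/fma/fm/fmd/errlog" dev="dm-0" ino=12346 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1432782434.200:458): avc:  denied  { write } for  pid=999 comm="httpd" name="index.html" dev="dm-0" ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_summary COMM: read audit records on stdin, print one sorted, unique line
# "source_type target_type class permission" per denial attributed to COMM.
# SYSCALL records and other commands are ignored.
avc_summary() {
    awk -v comm="$1" '
    /avc: +denied/ && index($0, "comm=\"" comm "\"") {
        match($0, /[{][^}]*[}]/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) split(substr($i, 10), s, ":")
            if ($i ~ /^tcontext=/) split(substr($i, 10), t, ":")
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print s[3], t[3], cls, p[j]
    }' | sort -u
}

# avc_to_te NAME COMM: build a minimal policy module source from the summary,
# permissions grouped per class as audit2allow does. Diff it against the
# NAME.te that "audit2allow -M NAME" writes to see what you are about to allow.
# Returns 1 when no denial for COMM is present.
avc_to_te() {
    name=$1; comm=$2
    summary=$(avc_summary "$comm")
    [ -n "$summary" ] || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '%s\n' "$summary" | awk '{ print "\ttype " $1 ";"; print "\ttype " $2 ";" }' | sort -u
    printf '%s\n' "$summary" | awk '
        { perms[$3] = perms[$3] " " $4 }
        END { for (k in perms) print "\tclass " k " {" perms[k] " };" }' | sort
    printf '}\n\n'
    printf '%s\n' "$summary" | awk '
        { k = $1 " " $2 ":" $3; perms[k] = perms[k] " " $4 }
        END { for (k in perms) print "allow " k " {" perms[k] " };" }' | sort
}

# apply_policy_module NAME COMM: the privileged steps of the procedure. ausearch
# selects only COMM's AVC records, which is narrower than grepping the whole
# audit.log. Needs root plus the audit and policycoreutils packages.
apply_policy_module() {
    name=$1; comm=$2
    ausearch -m AVC,USER_AVC -c "$comm" --raw | audit2allow -M "$name" || return 1
    echo "Review $name.te before installing it:"
    cat "$name.te"
    semodule -i "$name.pp"
}

# relabel_fmd_dir: the alternative sealert lists first. var_log_t is one of the
# types in its FILE_TYPE list; choosing it for a log directory is an assumption.
relabel_fmd_dir() {
    semanage fcontext -a -t var_log_t '/var/opt/fma/fm/fmd(/.*)?' || return 1
    restorecon -Rv /var/opt/fma/fm/fmd
}

# Stand-alone usage: summarise the constructed records for logrotate.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary logrotate
```

The summary shows why reviewing the module matters: on a real host the same grep would also sweep in any httpd-style denial that happened to mention logrotate, and the resulting allow rules would be installed alongside the fmd one.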