fmd Daemon Might Not Start if SELinux is Running

For the workaround instructions provided in this section, ensure that the SELinux tools sealert and audit2allow, which are part of the setroubleshoot tool set, are installed.

The fmd daemon might not start if SELinux is running. SELinux protects access to certain directories and files. In particular, access to log files in /var/opt/fma/fm/fmd might be denied.

This issue appears when attempting to execute fmadm commands. For example, you see the following error:

fmadm: failed to connect to fmd: RPC: Program not registered

In addition, you can find error messages in the system log like the following:

May 28 03:07:14 sca05-0a81e7e6 setroubleshoot: SELinux is preventing logrotate from read access on the directory /var/opt/fma/fm/fmd. For complete SELinux messages. run sealert -l 9eb4cb40-9d2b-4428-980f-c4e46606aec1

  1. Follow the instructions for running sealert as specified in the log file. For example:

    sealert -l 9eb4cb40-9d2b-4428-980f-c4e46606aec1

    The output looks similar to:

    [root@testserver16 ~]# sealert -l 9eb4cb40-9d2b-4428-980f-c4e46606aec1
    SELinux is preventing logrotate from read access on the directory /var/opt/fma/fm/fmd.
    
    *****  Plugin catchall_labels (83.8 confidence) suggests  ********************
    
    If you want to allow logrotate to have read access on the fmd directory
    Then you need to change the label on /var/opt/fma/fm/fmd
    Do
    # semanage fcontext -a -t FILE_TYPE '/var/opt/fma/fm/fmd'
    where FILE_TYPE is one of the following: abrt_var_cache_t, var_lib_t, configfile, domain, 
    var_log_t, var_run_t, cert_type, configfile, net_conf_t, inotifyfs_t, logrotate_t, 
    sysctl_kernel_t, mailman_log_t, sysctl_crypto_t, admin_home_t, varnishlog_log_t, 
    openshift_var_lib_t, user_home_dir_t, var_lock_t, bin_t, device_t, devpts_t, locale_t, 
    etc_t, tmp_t, usr_t, proc_t, abrt_t, device_t, lib_t, logrotate_var_lib_t, root_t, 
    etc_t, usr_t, sssd_public_t, sysfs_t, httpd_config_t, logrotate_tmp_t, logfile, 
    pidfile, named_cache_t, munin_etc_t, mysqld_etc_t, acct_data_t, security_t, var_spool_t, 
    nscd_var_run_t, sysctl_kernel_t, nfs_t.
    Then execute:
    restorecon -v '/var/opt/fma/fm/fmd'
    
    *****  Plugin catchall (17.1 confidence) suggests  ***************************
    
    If you believe that logrotate should be allowed read access on the fmd directory by 
    default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
  2. Execute the following commands as suggested in the log file:

    grep logrotate /var/log/audit/audit.log | audit2allow -M name

    semodule -i name.pp

    Where name is the name of your custom policy module file.

  3. Repeat steps 1 and 2 for all the SELinux file access failures. Give a different name to each of the .pp files.
  4. When done, reboot the system.

    Executing fmadm commands should now return proper output without a failure message.
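The following shell script is an added example, not part of the original document and not one of Oracle's tools: it automates steps 2 and 3 of the workaround above. It goes beyond the page's single `grep logrotate` by keying each module on the denied process, object class and permission, so repeated records collapse into one module and every distinct denial gets its own .pp name, as step 3 requires, and it prints each generated .te file for review before anything is installed. Assumed: auditd AVC record format, audit2allow and semodule from policycoreutils, the `fmd_` module-name prefix, and the sample records, which are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original document: one SELinux policy
# module per distinct denial, so each .pp file gets its own name (step 3).
# Assumptions: audit records are in auditd AVC format; audit2allow and
# semodule come from policycoreutils; the "fmd_" module-name prefix and the
# sample AVC lines below are constructed for this example.

# Constructed sample audit.log content (not captured from a real system).
# The third record repeats the first denial with a different timestamp.
SAMPLE_AVC='type=AVC msg=audit(1401246434.123:4567): avc:  denied  { read } for  pid=1234 comm="logrotate" name="fmd" dev="dm-0" ino=123 scontext=system_u:system_r:logrotate_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1401246434.456:4568): avc:  denied  { read write } for  pid=1235 comm="fmd" name="fmd.log" dev="dm-0" ino=124 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1401246440.789:4570): avc:  denied  { read } for  pid=1240 comm="logrotate" name="fmd" dev="dm-0" ino=123 scontext=system_u:system_r:logrotate_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir'

# Derive a module name from one AVC record: fmd_<comm>_<tclass>_<perms>.
# Several permissions in one record ("{ read write }") are joined with "_".
# Non-AVC lines produce no output.
avc_module_name() {
    printf '%s\n' "$1" | awk '
        /avc: *denied/ {
            perm = $0; sub(/.*denied *[{] */, "", perm); sub(/ *[}].*/, "", perm); gsub(/ /, "_", perm)
            comm = $0; sub(/.*comm="/, "", comm); sub(/".*/, "", comm)
            cls  = $0; sub(/.*tclass=/, "", cls);  sub(/[^a-z_].*/, "", cls)
            printf "fmd_%s_%s_%s\n", comm, cls, perm
        }'
}

# Print "<module name><TAB><AVC record>" for each distinct denial in the
# audit log, keeping the first record seen for each name.
fmd_denials() {
    while IFS= read -r line; do
        name=$(avc_module_name "$line")
        [ -n "$name" ] && printf '%s\t%s\n' "$name" "$line"
    done < "$1" | awk -F '\t' '!seen[$1]++'
}

# Steps 2 and 3 of the workaround for every distinct denial: feed only that
# record to "audit2allow -M <name>", print the generated .te for review, and
# run "semodule -i <name>.pp" only when the second argument is "yes".
fmd_build_modules() {
    log=$1; install=${2:-no}
    fmd_denials "$log" | while IFS="$(printf '\t')" read -r name line; do
        printf '%s\n' "$line" | audit2allow -M "$name" >/dev/null \
            || { echo "audit2allow failed for $name" >&2; exit 1; }
        echo "== $name.te (review these rules before installing) =="
        cat "$name.te"
        if [ "$install" = yes ]; then semodule -i "$name.pp"; fi
    done
}

# Stand-alone run against the constructed sample.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_AVC" > "$SAMPLE_FILE"
echo "Distinct denials and their module names:"
fmd_denials "$SAMPLE_FILE" | cut -f1
if command -v audit2allow >/dev/null 2>&1; then
    fmd_build_modules "$SAMPLE_FILE" no
else
    echo "audit2allow not installed; skipping module generation"
fi
```

Run it as root on the affected system with `fmd_build_modules /var/log/audit/audit.log` first, read each .te it prints, and only then re-run with `yes` to install. audit2allow grants exactly the access the denial asked for, which can be broader than necessary when the real problem is a mislabelled directory; in that case the first sealert suggestion on the page (relabel with semanage fcontext and restorecon) is the narrower fix.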