SFA not starting when selinux is enabled in RHEL


Article ID: 276445


Updated On:


CA Privileged Access Manager (PAM)


During the Socket Filter Agent (SFA) installation you disabled SELinux on your RHEL machines. The SFA agent was installed successfully and the service started. However, you have a requirement to run with SELinux enabled and enforcing. When you try to restart the SFA service with SELinux enforcing, the start fails because SELinux denies execution of /etc/rc.d/init.d/rc.gksfd:

rc.gksfd.service: Failed at step EXEC spawning /etc/rc.d/init.d/rc.gksfd: Permission denied


May affect any PAM SFA release as of November 2023.


The SELinux context of the rc.gksfd script was not set correctly during installation.


In the directory /etc/rc.d/init.d, run "ls -Z" to see the SELinux contexts of all the files. The rc.gksfd script likely has a different context from the other startup scripts. The easiest way to update its context is to use a working rc script as a reference:

sudo chcon --reference=<nameofascriptthatworks> rc.gksfd

Verify that the context was set properly with another "ls -Z". Now the rc.gksfd script should show the same SELinux context as the reference script.
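
The "ls -Z" comparison described above can be scripted so that the odd script out is reported directly. This is an added example, not part of the original article or the product: the function names, the sample listing and its context values are constructed, and file names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: flag files whose SELinux type differs from the most common
# type in an `ls -Z` listing. Real use: ls -Z /etc/rc.d/init.d | find_context_outliers

# Reads `ls -Z` output on stdin; prints "name actual_type common_type" per outlier.
find_context_outliers() {
    awk '
    {
        # The context column (user:role:type[:level]) sits in a different
        # position depending on the coreutils version, so search for it.
        ctx = ""; idx = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+(:.*)?$/) { ctx = $i; idx = i; break }
        if (ctx == "" || idx == NF) next   # unlabeled entry or no file name
        split(ctx, part, ":")
        name = $NF
        type[name] = part[3]               # third field is the SELinux type
        count[part[3]]++
        order[++n] = name
    }
    END {
        # The type carried by most files is treated as the expected one.
        for (t in count) if (count[t] > best) { best = count[t]; common = t }
        for (k = 1; k <= n; k++)
            if (type[order[k]] != common)
                print order[k], type[order[k]], common
    }'
}

# Constructed sample listing (not captured from a real host).
sample_listing() {
    cat <<'EOF'
system_u:object_r:initrc_exec_t:s0 netconsole
system_u:object_r:initrc_exec_t:s0 network
unconfined_u:object_r:user_home_t:s0 rc.gksfd
EOF
}

sample_listing | find_context_outliers
```

A file that legitimately carries a different label is listed as well, so treat the output as candidates to check by hand before running chcon.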