Description
Hello,
After installing omi-1.9.1-0.x86_64 and scx-1.9.1-0.x86_64 I get the following SELinux message:
SELinux is preventing systemd from ioctl access on the file /var/opt/omi/run/omiserver.pid. For complete SELinux messages run: sealert -l df8e516c-d9cb-4dc0-9139-fab1350ac564
I have checked the SELinux policies as follows:

```
$ semanage fcontext -l | grep omi
/var/opt/omi/log(/.*)?              all files    system_u:object_r:var_log_t:s0
/var/opt/omi/run/omiserver.pid      all files    system_u:object_r:var_t:s0

$ ls -lZ /var/opt/omi/run/omiserver.pid
-rw-r--r--. 1 root root system_u:object_r:var_t:s0 5 Nov 19 08:52 /var/opt/omi/run/omiserver.pid
```
Based on this, the .pid file has the correct policy, but the issue still exists.
Also below is the output of sealert:

```
$ sealert -l df8e516c-d9cb-4dc0-9139-fab1350ac564
SELinux is preventing systemd from ioctl access on the file /var/opt/omi/run/omiserver.pid.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow systemd to have ioctl access on the omiserver.pid file
Then you need to change the label on /var/opt/omi/run/omiserver.pid
Do
semanage fcontext -a -t FILE_TYPE '/var/opt/omi/run/omiserver.pid'
where FILE_TYPE is one of the following: NetworkManager_dispatcher_console_var_run_t, .............., zoneminder_unit_file_t, zoneminder_var_run_t.
Then execute:
restorecon -v '/var/opt/omi/run/omiserver.pid'

*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that systemd should be allowed ioctl access on the omiserver.pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'systemd' --raw | audit2allow -M my-systemd
semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/opt/omi/run/omiserver.pid [ file ]
Source                        systemd
Source Path                   systemd
Port                          
Host                          RHEL9-Base-Image
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.1.53-5.el9_6.noarch
Local Policy RPM              selinux-policy-targeted-38.1.53-5.el9_6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host
Platform                      Linux host 5.14.0-570.52.1.el9_6.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Oct 4 01:07:07 EDT 2025 x86_64 x86_64
Alert Count                   5
First Seen                    2025-11-19 08:23:13 CET
Last Seen                     2025-11-19 08:52:54 CET
Local ID                      df8e516c-dfff-4dc0-ccccf-fab1df0dc564

Raw Audit Messages
type=AVC msg=audit(1763538774.867:318): avc: denied { ioctl } for pid=1 comm="systemd" path="/var/opt/omi/run/omiserver.pid" dev="dm-4" ino=8533120 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0

Hash: systemd,init_t,var_t,file,ioctl
```
If I change the SELinux fcontext of /var/opt/omi/run(/.*)? to var_run_t, the SELinux message is gone. Are there any custom policies that are missing / not part of the omi installation?
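Added example, not code from the issue or from the OMI project: a small POSIX sh helper that parses the raw AVC record quoted above, flags the pattern hit here (a runtime file under a `run/` directory whose label is not `var_run_t`, so systemd's `init_t` cannot touch it), and prints the relabel commands instead of running them. The sample AVC line is the one from this issue; treating `var_run_t` as the intended type is the reporter's own finding, assumed here.

```shell
#!/bin/sh
# Constructed sample input: the raw AVC record from this issue.
AVC_LINE='type=AVC msg=audit(1763538774.867:318): avc: denied { ioctl } for pid=1 comm="systemd" path="/var/opt/omi/run/omiserver.pid" dev="dm-4" ino=8533120 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of the "KEY=value" token in an AVC record (quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# context_type CONTEXT: the type field (user:role:TYPE:level) of an SELinux context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the denial matches the pattern in this issue: a file under a
# run/ directory that is labelled something other than var_run_t.
runtime_file_mislabelled() {
    line=$1
    [ "$(avc_field "$line" tclass)" = file ] || return 1
    path=$(avc_field "$line" path)
    case "$path" in */run/*) ;; *) return 1 ;; esac
    [ "$(context_type "$(avc_field "$line" tcontext)")" != var_run_t ]
}

# suggest_relabel PATH: print (do not run) the fcontext rule and restorecon
# for the file's directory. Assumption: var_run_t is the intended type.
suggest_relabel() {
    dir=${1%/*}
    printf "semanage fcontext -a -t var_run_t '%s(/.*)?'\n" "$dir"
    printf "restorecon -Rv '%s'\n" "$dir"
}

# Stand-alone run: report the mismatch and the fix for the sample record.
if runtime_file_mislabelled "$AVC_LINE"; then
    printf 'mislabelled: %s is %s, %s denied for %s\n' \
        "$(avc_field "$AVC_LINE" path)" \
        "$(context_type "$(avc_field "$AVC_LINE" tcontext)")" \
        "$(avc_field "$AVC_LINE" tclass)" \
        "$(context_type "$(avc_field "$AVC_LINE" scontext)")"
    suggest_relabel "$(avc_field "$AVC_LINE" path)"
fi
```

Feed it real records with `ausearch -m AVC --raw` piped line by line; a denial where the target is already `var_run_t` is left alone, which is the check worth doing before any `audit2allow` module is built.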