Services Won't Start After Installation on System That Has SELinux Enabled

Article ID: 69303

Article Type: Troubleshooting

Last Modified:

After you install Commvault on a system that has SELinux enabled, Commvault services won't start automatically on bootup.

Symptoms

You can start Commvault services, but they don't start automatically at bootup.

Causes

If SELinux restrictions are in effect (which is the default on RHEL-family Linux distributions), SELinux may prevent Commvault services from starting automatically on bootup when the labeling on Commvault's directories is not correct.

This situation is more likely to occur if new filesystem mounts have been added for the Commvault installation.

Resolution

1. To determine whether SELinux is enabled, run the sestatus command, as follows:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

If the 'SELinux status' is 'enabled' and the 'Current mode' is 'enforcing', then SELinux restrictions are in effect.

After the services fail to start, the journal shows a 'Permission denied' error for the attempt to start Commvault. To view it, use the journalctl command, as follows:

# journalctl -u commvault.Instance001
-- Logs begin at Tue 2021-10-05 02:20:25 UTC, end at Thu 2021-12-02 00:54:18 UTC. --
Dec 02 00:54:18 lxcspre4 systemd[1]: Starting commvault Service...
Dec 02 00:54:18 lxcspre4 systemd[778446]: commvault.Instance001.service: Failed to execute command: Permission denied
Dec 02 00:54:18 lxcspre4 systemd[778446]: commvault.Instance001.service:  Failed at step EXEC spawning /opt/commvault/Base/Galaxy: Permission denied
Dec 02 00:54:18 lxcspre4 systemd[1]: commvault.Instance001.service: Control process exited, code=exited status=203
Dec 02 00:54:18 lxcspre4 systemd[1]: commvault.Instance001.service: Failed with result 'exit-code'.
Dec 02 00:54:18 lxcspre4 systemd[1]: Failed to start commvault Service.
...

2. You can check the audit log for recent SELinux denials with the ausearch command, as follows:

# ausearch -ts recent -m avc -i
----
type=AVC msg=audit(12/02/2021 00:53:04.266:1375) : avc:  denied  { read } for  pid=1 comm=systemd name=Base dev="dm-0" ino=82614313 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
type=PROCTITLE msg=audit(12/02/2021 00:53:04.269:1376) : proctitle=(Galaxy)
type=SYSCALL msg=audit(12/02/2021 00:53:04.269:1376) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x5580dc630430 a1=0x5580dc7537c0 a2=0x5580dc6614a0 a3=0x7fc23cb7bbc0 items=0 ppid=1 pid=778414 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(Galaxy) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(12/02/2021 00:53:04.269:1376) : avc:  denied  { read } for  pid=778414 comm=(Galaxy) name=Base dev="dm-0" ino=82614313 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
...

3. Apply the system default labels to Commvault's directories by running the restorecon command on them. If you're not sure of all the directories that the installation is using, run commvault status and review the output.

You can provide multiple paths when running restorecon, as follows:

# restorecon -Rv /opt/commvault /etc/CommVaultRegistry
Relabeled /opt/commvault/installer from unconfined_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:usr_t:s0
Relabeled /opt/commvault/galaxy_vm from unconfined_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:usr_t:s0
Relabeled /opt/commvault/Base64 from unconfined_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:usr_t:s0
Relabeled /opt/commvault/Base64/cvpkgrm from unconfined_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:usr_t:s0
...

Note that the -v option causes restorecon to print every change it makes, so if there is no output, no labels were changed.
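
To confirm before and after relabeling which denials come from unlabeled files, the ausearch output from step 2 can be summarized. The script below is an added example, not part of the original article or of Commvault's tooling. The function names and the sample lines are constructed, with the sample modeled on the output shown above.

```shell
#!/bin/sh
# Added example (not Commvault code): summarize AVC denials whose target
# carries the unlabeled_t type, the condition restorecon corrects here.
# Real use: ausearch -ts recent -m avc -i | unlabeled_denials

unlabeled_denials() {
    awk '
    /type=AVC/ && /denied/ && /tcontext=[^ ]*:unlabeled_t:/ {
        comm = name = tclass = perm = "?"
        # The denied permission set sits between the braces.
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)   comm   = substr($i, 6)
            if ($i ~ /^name=/)   name   = substr($i, 6)
            if ($i ~ /^tclass=/) tclass = substr($i, 8)
        }
        gsub(/"/, "", comm); gsub(/"/, "", name)
        # Count each distinct (process, object, class, permission) tuple.
        seen[comm " " name " " tclass " " perm]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort
}

# Constructed sample input: three denials on an unlabeled target, one
# SYSCALL record, and one denial on a correctly labeled (usr_t) target.
sample_avc() {
    cat <<'EOF'
----
type=AVC msg=audit(12/02/2021 00:53:04.266:1375) : avc:  denied  { read } for  pid=1 comm=systemd name=Base dev="dm-0" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
type=SYSCALL msg=audit(12/02/2021 00:53:04.269:1376) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) comm=(Galaxy) exe=/usr/lib/systemd/systemd
type=AVC msg=audit(12/02/2021 00:53:04.269:1376) : avc:  denied  { read } for  pid=778414 comm=(Galaxy) name=Base dev="dm-0" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
type=AVC msg=audit(12/02/2021 00:54:18.101:1390) : avc:  denied  { read } for  pid=1 comm=systemd name=Base dev="dm-0" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=lnk_file permissive=0
----
type=AVC msg=audit(12/02/2021 00:55:00.000:1400) : avc:  denied  { read } for  pid=900 comm=example name=data.txt scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
EOF
}

# Demonstration on the constructed sample: prints "count comm name tclass perm".
sample_avc | unlabeled_denials
```

After a successful restorecon and a new start attempt, running the real pipeline should print no lines for Commvault paths.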
