The join fails because pmjoin_plugin asks pmpolicy on the policy server to execute /usr/sbin/sshd in order to manipulate the authorized_keys file. Because the SELinux context of sshd (sshd_t) differs from the pmpolicy context (system_u:object_r:bin_t:s0), SELinux blocks the operation.
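To confirm that denials from the sshd_t domain are what block the join before choosing a fix or workaround, the audit log can be summarized. This is an added example, not part of the original article or of Quest's tooling; avc_summary and sample_log are hypothetical names and the embedded audit records are constructed, so the permissions and object names in a real denial will differ.

```bash
#!/usr/bin/env bash
# Summarise SELinux AVC denials raised by one source domain (default: sshd_t).
# Real use (as root): avc_summary sshd_t < /var/log/audit/audit.log

avc_summary() {
    awk -v dom="${1:-sshd_t}" '
        /type=AVC/ && /denied/ {
            perms = ""; comm = ""; sctx = ""; tctx = ""; tclass = ""
            # Denied permissions sit between "{ " and " }".
            if (match($0, /[{][^}]*[}]/))
                perms = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perms)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
                if ($i ~ /^tclass=/)   { tclass = $i; sub(/^tclass=/, "", tclass) }
                # Contexts are user:role:type:level; the type is field 3.
                if ($i ~ /^scontext=/) { split($i, s, ":"); sctx = s[3] }
                if ($i ~ /^tcontext=/) { split($i, t, ":"); tctx = t[3] }
            }
            # Group identical denials so repeated join attempts collapse to one row.
            if (sctx == dom)
                count[comm " " sctx " -> " tctx " " tclass " {" perms "}"]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample records (not captured from a real policy server).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { execute } for  pid=4321 comm="sshd" name="sample" dev="dm-0" ino=1001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd"
type=AVC msg=audit(1700000060.202:502): avc:  denied  { execute } for  pid=4388 comm="sshd" name="sample" dev="dm-0" ino=1001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000120.303:503): avc:  denied  { read write } for  pid=4390 comm="sshd" name="sample2" dev="dm-0" ino=1002 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000180.404:504): avc:  denied  { execute } for  pid=5000 comm="httpd" name="sample" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
EOF
}

# Prints one row per distinct denial, most frequent first.
sample_log | avc_summary sshd_t
```

An empty result for sshd_t after a failed join suggests the failure has another cause, in which case relaxing SELinux would not help.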
Permanent fix:
Note: You will need to reconfigure the Policy Server.
You will need the SELinux policy development tools installed on the policy server system.
Install them with the following command:
sudo yum install selinux-policy-devel
Then unconfigure and reconfigure the policy server with the --selinux parameter:
/opt/quest/sbin/pmsrvconfig --unconfig
/opt/quest/sbin/pmsrvconfig --selinux
You will see the following output during configuration:
*** Build SELinux policy module [ OK ]
*** Install SELinux policy module [ OK ]
*** Reloading pmloadcheck configuration [ OK ]
Retry pmjoin_plugin:
/opt/quest/sbin/pmjoin_plugin
Workaround 01 on policy server:
Set SELinux to disabled or permissive and rejoin.
Check the status: sestatus
Temporarily set SELinux to permissive:
setenforce 0
Retry pmjoin_plugin
Return SELinux to enforcing mode:
setenforce 1
Workaround 02 on policy server (consult with your Security Department first):
Set SELinux to permanently disabled:
Modify /etc/selinux/config:
SELINUX=disabled
Reboot (mandatory)
Workaround 03 (advanced, same as Permanent fix but without unconfiguring the policy server):
You will need the SELinux policy development tools installed on the policy server system.
Install them with the following command:
sudo yum install selinux-policy-devel
Manually build and install the SELinux policies:
cd /opt/quest/qpm4u/selinux
make -f /usr/share/selinux/devel/Makefile pmlocald.pp
Output of make:
Compiling targeted pmlocald module
/usr/bin/checkmodule: loading policy configuration from tmp/pmlocald.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 19) to tmp/pmlocald.mod
Creating targeted pmlocald.pp policy package
rm tmp/pmlocald.mod.fc tmp/pmlocald.mod
Load the built policy and update some file contexts:
semodule -i /opt/quest/qpm4u/selinux/pmlocald.pp
sudo restorecon /opt/quest/sbin/qpm4u_721_0/pmlocald
sudo restorecon /opt/quest/libexec/qpm4u_721_0/pmsesh
sudo restorecon /opt/quest/libexec/qpm4u_721_0/pmconfpoluser
sudo restorecon -R /var/opt/quest/qpm4u/pmpolicy
Stop and restart Safeguard for sudo:
systemctl stop pmserviced
systemctl stop pmlogsrvd
systemctl stop pmloadcheck
systemctl start pmserviced
systemctl start pmlogsrvd
systemctl start pmloadcheck
Retry the pmjoin_plugin join operation. It will complete successfully.