KarlH
Contributor II

Using SIEM 7.1.3, the RHEL 9.4 endpoint running SELinux is failing to install the Linux Agent

Hello,

Would appreciate any insightful details on why the installs might be failing.

SELinux is enabled, and the following packages are also installed:

  • policycoreutils-python
  • libselinux-utils
  • setools-console

I don't have the logs yet, but any insights as to why the agents are failing to install? Also, what is the absolute highest version to safely install on RHEL 9.4? Are Fortinet having issues with this latest version?

Agent Versions Attempted (Supervisor version 7.1.3):

  • Version 7.1.3: FSM Linux Agent not updated with the latest certificate.
  • Version 7.1.7: installed required packages to enable SELinux; still the issue was not resolved. Research done by vendor engineer and suggested attempting v7.2.4.
  • Version 7.2.4: Vendor engineering team updated parts of the script related to SELinux, hence attempted this version.

Can anyone please verify if they have a functioning Linux agent on RHEL 9.4 with SELinux? We are stuck.

Are we missing packages? What about these?

  • libcap
  • audit
  • rsyslog
  • logrotate
  • at
  • perl
  • bind-utils
  • audispd-plugins

Thank you as always in advance!

Karl

Karl Henning, Security Engineer, CISSP
2 REPLIES
AEK
SuperUser

Hi Karl

I'm old Unix/Linux school, and when they introduced SELinux I couldn't find the time to master it as I should have. So when SELinux prevents me from installing something, the solution for me was simple: disable it, install what I need to install, then enable it again.

setenforce 0
--> install FSM agent
setenforce 1

Hope it helps.

AEK
KarlH
Contributor II

NEW TITLE: 7.2.4 Agent on RHEL 9.4 using SELinux, via Proxy on 7.2.2 Collector, is not seen by SIEM 7.1.3 (shows Disconnected)

Thanks AEK! Yep, I am a long-time OpenSUSE guy as well.

Well, it turns out:

Problem: The Agent does install. The SIEM does not see the Agent; it is showing Disconnected.

Given:

1.) Customer is not willing to turn off SELinux in RHEL 9.4, probably for legal/compliance and contractual obligations.
2.) Linux Agent is 7.2.4 (that agent DOES install while SELinux is enforced).
3.) Collector is 7.2.2.
4.) SIEM is 7.1.3.
5.) All TLS handshakes have been verified.

We are stuck with what we got. Other knowns:

Fortinet has already spent at least 3 or 4 hours troubleshooting.

I need a link to a detailed doc or a crash course in how deep these Linux agents go. The kernel level? Communication to the SIEM is not happening; all TLS and other standard troubleshooting have been completed and verified, so we know it's at the SELinux endpoint.

I really feel that Red Hat should get involved with helping to identify the logs that SELinux provides; there must be clues somewhere. I really appreciate everyone's insights.

Question: Where are all the logs for SELinux?

What about Audit Logs? Has Fortinet run into this issue with RHEL 9.4 SELinux in the past, or is this issue stand-alone?

Thank you!

Karl

Karl Henning, Security Engineer, CISSP
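Added example, not part of Karl's or AEK's posts and not Fortinet code, covering two things raised in this thread: Karl's question about where the SELinux logs are, and an alternative to AEK's setenforce 0 / install / setenforce 1 cycle. On RHEL 9 every SELinux decision that blocks an action is written by auditd to /var/log/audit/audit.log as a type=AVC record (the audit package from Karl's list is what provides it), and `setenforce 0` only switches SELinux to permissive mode, so the same records are still logged while nothing is blocked; that makes permissive mode a way to collect evidence rather than just a way to get past the installer. The script below parses a constructed audit.log excerpt, counts the denials, summarises them per process, object class, permission and target context, and flags an outbound `tcp_socket name_connect` denial, which is the pattern that would explain an agent that installs fine but shows Disconnected. The process name `agent-placeholder`, the `placeholder_agent_t` domain and the paths in the sample are placeholders, not the real FortiSIEM agent's identifiers. On the real host the equivalent views are `ausearch -m AVC -ts recent` (audit package) and `audit2allow -a` (policycoreutils-python-utils on RHEL 9), which should be reviewed with the vendor before any policy change is made.

```shell
#!/bin/sh
# Added example (not from the forum thread or Fortinet): locate and summarise
# SELinux AVC denials. On RHEL 9 the live records are in /var/log/audit/audit.log
# (root-readable); this script works on a constructed excerpt so it runs anywhere.

# Constructed sample of audit.log lines. "agent-placeholder", placeholder_agent_t and
# /opt/placeholder are stand-ins, not the real agent's process name, domain or path.
AUDIT_SAMPLE=$(cat <<'EOF'
type=AVC msg=audit(1717000001.123:4567): avc:  denied  { name_connect } for  pid=2311 comm="agent-placeholder" dest=443 scontext=system_u:system_r:placeholder_agent_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1717000001.123:4567): arch=c000003e syscall=42 success=no exit=-13 comm="agent-placeholder" exe="/opt/placeholder/agent" subj=system_u:system_r:placeholder_agent_t:s0 key=(null)
type=AVC msg=audit(1717000002.456:4570): avc:  denied  { write } for  pid=2311 comm="agent-placeholder" name="agent.log" dev="dm-0" ino=1234 scontext=system_u:system_r:placeholder_agent_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1717000003.789:4571): avc:  granted  { read } for  pid=2311 comm="agent-placeholder" name="agent.conf" dev="dm-0" ino=1235 scontext=system_u:system_r:placeholder_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
)

# Report the live SELinux mode when libselinux-utils is installed; otherwise say so.
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then getenforce; else echo "getenforce not available here"; fi
}

# Print the number of denied AVC records in the given audit log (0 when there are none).
count_avc_denials() {
  grep -c 'type=AVC.*avc: *denied' "$1" || true
}

# One line per distinct denial: "<comm> <tclass> <permission> <tcontext>".
# The permission set sits between "{" and "}"; the other fields are key=value tokens.
summarize_avc_denials() {
  grep 'type=AVC.*avc: *denied' "$1" | awk '
    {
      perm = ""; comm = ""; tclass = ""; tcontext = ""
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i;     sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        if ($i ~ /^tclass=/)   { tclass = $i;   sub(/^tclass=/, "", tclass) }
        if ($i ~ /^tcontext=/) { tcontext = $i; sub(/^tcontext=/, "", tcontext) }
      }
      print comm, tclass, perm, tcontext
    }' | sort -u
}

# Succeed (exit 0) when some process was denied an outbound TCP connect. This is the
# first denial to look for when an agent installs but never reaches its collector.
has_connect_denial() {
  summarize_avc_denials "$1" | grep -q ' tcp_socket name_connect '
}

# Write the constructed sample to a temp file and run the checks over it.
SAMPLE_LOG=$(mktemp)
printf '%s\n' "$AUDIT_SAMPLE" > "$SAMPLE_LOG"

echo "SELinux mode: $(selinux_mode)"
echo "Denied AVC records: $(count_avc_denials "$SAMPLE_LOG")"
echo "Distinct denials (comm tclass permission tcontext):"
summarize_avc_denials "$SAMPLE_LOG"
if has_connect_denial "$SAMPLE_LOG"; then
  echo "Outbound TCP connect was denied: compare with 'ausearch -m AVC -ts recent' on the host"
fi
```

Point the functions at /var/log/audit/audit.log (as root) instead of the temp file to use them on the real endpoint. A denial on `tcp_socket name_connect` against a labelled port type, or on `file write` under `var_log_t`, narrows the problem to the agent's SELinux domain and the labels of what it touches; `audit2allow -a` turns the same records into a readable rule summary so the customer's security team and the vendor can decide, with SELinux still enforcing, what the agent legitimately needs.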