For others who may encounter this problem in the future: you will see this error on RHEL 8 and derivatives if you are using the tar.gz installation, fapolicyd is enabled, and you have not whitelisted the Splunk installation directory.

To confirm whether fapolicyd is preventing you from running Splunk, you can use the following audit log search command:

sudo ausearch --start today -m fanotify -i

You will see output like this:

node=rhel8.example.com type=PROCTITLE msg=audit(03/14/2022 17:43:30.150:21294716) : proctitle=/opt/splunk/bin/splunk start
node=rhel8.example.com type=PATH msg=audit(03/14/2022 17:43:30.150:21294716) : item=0 name=/opt/splunk/bin/python3.7 inode=4328145 dev=fd:03 mode=file,555 ouid=splunk ogid=splunk rdev=00:00 obj=unconfined_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=rhel8.example.com type=CWD msg=audit(03/14/2022 17:43:30.150:21294716) : cwd=/home/lamech
node=rhel8.example.com type=SYSCALL msg=audit(03/14/2022 17:43:30.150:21294716) : arch=x86_64 syscall=execve success=no exit=EPERM(Operation not permitted) a0=0x5604c24f1980 a1=0x7ffeb0c870d0 a2=0x7ffeb0c86f40 a3=0x5 items=1 ppid=228305 pid=228318 auid=lamech uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=splunk exe=/opt/splunk/bin/splunk subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
node=rhel8.example.com type=FANOTIFY msg=audit(03/14/2022 17:43:30.150:21294716) : resp=deny
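When a host has more than one fapolicyd denial in a day, reading the raw records by hand gets tedious. The script below is an added example, not code from the post or from Splunk or fapolicyd; it parses `ausearch -i` text of the shape quoted above, groups the records by their `msg=audit(...)` event id, and reports each event whose FANOTIFY record says `resp=deny` together with the denied path, the parent executable, the syscall result and the user. The sample input embedded in the script is the five records quoted in the post; the field-parsing regex assumes the interpreted (`-i`) output format, where values such as `exit=EPERM(Operation not permitted)` carry spaces only inside parentheses.

```python
"""Triage fapolicyd (fanotify) denials from `ausearch -i` output.

Added example; not part of the original post. It joins the PROCTITLE, PATH,
SYSCALL and FANOTIFY records that share one audit event id, and summarises
every event that fapolicyd denied so the operator can see exactly which binary
under the install directory was blocked.
"""
import re
from collections import defaultdict

# Sample input: the records quoted in the post above, embedded so the script
# runs offline. Real use: SAMPLE = subprocess.run([...], capture_output=True).stdout
SAMPLE = """\
node=rhel8.example.com type=PROCTITLE msg=audit(03/14/2022 17:43:30.150:21294716) : proctitle=/opt/splunk/bin/splunk start
node=rhel8.example.com type=PATH msg=audit(03/14/2022 17:43:30.150:21294716) : item=0 name=/opt/splunk/bin/python3.7 inode=4328145 dev=fd:03 mode=file,555 ouid=splunk ogid=splunk rdev=00:00 obj=unconfined_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=rhel8.example.com type=CWD msg=audit(03/14/2022 17:43:30.150:21294716) : cwd=/home/lamech
node=rhel8.example.com type=SYSCALL msg=audit(03/14/2022 17:43:30.150:21294716) : arch=x86_64 syscall=execve success=no exit=EPERM(Operation not permitted) a0=0x5604c24f1980 a1=0x7ffeb0c870d0 a2=0x7ffeb0c86f40 a3=0x5 items=1 ppid=228305 pid=228318 auid=lamech uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=splunk exe=/opt/splunk/bin/splunk subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
node=rhel8.example.com type=FANOTIFY msg=audit(03/14/2022 17:43:30.150:21294716) : resp=deny
"""

MSG_RE = re.compile(r"msg=audit\(([^)]*)\)")
TYPE_RE = re.compile(r"\btype=(\S+)")
# key=value pairs; a value is either a token ending in a parenthesised phrase
# (EPERM(Operation not permitted), (null)) or a run of non-blank characters.
KV_RE = re.compile(r"(\w+)=((?:\S*\([^)]*\))|\S+)")


def parse_records(text):
    """Return {event_id: {record_type: {field: value}}} from `ausearch -i` text."""
    events = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        msg = MSG_RE.search(line)
        rtype = TYPE_RE.search(line)
        if not (msg and rtype):
            continue
        # Everything after the first " : " is the record body.
        body = line.split(" : ", 1)[1] if " : " in line else ""
        if rtype.group(1) == "PROCTITLE" and body.startswith("proctitle="):
            # The decoded command line may contain spaces; keep it whole.
            fields = {"proctitle": body[len("proctitle="):]}
        else:
            fields = dict(KV_RE.findall(body))
        events[msg.group(1)][rtype.group(1)] = fields
    return events


def fanotify_denials(events):
    """Summarise every event whose FANOTIFY record reports resp=deny."""
    denials = []
    for event_id, recs in sorted(events.items()):
        if recs.get("FANOTIFY", {}).get("resp") != "deny":
            continue
        syscall = recs.get("SYSCALL", {})
        denials.append({
            "event": event_id,
            "syscall": syscall.get("syscall"),
            "result": syscall.get("exit"),
            "parent_exe": syscall.get("exe"),
            "denied_path": recs.get("PATH", {}).get("name"),
            "auid": syscall.get("auid"),
            "uid": syscall.get("uid"),
            "cmdline": recs.get("PROCTITLE", {}).get("proctitle"),
        })
    return denials


def format_report(denials):
    """Render denials as one line per event for a quick read."""
    return "\n".join(
        f"{d['event']}: {d['syscall']} denied path={d['denied_path']} "
        f"by={d['parent_exe']} auid={d['auid']} uid={d['uid']} "
        f"result={d['result']} cmd={d['cmdline']!r}"
        for d in denials
    )


if __name__ == "__main__":
    print(format_report(fanotify_denials(parse_records(SAMPLE))))
```

The `denied_path` column is the one to act on: in the post's case it is `/opt/splunk/bin/python3.7`, launched by `/opt/splunk/bin/splunk`, which is what a trust or allow entry for the installation directory needs to cover.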