Bug 2096825
| Summary: | ipa trust-add fails due to a missing SELinux policy for samba-dcerpcd | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Varun Mylaraiah <mvarun> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.7 | CC: | dkarpele, lvrabec, mmalik, ssekidde, zpytela |
| Target Milestone: | rc | Keywords: | AutoVerified, TestBlocker, Triaged |
| Target Release: | 8.7 | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-104.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-11-08 10:44:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2089955 | | |

List of commits to backport:
88a28fc84 Allow samba-dcerpcd work with sssd
e9ed412d4 Allow winbind_rpcd_t connect to self over a unix_stream_socket
e6584a214 Update samba-dcerpcd policy for kerberos usage
Additional ones are mentioned in bz#2083504.

The test fails because the policy was not complete, needs also
commit 837f63743214363362334e910dcb06d35cd5cb99 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date: Mon Jun 27 17:22:40 2022 +0200
Update samba-dcerpcd policy for kerberos usage 2

https://gitlab.cee.redhat.com/SELinux/selinux-policy/-/commit/cd13e4d375d95fcb472eec6692f7b1b372f4e804?merge_request_iid=595

commit cd13e4d375d95fcb472eec6692f7b1b372f4e804 (HEAD -> rhel8.7-contrib, upstream/rhel8.7-contrib, origin/rhel8.7-contrib)
Author: Zdenek Pytela <zpytela>
Date: Mon Jun 27 17:22:40 2022 +0200

Update samba-dcerpcd policy for kerberos usage 2

These additional permissions were added:
- read kerberos key tables
- read generic SSL certificates

Resolves: rhbz#2096825

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:7691

Description of problem:
ipa trust-add fails with ipa: ERROR: CIFS server communication error : code "3221225996" due to a missing SELinux policy for samba-dcerpcd to access Kerberos configuration, TLS certificates, LDAP, and so on.

Version-Release number of selected component (if applicable):
ipa-server-4.9.8-8.module+el8.7.0+14711+1e093de3.x86_64
selinux-policy-3.14.3-100.el8.noarch
selinux-policy-targeted-3.14.3-100.el8.noarch

[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.7 Beta (Ootpa)
[root@master ~]# setenforce 0
[root@master ~]# audit2allow -b

#============= winbind_rpcd_t ==============
allow winbind_rpcd_t devlog_t:lnk_file read;
allow winbind_rpcd_t krb5_conf_t:file getattr;
allow winbind_rpcd_t proc_net_t:file read;
allow winbind_rpcd_t samba_log_t:dir create;
allow winbind_rpcd_t usermodehelper_t:file read;

[root@master ~]# kinit admin
Password for admin:
[root@master ~]# echo Secret123 | ipa trust-add win2019.test --admin Administrator --password
-----------------------------------------------------
Added Active Directory trust for realm "win2019.test"
-----------------------------------------------------
  Realm name: win2019.test
  Domain NetBIOS name: WIN2019
  Domain Security Identifier: S-1-5-21-776578084-2477431509-2006500417
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@master ~]# audit2allow -b

#============= init_t ==============
allow init_t winbind_rpcd_t:dbus send_msg;

#============= winbind_rpcd_t ==============
allow winbind_rpcd_t devlog_t:lnk_file read;
allow winbind_rpcd_t devlog_t:sock_file write;
allow winbind_rpcd_t dirsrv_t:unix_stream_socket connectto;
allow winbind_rpcd_t dirsrv_var_run_t:sock_file write;
allow winbind_rpcd_t init_t:dbus send_msg;
allow winbind_rpcd_t kernel_t:unix_dgram_socket sendto;
allow winbind_rpcd_t krb5_conf_t:file { getattr open read };
allow winbind_rpcd_t krb5_keytab_t:dir search;
allow winbind_rpcd_t net_conf_t:file { getattr open read };
allow winbind_rpcd_t proc_net_t:file read;
allow winbind_rpcd_t samba_log_t:dir create;
allow winbind_rpcd_t smbd_var_run_t:file { getattr lock open read };
allow winbind_rpcd_t sssd_public_t:dir read;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow winbind_rpcd_t sssd_public_t:file map;
allow winbind_rpcd_t sssd_public_t:file { getattr open read };
allow winbind_rpcd_t sssd_t:unix_stream_socket connectto;
allow winbind_rpcd_t sssd_var_lib_t:sock_file write;
allow winbind_rpcd_t system_dbusd_t:dbus send_msg;
allow winbind_rpcd_t system_dbusd_t:unix_stream_socket connectto;
allow winbind_rpcd_t system_dbusd_var_run_t:sock_file write;
allow winbind_rpcd_t usermodehelper_t:file { open read };

[root@master ~]# audit2why -b
type=AVC msg=audit(1655197665.455:3125): avc: denied { read } for pid=32926 comm="samba-dcerpcd" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.458:3126): avc: denied { read } for pid=32927 comm="samba-dcerpcd" name="core_pattern" dev="proc" ino=13192 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.458:3127): avc: denied { create } for pid=32927 comm="samba-dcerpcd" name="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3128): avc: denied { getattr } for pid=32927 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3129): avc: denied { read } for pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3130): avc: denied { read } for pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3131): avc: denied { read } for pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3132): avc: denied { read } for pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3158): avc: denied { read } for pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3159): avc: denied { read } for pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3160): avc: denied { read } for pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.268:3166): avc: denied { read } for pid=33292 comm="samba-dcerpcd" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.270:3167): avc: denied { read } for pid=33293 comm="samba-dcerpcd" name="core_pattern" dev="proc" ino=13192 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.270:3168): avc: denied { create } for pid=33293 comm="samba-dcerpcd" name="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3169): avc: denied { getattr } for pid=33293 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3170): avc: denied { read } for pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3171): avc: denied { read } for pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3172): avc: denied { read } for pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3203): avc: denied { read } for pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.321:3208): avc: denied { read } for pid=33520 comm="samba-dcerpcd" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.323:3209): avc: denied { open } for pid=33521 comm="samba-dcerpcd" path="/proc/sys/kernel/core_pattern" dev="proc" ino=13192 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.323:3209): avc: denied { read } for pid=33521 comm="samba-dcerpcd" name="core_pattern" dev="proc" ino=13192 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.323:3210): avc: denied { create } for pid=33521 comm="samba-dcerpcd" name="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.325:3211): avc: denied { open } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.325:3211): avc: denied { read } for pid=33521 comm="samba-dcerpcd" name="initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.325:3212): avc: denied { getattr } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.325:3213): avc: denied { map } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
    Was caused by: The boolean domain_can_mmap_files was set incorrectly.
    Description: Allow domain to can mmap files
    Allow access by executing: # setsebool -P domain_can_mmap_files 1
type=AVC msg=audit(1655206265.325:3214): avc: denied { connectto } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.325:3214): avc: denied { write } for pid=33521 comm="samba-dcerpcd" name="nss" dev="vda3" ino=17045861 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.329:3215): avc: denied { connectto } for pid=33521 comm="samba-dcerpcd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.329:3215): avc: denied { write } for pid=33521 comm="samba-dcerpcd" name="system_bus_socket" dev="tmpfs" ino=22654 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=USER_AVC msg=audit(1655206265.330:3216): pid=769 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=33521 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=USER_AVC msg=audit(1655206265.331:3217): pid=769 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=33521 tpid=1 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=USER_AVC msg=audit(1655206265.332:3218): pid=769 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.362 spid=1 tpid=33521 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.336:3219): avc: denied { getattr } for pid=33521 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.336:3220): avc: denied { open } for pid=33521 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.336:3220): avc: denied { read } for pid=33521 comm="samba-dcerpcd" name="krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.336:3221): avc: denied { read } for pid=33521 comm="samba-dcerpcd" name="krb5.include.d" dev="vda3" ino=614742 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.337:3222): avc: denied { getattr } for pid=33521 comm="samba-dcerpcd" path="/etc/resolv.conf" dev="vda3" ino=25817632 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.337:3223): avc: denied { open } for pid=33521 comm="samba-dcerpcd" path="/etc/resolv.conf" dev="vda3" ino=25817632 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.337:3223): avc: denied { read } for pid=33521 comm="samba-dcerpcd" name="resolv.conf" dev="vda3" ino=25817632 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.341:3224): avc: denied { open } for pid=33521 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=128227 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.341:3224): avc: denied { read } for pid=33521 comm="samba-dcerpcd" name="krb5cc_samba" dev="tmpfs" ino=128227 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.341:3225): avc: denied { lock } for pid=33521 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=128227 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.341:3226): avc: denied { getattr } for pid=33521 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=128227 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.341:3227): avc: denied { connectto } for pid=33521 comm="samba-dcerpcd" path="/run/slapd-IPADOMAIN-TEST.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.341:3227): avc: denied { write } for pid=33521 comm="samba-dcerpcd" name="slapd-IPADOMAIN-TEST.socket" dev="tmpfs" ino=126935 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.341:3228): avc: denied { sendto } for pid=33521 comm="samba-dcerpcd" path="/run/systemd/journal/dev-log" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.341:3228): avc: denied { write } for pid=33521 comm="samba-dcerpcd" name="dev-log" dev="tmpfs" ino=13418 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.341:3228): avc: denied { read } for pid=33521 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.342:3229): avc: denied { search } for pid=33521 comm="samba-dcerpcd" name="krb5" dev="vda3" ino=25230565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.717:3230): avc: denied { open } for pid=33533 comm="rpcd_lsad" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.717:3230): avc: denied { read } for pid=33533 comm="rpcd_lsad" name="initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.718:3231): avc: denied { getattr } for pid=33533 comm="rpcd_lsad" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1655206265.718:3232): avc: denied { map } for pid=33533 comm="rpcd_lsad" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
    Was caused by: The boolean domain_can_mmap_files was set incorrectly.
    Description: Allow domain to can mmap files
    Allow access by executing: # setsebool -P domain_can_mmap_files 1
type=AVC msg=audit(1655206265.912:3233): avc: denied { connectto } for pid=33537 comm="rpcd_lsad" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
    Was caused by: Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.