Bug 742485

Description of problem:

this is when a winStation joins a samba domain:

Sep 30 10:55:41 whale setroubleshoot: SELinux is preventing /bin/bash from execute access on the file nscd. For complete SELinux messages. run sealert -l 616bd29e-d86e-4270-be43-e63b59674123
Sep 30 10:55:41 whale setroubleshoot: SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/nscd. For complete SELinux messages. run sealert -l 26ec3e45-8b67-49a0-aa40-eb62c29aa68e
Sep 30 10:55:41 whale setroubleshoot: SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/nscd. For complete SELinux messages. run sealert -l 26ec3e45-8b67-49a0-aa40-eb62c29aa68e
Sep 30 10:55:46 whale smbd[59284]: [2011/09/30 10:55:46.715384,  0] passdb/pdb_interface.c:348(pdb_default_create_user)
Sep 30 10:55:46 whale smbd[59284]:   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "work14$"' gave 9
Sep 30 10:55:46 whale setroubleshoot: SELinux is preventing /bin/bash from execute access on the file nscd. For complete SELinux messages. run sealert -l 616bd29e-d86e-4270-be43-e63b59674123
Sep 30 10:55:47 whale setroubleshoot: SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/nscd. For complete SELinux messages. run sealert -l 26ec3e45-8b67-49a0-aa40-eb62c29aa68e
Sep 30 10:55:47 whale setroubleshoot: SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/nscd. For complete SELinux messages. run sealert -l 26ec3e45-8b67-49a0-aa40-eb62c29aa68e
Sep 30 10:55:57 whale dhcpd: DHCPREQUEST for 192.168.2.74 from 52:54:00:12:34:89 (WORK14) via br0
Sep 30 10:55:57 whale dhcpd: DHCPACK on 192.168.2.74 to 52:54:00:12:34:89 (WORK14) via br0
Sep 30 10:55:57 whale smbd[59284]: [2011/09/30 10:55:57.724571,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Sep 30 10:55:57 whale smbd[59284]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WORK14 machine account WORK14$

here is what sealer advises
SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/nscd.

*****  Plugin samba_share (75.5 confidence) suggests  ************************

If you want to allow bash to have getattr access on the nscd file
Then you need to change the label on '/etc/rc.d/init.d/nscd'
Do
# semanage fcontext -a -t samba_share_t '/etc/rc.d/init.d/nscd'
# restorecon  -v '/etc/rc.d/init.d/nscd'

*****  Plugin catchall_boolean (12.2 confidence) suggests  *******************

If you want to allow samba to share any file/directory read only.
Then you must tell SELinux about this by enabling the 'samba_export_all_ro' boolean.
Do
setsebool -P samba_export_all_ro 1

*****  Plugin catchall_boolean (12.2 confidence) suggests  *******************

If you want to allow samba to share any file/directory read/write.
Then you must tell SELinux about this by enabling the 'samba_export_all_rw' boolean.
Do
setsebool -P samba_export_all_rw 1

*****  Plugin catchall (1.97 confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the nscd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:
somehow without generating a custom module, ideally maybe with a help of a boolean, these things would work?


Additional info: