Description of problem:
The winbind service is being blocked from creating its local idmap database as well as its cache files and log files, due to SELinux restrictions. This breaks winbind operation when used with a local idmap database. I haven't tested it yet with an LDAP backend to see if it's working at all.

Four example AVC denials below:

Feb 4 13:10:52 sbonnevi-lt kernel: audit(1107540652.621:0): avc: denied { create } for pid=4651 exe=/usr/sbin/winbindd name=winbindd.log scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t tclass=file
Feb 4 13:10:52 sbonnevi-lt kernel: audit(1107540652.622:0): avc: denied { create } for pid=4651 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
Feb 4 13:10:52 sbonnevi-lt kernel: audit(1107540652.651:0): avc: denied { create } for pid=4652 exe=/usr/sbin/winbindd name=netsamlogon_cache.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
Feb 4 13:10:56 sbonnevi-lt kernel: audit(1107540656.814:0): avc: denied { create } for pid=4652 exe=/usr/sbin/winbindd name=winbindd_cache.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file

It was my understanding from the current release notes that winbindd is not SUPPOSED to be a confined service, since it's not on the list. :(

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.52.1
samba*-3.0.10-1.4E
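The denials quoted in the report above can be grouped by source type, target type and object class to see which access vectors the loaded policy did not grant to winbind_t. This is an added example, not part of the original report; the function names are hypothetical, and the allow-rule notation is used only as a triage summary of what was denied.

```python
import re
from collections import defaultdict

# Sample input: the four denial lines quoted in the report.
SAMPLE_LOG = """\
Feb 4 13:10:52 sbonnevi-lt kernel: audit(1107540652.621:0): avc: denied { create } for pid=4651 exe=/usr/sbin/winbindd name=winbindd.log scontext=root:system_r:winbind_t tcontext=root:object_r:samba_log_t tclass=file
Feb 4 13:10:52 sbonnevi-lt kernel: audit(1107540652.622:0): avc: denied { create } for pid=4651 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
Feb 4 13:10:52 sbonnevi-lt kernel: audit(1107540652.651:0): avc: denied { create } for pid=4652 exe=/usr/sbin/winbindd name=netsamlogon_cache.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
Feb 4 13:10:56 sbonnevi-lt kernel: audit(1107540656.814:0): avc: denied { create } for pid=4652 exe=/usr/sbin/winbindd name=winbindd_cache.tdb scontext=root:system_r:winbind_t tcontext=root:object_r:samba_var_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return the fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        return {
            "perms": m.group("perms").split(),
            "source": fields["scontext"].split(":")[2],  # user:role:type
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "name": fields.get("name", "?"),
        }
    except (KeyError, IndexError):  # truncated or malformed record
        return None

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["names"].add(rec["name"])
    return dict(groups)

def as_rules(groups):
    """Render each denied access vector in allow-rule notation."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE_LOG))))
```
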
It should be added to the list. This bug is one of many that have been fixed but did not make the cutoff for RC. It will be fixed in Update 1. You can grab the FC3 policy to test it out.

Dan
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-251.html