Attempting to use the wins NSS module from samba-common with nscd results in the following: avc: denied { search } for pid=29246 exe=/usr/sbin/nscd name=samba dev=dm-1 ino=2229524 scontext=root:system_r:nscd_t tcontext=system_u:object_r:samba_etc_t tclass=dir avc: denied { search } for pid=29246 exe=/usr/sbin/nscd name=samba dev=dm-1 ino=2229524 scontext=root:system_r:nscd_t tcontext=system_u:object_r:samba_etc_t tclass=dir avc: denied { getattr } for pid=29246 exe=/usr/sbin/nscd path=/var/cache/samba dev=dm-1 ino=7241973 scontext=root:system_r:nscd_t tcontext=system_u:object_r:samba_var_t tclass=dir avc: denied { read } for pid=29246 exe=/usr/sbin/nscd name=unexpected.tdb dev=dm-1 ino=7242850 scontext=root:system_r:nscd_t tcontext=root:object_r:var_t tclass=file avc: denied { getattr } for pid=29246 exe=/usr/sbin/nscd path=/var/cache/samba dev=dm-1 ino=7241973 scontext=root:system_r:nscd_t tcontext=system_u:object_r:samba_var_t tclass=dir NSCD may also want write access to things in /var/cache/samba (it being a cache), but it obviously doesn't get that far. The winbind NSS module may also trigger something similar, although since that talks to an external daemon, it'll probably require different rules.
Please update to the latest policy yum update selinux-policy-targeted And try it again.
After updating to selinux-policy-targeted-1.21.14-2, relabeling /var/cache/samba (mostly var_t -> samba_var_t, nothing that should matter) and restarting nscd, I still get the same denials.