Bug 2096825 - ipa trust-add fails due to a missing SELinux policy for samba-dcerpcd
Summary: ipa trust-add fails due to a missing SELinux policy for samba-dcerpcd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.7
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.7
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2089955
Reported: 2022-06-14 11:39 UTC by Varun Mylaraiah
Modified: 2022-12-15 16:18 UTC

Fixed In Version: selinux-policy-3.14.3-104.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-08 10:44:31 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | fedora-selinux selinux-policy pull 1241 | 0 | None | Merged | Update samba-dcerpcd policy for kerberos | 2022-06-21 14:08:56 UTC
Github | fedora-selinux selinux-policy pull 1243 | 0 | None | Merged | Allow winbind_rpcd_t connect to self over a unix_stream_socket | 2022-06-21 14:08:59 UTC
Github | fedora-selinux selinux-policy pull 1248 | 0 | None | Merged | Allow samba-dcerpcd work with sssd | 2022-06-21 14:15:46 UTC
Red Hat Bugzilla | 2083504 | 1 | high | CLOSED | samba-dcerpcd and samba rpcd programs need selinux-policy permissions | 2023-06-17 06:36:43 UTC
Red Hat Bugzilla | 2096521 | 1 | medium | CLOSED | ipa trust-add fails with ipa: ERROR: CIFS server communication error : code "3221225996" | 2023-06-09 06:38:50 UTC
Red Hat Issue Tracker | RHELPLAN-125208 | 0 | None | None | None | 2022-06-14 11:47:49 UTC
Red Hat Product Errata | RHBA-2022:7691 | 0 | None | None | None | 2022-11-08 10:44:46 UTC

Description Varun Mylaraiah 2022-06-14 11:39:55 UTC
Description of problem:
ipa trust-add fails with ipa: ERROR: CIFS server communication error : code "3221225996" due to a missing SELinux policy for samba-dcerpcd to access Kerberos configuration, TLS certificates, LDAP, and so on.


Version-Release number of selected component (if applicable):
ipa-server-4.9.8-8.module+el8.7.0+14711+1e093de3.x86_64
selinux-policy-3.14.3-100.el8.noarch
selinux-policy-targeted-3.14.3-100.el8.noarch


[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.7 Beta (Ootpa)

[root@master ~]# setenforce 0
[root@master ~]# audit2allow -b

#============= winbind_rpcd_t ==============
allow winbind_rpcd_t devlog_t:lnk_file read;
allow winbind_rpcd_t krb5_conf_t:file getattr;
allow winbind_rpcd_t proc_net_t:file read;
allow winbind_rpcd_t samba_log_t:dir create;
allow winbind_rpcd_t usermodehelper_t:file read;

[root@master ~]# kinit admin
Password for admin:

[root@master ~]# echo Secret123 | ipa trust-add win2019.test --admin Administrator --password
-----------------------------------------------------
Added Active Directory trust for realm "win2019.test"
-----------------------------------------------------
  Realm name: win2019.test
  Domain NetBIOS name: WIN2019
  Domain Security Identifier: S-1-5-21-776578084-2477431509-2006500417
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified


[root@master ~]# audit2allow -b

#============= init_t ==============
allow init_t winbind_rpcd_t:dbus send_msg;

#============= winbind_rpcd_t ==============
allow winbind_rpcd_t devlog_t:lnk_file read;
allow winbind_rpcd_t devlog_t:sock_file write;
allow winbind_rpcd_t dirsrv_t:unix_stream_socket connectto;
allow winbind_rpcd_t dirsrv_var_run_t:sock_file write;
allow winbind_rpcd_t init_t:dbus send_msg;
allow winbind_rpcd_t kernel_t:unix_dgram_socket sendto;
allow winbind_rpcd_t krb5_conf_t:file { getattr open read };
allow winbind_rpcd_t krb5_keytab_t:dir search;
allow winbind_rpcd_t net_conf_t:file { getattr open read };
allow winbind_rpcd_t proc_net_t:file read;
allow winbind_rpcd_t samba_log_t:dir create;
allow winbind_rpcd_t smbd_var_run_t:file { getattr lock open read };
allow winbind_rpcd_t sssd_public_t:dir read;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow winbind_rpcd_t sssd_public_t:file map;
allow winbind_rpcd_t sssd_public_t:file { getattr open read };
allow winbind_rpcd_t sssd_t:unix_stream_socket connectto;
allow winbind_rpcd_t sssd_var_lib_t:sock_file write;
allow winbind_rpcd_t system_dbusd_t:dbus send_msg;
allow winbind_rpcd_t system_dbusd_t:unix_stream_socket connectto;
allow winbind_rpcd_t system_dbusd_var_run_t:sock_file write;
allow winbind_rpcd_t usermodehelper_t:file { open read };



[root@master ~]# audit2why -b
type=AVC msg=audit(1655197665.455:3125): avc:  denied  { read } for  pid=32926 comm="samba-dcerpcd" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.458:3126): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="core_pattern" dev="proc" ino=13192 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.458:3127): avc:  denied  { create } for  pid=32927 comm="samba-dcerpcd" name="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3128): avc:  denied  { getattr } for  pid=32927 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3129): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.268:3166): avc:  denied  { read } for  pid=33292 comm="samba-dcerpcd" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.270:3167): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="core_pattern" dev="proc" ino=13192 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.270:3168): avc:  denied  { create } for  pid=33293 comm="samba-dcerpcd" name="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3169): avc:  denied  { getattr } for  pid=33293 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3201): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3202): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3203): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.321:3208): avc:  denied  { read } for  pid=33520 comm="samba-dcerpcd" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.323:3209): avc:  denied  { open } for  pid=33521 comm="samba-dcerpcd" path="/proc/sys/kernel/core_pattern" dev="proc" ino=13192 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.323:3209): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="core_pattern" dev="proc" ino=13192 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.323:3210): avc:  denied  { create } for  pid=33521 comm="samba-dcerpcd" name="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.325:3211): avc:  denied  { open } for  pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.325:3211): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.325:3212): avc:  denied  { getattr } for  pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.325:3213): avc:  denied  { map } for  pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
	The boolean domain_can_mmap_files was set incorrectly.
	Description:
	Allow domain to can mmap files

	Allow access by executing:
	# setsebool -P domain_can_mmap_files 1
type=AVC msg=audit(1655206265.325:3214): avc:  denied  { connectto } for  pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.325:3214): avc:  denied  { write } for  pid=33521 comm="samba-dcerpcd" name="nss" dev="vda3" ino=17045861 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.329:3215): avc:  denied  { connectto } for  pid=33521 comm="samba-dcerpcd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.329:3215): avc:  denied  { write } for  pid=33521 comm="samba-dcerpcd" name="system_bus_socket" dev="tmpfs" ino=22654 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1655206265.330:3216): pid=769 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=33521 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1655206265.331:3217): pid=769 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=33521 tpid=1 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1655206265.332:3218): pid=769 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.362 spid=1 tpid=33521 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.336:3219): avc:  denied  { getattr } for  pid=33521 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.336:3220): avc:  denied  { open } for  pid=33521 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.336:3220): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.336:3221): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="krb5.include.d" dev="vda3" ino=614742 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.337:3222): avc:  denied  { getattr } for  pid=33521 comm="samba-dcerpcd" path="/etc/resolv.conf" dev="vda3" ino=25817632 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.337:3223): avc:  denied  { open } for  pid=33521 comm="samba-dcerpcd" path="/etc/resolv.conf" dev="vda3" ino=25817632 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.337:3223): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="resolv.conf" dev="vda3" ino=25817632 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3224): avc:  denied  { open } for  pid=33521 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=128227 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3224): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="krb5cc_samba" dev="tmpfs" ino=128227 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3225): avc:  denied  { lock } for  pid=33521 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=128227 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3226): avc:  denied  { getattr } for  pid=33521 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=128227 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3227): avc:  denied  { connectto } for  pid=33521 comm="samba-dcerpcd" path="/run/slapd-IPADOMAIN-TEST.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3227): avc:  denied  { write } for  pid=33521 comm="samba-dcerpcd" name="slapd-IPADOMAIN-TEST.socket" dev="tmpfs" ino=126935 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3228): avc:  denied  { sendto } for  pid=33521 comm="samba-dcerpcd" path="/run/systemd/journal/dev-log" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3228): avc:  denied  { write } for  pid=33521 comm="samba-dcerpcd" name="dev-log" dev="tmpfs" ino=13418 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3228): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.342:3229): avc:  denied  { search } for  pid=33521 comm="samba-dcerpcd" name="krb5" dev="vda3" ino=25230565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.717:3230): avc:  denied  { open } for  pid=33533 comm="rpcd_lsad" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.717:3230): avc:  denied  { read } for  pid=33533 comm="rpcd_lsad" name="initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.718:3231): avc:  denied  { getattr } for  pid=33533 comm="rpcd_lsad" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.718:3232): avc:  denied  { map } for  pid=33533 comm="rpcd_lsad" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
	The boolean domain_can_mmap_files was set incorrectly.
	Description:
	Allow domain to can mmap files

	Allow access by executing:
	# setsebool -P domain_can_mmap_files 1
type=AVC msg=audit(1655206265.912:3233): avc:  denied  { connectto } for  pid=33537 comm="rpcd_lsad" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
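
Added example (not part of the bug report or of selinux-policy): the Python below groups denials like those listed above by source type, target type and object class, so the accesses `winbind_rpcd_t` was missing can be reviewed as a short list, and it separates accesses that were actually blocked (`permissive=0`) from those only logged during the permissive run. The function names are this example's own; the sample records are copied from the listing above.

```python
import re
from collections import defaultdict

# Records copied from the listing above: a subset that includes one repeated
# denial, one commentary block and two USER_AVC events from dbus-daemon.
SAMPLE = """\
type=AVC msg=audit(1655205434.275:3191): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.
type=AVC msg=audit(1655205434.275:3192): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1655206265.325:3214): avc:  denied  { connectto } for  pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(1655206265.330:3216): pid=769 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=33521 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1655206265.331:3217): pid=769 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=33521 tpid=1 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1655206265.336:3219): avc:  denied  { getattr } for  pid=33521 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655206265.336:3220): avc:  denied  { open } for  pid=33521 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655206265.336:3220): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
"""

# Matches the denial itself, so kernel AVC and userspace USER_AVC both parse.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+"
    r"tclass=(?P<cls>\S+)\s+permissive=(?P<permissive>[01])"
)


def selinux_type(context):
    """Return the type field of user:role:type:level[:categories]."""
    return context.split(":")[2]


def summarize(text):
    """Group denials by (source type, target type, class).

    Commentary lines ("Was caused by ...") do not match and are skipped.
    """
    groups = defaultdict(lambda: {"perms": set(), "enforced": False, "events": 0})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["events"] += 1
        # permissive=0: the access was blocked, not merely logged.
        groups[key]["enforced"] |= m["permissive"] == "0"
    return dict(groups)


def to_rules(groups):
    """Render each group as a candidate TE rule for review (not a policy fix)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
        for (s, t, c), g in sorted(groups.items())
    ]


def blocked(groups):
    """Accesses denied while the domain was enforcing."""
    return sorted(k for k, g in groups.items() if g["enforced"])


if __name__ == "__main__":
    g = summarize(SAMPLE)
    print("\n".join(to_rules(g)))
    print("blocked while enforcing:", blocked(g))
```

On this sample only the `devlog_t` symlink read was blocked while enforcing; the other accesses appear only in the permissive run, which is why a full list of missing rules needs a permissive pass before the policy is updated.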

Comment 4 Zdenek Pytela 2022-06-21 14:15:47 UTC
List of commits to backport:
88a28fc84 Allow samba-dcerpcd work with sssd
e9ed412d4 Allow winbind_rpcd_t connect to self over a unix_stream_socket
e6584a214 Update samba-dcerpcd policy for kerberos usage

Additional ones are mentioned in bz#2083504.

Comment 10 Zdenek Pytela 2022-06-28 09:24:12 UTC
The test fails because the policy was not complete; it also needs
commit 837f63743214363362334e910dcb06d35cd5cb99 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 27 17:22:40 2022 +0200

    Update samba-dcerpcd policy for kerberos usage 2

Comment 11 Zdenek Pytela 2022-06-28 18:34:44 UTC
https://gitlab.cee.redhat.com/SELinux/selinux-policy/-/commit/cd13e4d375d95fcb472eec6692f7b1b372f4e804?merge_request_iid=595
commit cd13e4d375d95fcb472eec6692f7b1b372f4e804 (HEAD -> rhel8.7-contrib, upstream/rhel8.7-contrib, origin/rhel8.7-contrib)
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 27 17:22:40 2022 +0200

    Update samba-dcerpcd policy for kerberos usage 2

    These additional permissions were added:
    - read kerberos key tables
    - read generic SSL certificates

    Resolves: rhbz#2096825

Comment 18 errata-xmlrpc 2022-11-08 10:44:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691

