Bug 2096825 - ipa trust-add fails due to a missing SELinux policy for samba-dcerpcd
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.7
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.7
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Blocks: 2089955
Reported: 2022-06-14 11:39 UTC by Varun Mylaraiah
Modified: 2022-11-08 12:21 UTC

Fixed In Version: selinux-policy-3.14.3-104.el8
Doc Type: No Doc Update
Last Closed: 2022-11-08 10:44:31 UTC
Type: Bug

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | fedora-selinux selinux-policy pull 1241 | 0 | None | Merged | Update samba-dcerpcd policy for kerberos | 2022-06-21 14:08:56 UTC
Github | fedora-selinux selinux-policy pull 1243 | 0 | None | Merged | Allow winbind_rpcd_t connect to self over a unix_stream_socket | 2022-06-21 14:08:59 UTC
Github | fedora-selinux selinux-policy pull 1248 | 0 | None | Merged | Allow samba-dcerpcd work with sssd | 2022-06-21 14:15:46 UTC
Red Hat Bugzilla | 2083504 | 1 | high | CLOSED | samba-dcerpcd and samba rpcd programs need selinux-policy permissions | 2022-11-08 12:44:23 UTC
Red Hat Bugzilla | 2096521 | 1 | medium | CLOSED | ipa trust-add fails with ipa: ERROR: CIFS server communication error : code "3221225996" | 2022-11-15 14:15:58 UTC
Red Hat Issue Tracker | RHELPLAN-125208 | 0 | None | None | None | 2022-06-14 11:47:49 UTC
Red Hat Product Errata | RHBA-2022:7691 | 0 | None | None | None | 2022-11-08 10:44:46 UTC

Description Varun Mylaraiah 2022-06-14 11:39:55 UTC
Description of problem:
ipa trust-add fails with ipa: ERROR: CIFS server communication error : code "3221225996" due to a missing SELinux policy for samba-dcerpcd to access Kerberos configuration, TLS certificates, LDAP, and so on.


Version-Release number of selected component (if applicable):
ipa-server-4.9.8-8.module+el8.7.0+14711+1e093de3.x86_64
selinux-policy-3.14.3-100.el8.noarch
selinux-policy-targeted-3.14.3-100.el8.noarch


[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.7 Beta (Ootpa)

[root@master ~]# setenforce 0
[root@master ~]# audit2allow -b

#============= winbind_rpcd_t ==============
allow winbind_rpcd_t devlog_t:lnk_file read;
allow winbind_rpcd_t krb5_conf_t:file getattr;
allow winbind_rpcd_t proc_net_t:file read;
allow winbind_rpcd_t samba_log_t:dir create;
allow winbind_rpcd_t usermodehelper_t:file read;

[root@master ~]# kinit admin
Password for admin:

[root@master ~]# echo Secret123 | ipa trust-add win2019.test --admin Administrator --password
-----------------------------------------------------
Added Active Directory trust for realm "win2019.test"
-----------------------------------------------------
  Realm name: win2019.test
  Domain NetBIOS name: WIN2019
  Domain Security Identifier: S-1-5-21-776578084-2477431509-2006500417
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified


[root@master ~]# audit2allow -b

#============= init_t ==============
allow init_t winbind_rpcd_t:dbus send_msg;

#============= winbind_rpcd_t ==============
allow winbind_rpcd_t devlog_t:lnk_file read;
allow winbind_rpcd_t devlog_t:sock_file write;
allow winbind_rpcd_t dirsrv_t:unix_stream_socket connectto;
allow winbind_rpcd_t dirsrv_var_run_t:sock_file write;
allow winbind_rpcd_t init_t:dbus send_msg;
allow winbind_rpcd_t kernel_t:unix_dgram_socket sendto;
allow winbind_rpcd_t krb5_conf_t:file { getattr open read };
allow winbind_rpcd_t krb5_keytab_t:dir search;
allow winbind_rpcd_t net_conf_t:file { getattr open read };
allow winbind_rpcd_t proc_net_t:file read;
allow winbind_rpcd_t samba_log_t:dir create;
allow winbind_rpcd_t smbd_var_run_t:file { getattr lock open read };
allow winbind_rpcd_t sssd_public_t:dir read;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow winbind_rpcd_t sssd_public_t:file map;
allow winbind_rpcd_t sssd_public_t:file { getattr open read };
allow winbind_rpcd_t sssd_t:unix_stream_socket connectto;
allow winbind_rpcd_t sssd_var_lib_t:sock_file write;
allow winbind_rpcd_t system_dbusd_t:dbus send_msg;
allow winbind_rpcd_t system_dbusd_t:unix_stream_socket connectto;
allow winbind_rpcd_t system_dbusd_var_run_t:sock_file write;
allow winbind_rpcd_t usermodehelper_t:file { open read };



[root@master ~]# audit2why -b
type=AVC msg=audit(1655197665.455:3125): avc:  denied  { read } for  pid=32926 comm="samba-dcerpcd" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.458:3126): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="core_pattern" dev="proc" ino=13192 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.458:3127): avc:  denied  { create } for  pid=32927 comm="samba-dcerpcd" name="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3128): avc:  denied  { getattr } for  pid=32927 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3129): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3130): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3131): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3132): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3133): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3134): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3135): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3136): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3137): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3138): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3139): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3140): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3141): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3142): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3143): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.464:3144): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3145): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3146): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3147): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3148): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3149): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3150): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3151): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3152): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3153): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3154): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3155): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3156): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3157): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3158): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3159): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655197665.465:3160): avc:  denied  { read } for  pid=32927 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.268:3166): avc:  denied  { read } for  pid=33292 comm="samba-dcerpcd" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.270:3167): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="core_pattern" dev="proc" ino=13192 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.270:3168): avc:  denied  { create } for  pid=33293 comm="samba-dcerpcd" name="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3169): avc:  denied  { getattr } for  pid=33293 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3170): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3171): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3172): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3173): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3174): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3175): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3176): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3177): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3178): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3179): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3180): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3181): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3182): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3183): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3184): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.274:3185): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3186): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3187): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3188): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3189): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3190): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3191): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3192): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3193): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3194): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3195): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3196): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3197): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3198): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3199): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3200): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3201): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3202): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205434.275:3203): avc:  denied  { read } for  pid=33293 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.321:3208): avc:  denied  { read } for  pid=33520 comm="samba-dcerpcd" name="unix" dev="proc" ino=4026532055 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.323:3209): avc:  denied  { open } for  pid=33521 comm="samba-dcerpcd" path="/proc/sys/kernel/core_pattern" dev="proc" ino=13192 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.323:3209): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="core_pattern" dev="proc" ino=13192 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.323:3210): avc:  denied  { create } for  pid=33521 comm="samba-dcerpcd" name="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.325:3211): avc:  denied  { open } for  pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.325:3211): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.325:3212): avc:  denied  { getattr } for  pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.325:3213): avc:  denied  { map } for  pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
	The boolean domain_can_mmap_files was set incorrectly.
	Description:
	Allow domain to can mmap files

	Allow access by executing:
	# setsebool -P domain_can_mmap_files 1
type=AVC msg=audit(1655206265.325:3214): avc:  denied  { connectto } for  pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.325:3214): avc:  denied  { write } for  pid=33521 comm="samba-dcerpcd" name="nss" dev="vda3" ino=17045861 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.329:3215): avc:  denied  { connectto } for  pid=33521 comm="samba-dcerpcd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.329:3215): avc:  denied  { write } for  pid=33521 comm="samba-dcerpcd" name="system_bus_socket" dev="tmpfs" ino=22654 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1655206265.330:3216): pid=769 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=33521 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1655206265.331:3217): pid=769 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=33521 tpid=1 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1655206265.332:3218): pid=769 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.362 spid=1 tpid=33521 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.336:3219): avc:  denied  { getattr } for  pid=33521 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.336:3220): avc:  denied  { open } for  pid=33521 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.336:3220): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="krb5.conf" dev="vda3" ino=25166094 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.336:3221): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="krb5.include.d" dev="vda3" ino=614742 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.337:3222): avc:  denied  { getattr } for  pid=33521 comm="samba-dcerpcd" path="/etc/resolv.conf" dev="vda3" ino=25817632 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.337:3223): avc:  denied  { open } for  pid=33521 comm="samba-dcerpcd" path="/etc/resolv.conf" dev="vda3" ino=25817632 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.337:3223): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="resolv.conf" dev="vda3" ino=25817632 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3224): avc:  denied  { open } for  pid=33521 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=128227 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3224): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="krb5cc_samba" dev="tmpfs" ino=128227 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3225): avc:  denied  { lock } for  pid=33521 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=128227 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3226): avc:  denied  { getattr } for  pid=33521 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=128227 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3227): avc:  denied  { connectto } for  pid=33521 comm="samba-dcerpcd" path="/run/slapd-IPADOMAIN-TEST.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3227): avc:  denied  { write } for  pid=33521 comm="samba-dcerpcd" name="slapd-IPADOMAIN-TEST.socket" dev="tmpfs" ino=126935 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3228): avc:  denied  { sendto } for  pid=33521 comm="samba-dcerpcd" path="/run/systemd/journal/dev-log" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3228): avc:  denied  { write } for  pid=33521 comm="samba-dcerpcd" name="dev-log" dev="tmpfs" ino=13418 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.341:3228): avc:  denied  { read } for  pid=33521 comm="samba-dcerpcd" name="log" dev="devtmpfs" ino=13420 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.342:3229): avc:  denied  { search } for  pid=33521 comm="samba-dcerpcd" name="krb5" dev="vda3" ino=25230565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.717:3230): avc:  denied  { open } for  pid=33533 comm="rpcd_lsad" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.717:3230): avc:  denied  { read } for  pid=33533 comm="rpcd_lsad" name="initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.718:3231): avc:  denied  { getattr } for  pid=33533 comm="rpcd_lsad" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655206265.718:3232): avc:  denied  { map } for  pid=33533 comm="rpcd_lsad" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
	Was caused by:
	The boolean domain_can_mmap_files was set incorrectly.
	Description:
	Allow domain to can mmap files

	Allow access by executing:
	# setsebool -P domain_can_mmap_files 1
type=AVC msg=audit(1655206265.912:3233): avc:  denied  { connectto } for  pid=33537 comm="rpcd_lsad" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

Comment 4 Zdenek Pytela 2022-06-21 14:15:47 UTC
List of commits to backport:
88a28fc84 Allow samba-dcerpcd work with sssd
e9ed412d4 Allow winbind_rpcd_t connect to self over a unix_stream_socket
e6584a214 Update samba-dcerpcd policy for kerberos usage

Additional ones are mentioned in bz#2083504.

Comment 10 Zdenek Pytela 2022-06-28 09:24:12 UTC
The test fails because the policy was not complete; it also needs
commit 837f63743214363362334e910dcb06d35cd5cb99 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 27 17:22:40 2022 +0200

    Update samba-dcerpcd policy for kerberos usage 2

Comment 11 Zdenek Pytela 2022-06-28 18:34:44 UTC
https://gitlab.cee.redhat.com/SELinux/selinux-policy/-/commit/cd13e4d375d95fcb472eec6692f7b1b372f4e804?merge_request_iid=595
commit cd13e4d375d95fcb472eec6692f7b1b372f4e804 (HEAD -> rhel8.7-contrib, upstream/rhel8.7-contrib, origin/rhel8.7-contrib)
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 27 17:22:40 2022 +0200

    Update samba-dcerpcd policy for kerberos usage 2

    These additional permissions were added:
    - read kerberos key tables
    - read generic SSL certificates

    Resolves: rhbz#2096825

Comment 18 errata-xmlrpc 2022-11-08 10:44:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691

