Description of problem:
net (from samba-common package) can't write to /etc/samba/secrets.tdb if it has selinux type samba_etc_t instead of a samba_secrets_t.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-137.el5

How reproducible:
always

Steps to Reproduce:
setup samba as a domain member
mv /etc/samba/secrets.{tdb,tdb-backup}
smbpasswd -a root #after this the file should be recreated as samba_etc_t
net rpc join -Uadministrator%password

Actual results:
- join fails, " Failed to open /etc/samba/secrets.tdb" is logged by net command
- avc log:
type=AVC msg=audit(1218619830.312:196): avc: denied { write } for pid=26555 comm="net" name="secrets.tdb" dev=sda3 ino=8060986 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=root:object_r:samba_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1218619830.312:196): arch=40000003 syscall=5 success=no exit=-13 a0=bff0ecd8 a1=8042 a2=180 a3=8042 items=0 ppid=3022 pid=26555 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1218619830.338:197): avc: denied { write } for pid=26555 comm="net" name="secrets.tdb" dev=sda3 ino=8060986 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=root:object_r:samba_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1218619830.338:197): arch=40000003 syscall=5 success=no exit=-13 a0=bff0e988 a1=8042 a2=180 a3=8042 items=0 ppid=3022 pid=26555 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)

Expected results:
successful domain join

Additional info:

This is a labeling problem; restorecon -R -v /etc/samba should fix it. This file was moved to a different directory in newer versions of samba, so it should get labeled correctly in the future.
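
A triage sketch for the denials quoted in this report, added as an example and not part of the original thread: it parses the AVC records, collapses repeats, and flags targets whose type differs from the expected one. The `EXPECTED_TYPE` table and the function names are assumptions made for illustration; on a live system the expected label comes from the loaded policy's file contexts.

```python
import re
from collections import Counter

# The two AVC records from the report above (SYSCALL records omitted).
SAMPLE_LOG = """\
type=AVC msg=audit(1218619830.312:196): avc: denied { write } for pid=26555 comm="net" name="secrets.tdb" dev=sda3 ino=8060986 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=root:object_r:samba_etc_t:s0 tclass=file
type=AVC msg=audit(1218619830.338:197): avc: denied { write } for pid=26555 comm="net" name="secrets.tdb" dev=sda3 ino=8060986 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=root:object_r:samba_etc_t:s0 tclass=file
"""

# Assumption for this example: expected type per file name, as stated in the report.
EXPECTED_TYPE = {"secrets.tdb": "samba_secrets_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s.*?comm="(?P<comm>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Extract one dict per AVC denial; non-AVC lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "comm": m["comm"], "name": m["name"], "tclass": m["tclass"],
                "perms": tuple(m["perms"].split()),
                "source_type": se_type(m["scontext"]),
                "target_type": se_type(m["tcontext"]),
            })
    return denials

def find_mislabeled(log_text, expected=EXPECTED_TYPE):
    """Collapse repeated denials and keep those hitting a mislabeled file."""
    counts = Counter(tuple(sorted(d.items())) for d in parse_denials(log_text))
    findings = []
    for key, count in counts.items():
        d = dict(key)
        want = expected.get(d["name"])
        if want and d["target_type"] != want:
            findings.append({**d, "expected_type": want, "count": count})
    return findings

if __name__ == "__main__":
    for f in find_mislabeled(SAMPLE_LOG):
        print(f"{f['comm']} denied {f['perms']} on {f['name']}: "
              f"{f['target_type']} != {f['expected_type']} (x{f['count']})")
```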