Bug 871816 - rhel6.4 ipactl restart avc denials for various services
Summary: rhel6.4 ipactl restart avc denials for various services
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-10-31 13:18 UTC by Scott Poore
Modified: 2013-02-21 08:32 UTC (History)

Fixed In Version: selinux-policy-3.7.19-180.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 08:32:02 UTC
Target Upstream Version:
Embargoed:


Attachments
Comment (224.69 KB, text/plain), 2012-10-31 17:17 UTC, Scott Poore


Links
Red Hat Product Errata RHBA-2013:0314 (normal, SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2013-02-20 20:35:01 UTC

Description Scott Poore 2012-10-31 13:18:37 UTC
Description of problem:

We're seeing AVC denials on various services when doing ipactl restart. Most obvious is when we are using Trusts. In this case smb and winbind do not start due to AVC denials.

[root@rhel6-1 ~]# date; ipactl restart
Wed Oct 31 09:14:02 EDT 2012
Restarting Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Starting dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Starting ipa_memcached:                                    [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]
Restarting ADTRUST Service
Shutting down SMB services:                                [FAILED]
Starting SMB services:                                     [  OK  ]
Restarting EXTID Service

Shutting down Winbind services:                            [FAILED]
Starting Winbind services:                                 [  OK  ]
[root@rhel6-1 ~]# ausearch -m avc -ts 09:14
----
time->Wed Oct 31 09:14:09 2012
type=SYSCALL msg=audit(1351689249.096:44391): arch=c000003e syscall=1 success=no exit=-13 a0=5 a1=7fff64acdb48 a2=8 a3=7fff64acd8c0 items=0 ppid=1 pid=7035 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=unconfined_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1351689249.096:44391): avc:  denied  { write } for  pid=7035 comm="krb5kdc" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3654 scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
----
time->Wed Oct 31 09:14:14 2012
type=SYSCALL msg=audit(1351689254.505:44392): arch=c000003e syscall=1 success=no exit=-13 a0=5 a1=7fffdaaafd48 a2=8 a3=7fffdaaafac0 items=0 ppid=1 pid=7063 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="kadmind" exe="/usr/sbin/kadmind" subj=unconfined_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(1351689254.505:44392): avc:  denied  { write } for  pid=7063 comm="kadmind" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3654 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
----
time->Wed Oct 31 09:15:03 2012
type=SYSCALL msg=audit(1351689303.870:44401): arch=c000003e syscall=2 success=no exit=-13 a0=be6010 a1=0 a2=180 a3=7fff9a33e940 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689303.870:44401): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:03 2012
type=SYSCALL msg=audit(1351689303.873:44402): arch=c000003e syscall=2 success=no exit=-13 a0=be6010 a1=0 a2=180 a3=8 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689303.873:44402): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:04 2012
type=SYSCALL msg=audit(1351689304.040:44403): arch=c000003e syscall=87 success=no exit=-13 a0=be6010 a1=ffffffff a2=1 a3=7fff9a33ebc0 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689304.040:44403): avc:  denied  { unlink } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:04 2012
type=SYSCALL msg=audit(1351689304.150:44404): arch=c000003e syscall=4 success=no exit=-13 a0=c13b90 a1=7fff9a33ecd0 a2=7fff9a33ecd0 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689304.150:44404): avc:  denied  { getattr } for  pid=8716 comm="smbd" path="/var/run/samba/krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:04 2012
type=SYSCALL msg=audit(1351689304.154:44405): arch=c000003e syscall=2 success=no exit=-13 a0=be6010 a1=0 a2=180 a3=7fff9a33eb20 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689304.154:44405): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:04 2012
type=SYSCALL msg=audit(1351689304.314:44406): arch=c000003e syscall=49 success=no exit=-13 a0=12 a1=7fffcd5d8220 a2=6e a3=7fffcd5d7f00 items=0 ppid=1 pid=8743 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1351689304.314:44406): avc:  denied  { create } for  pid=8743 comm="winbindd" name="pipe" scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Oct 31 09:15:05 2012
type=SYSCALL msg=audit(1351689305.156:44407): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689305.156:44407): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:05 2012
type=SYSCALL msg=audit(1351689305.156:44408): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=8 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689305.156:44408): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:05 2012
type=SYSCALL msg=audit(1351689305.298:44409): arch=c000003e syscall=87 success=no exit=-13 a0=be7020 a1=ffffffff a2=1 a3=7fff9a33f360 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689305.298:44409): avc:  denied  { unlink } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:05 2012
type=SYSCALL msg=audit(1351689305.299:44410): arch=c000003e syscall=4 success=no exit=-13 a0=c11600 a1=7fff9a33ecd0 a2=7fff9a33ecd0 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689305.299:44410): avc:  denied  { getattr } for  pid=8716 comm="smbd" path="/var/run/samba/krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:05 2012
type=SYSCALL msg=audit(1351689305.299:44411): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=18 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689305.299:44411): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:06 2012
type=SYSCALL msg=audit(1351689306.302:44413): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=8 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689306.302:44413): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:06 2012
type=SYSCALL msg=audit(1351689306.439:44414): arch=c000003e syscall=87 success=no exit=-13 a0=be7020 a1=ffffffff a2=1 a3=7fff9a33f360 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689306.439:44414): avc:  denied  { unlink } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:06 2012
type=SYSCALL msg=audit(1351689306.302:44412): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689306.302:44412): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:06 2012
type=SYSCALL msg=audit(1351689306.439:44415): arch=c000003e syscall=4 success=no exit=-13 a0=c12030 a1=7fff9a33ecd0 a2=7fff9a33ecd0 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689306.439:44415): avc:  denied  { getattr } for  pid=8716 comm="smbd" path="/var/run/samba/krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:06 2012
type=SYSCALL msg=audit(1351689306.439:44416): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=18 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689306.439:44416): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:07 2012
type=SYSCALL msg=audit(1351689307.441:44418): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=8 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689307.441:44418): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:07 2012
type=SYSCALL msg=audit(1351689307.554:44419): arch=c000003e syscall=87 success=no exit=-13 a0=be7020 a1=ffffffff a2=1 a3=7fff9a33f360 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689307.554:44419): avc:  denied  { unlink } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:07 2012
type=SYSCALL msg=audit(1351689307.555:44420): arch=c000003e syscall=4 success=no exit=-13 a0=c11ff0 a1=7fff9a33ecd0 a2=7fff9a33ecd0 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689307.555:44420): avc:  denied  { getattr } for  pid=8716 comm="smbd" path="/var/run/samba/krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:07 2012
type=SYSCALL msg=audit(1351689307.555:44421): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=18 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689307.555:44421): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:08 2012
type=SYSCALL msg=audit(1351689308.557:44423): arch=c000003e syscall=2 success=no exit=-13 a0=be43c0 a1=0 a2=180 a3=8 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689308.557:44423): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:08 2012
type=SYSCALL msg=audit(1351689308.668:44424): arch=c000003e syscall=87 success=no exit=-13 a0=be43c0 a1=ffffffff a2=1 a3=7fff9a33f360 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689308.668:44424): avc:  denied  { unlink } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:08 2012
type=SYSCALL msg=audit(1351689308.669:44425): arch=c000003e syscall=4 success=no exit=-13 a0=be4160 a1=7fff9a33ecd0 a2=7fff9a33ecd0 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689308.669:44425): avc:  denied  { getattr } for  pid=8716 comm="smbd" path="/var/run/samba/krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:08 2012
type=SYSCALL msg=audit(1351689308.669:44426): arch=c000003e syscall=2 success=no exit=-13 a0=be43c0 a1=0 a2=180 a3=18 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689308.669:44426): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:07 2012
type=SYSCALL msg=audit(1351689307.441:44417): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689307.441:44417): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:08 2012
type=SYSCALL msg=audit(1351689308.557:44422): arch=c000003e syscall=2 success=no exit=-13 a0=be43c0 a1=0 a2=180 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689308.557:44422): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:09 2012
type=SYSCALL msg=audit(1351689309.703:44428): arch=c000003e syscall=2 success=no exit=-13 a0=c0e9a0 a1=0 a2=180 a3=8 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689309.703:44428): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:09 2012
type=SYSCALL msg=audit(1351689309.703:44427): arch=c000003e syscall=2 success=no exit=-13 a0=c0e9a0 a1=0 a2=180 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689309.703:44427): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:11 2012
type=SYSCALL msg=audit(1351689311.502:44429): arch=c000003e syscall=87 success=no exit=-13 a0=c0e9a0 a1=ffffffff a2=1 a3=7fff9a33f360 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689311.502:44429): avc:  denied  { unlink } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:11 2012
type=SYSCALL msg=audit(1351689311.503:44430): arch=c000003e syscall=4 success=no exit=-13 a0=be40c0 a1=7fff9a33ecd0 a2=7fff9a33ecd0 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689311.503:44430): avc:  denied  { getattr } for  pid=8716 comm="smbd" path="/var/run/samba/krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:11 2012
type=SYSCALL msg=audit(1351689311.503:44431): arch=c000003e syscall=2 success=no exit=-13 a0=c0e9a0 a1=0 a2=180 a3=18 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689311.503:44431): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:12 2012
type=SYSCALL msg=audit(1351689312.504:44433): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=8 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689312.504:44433): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:12 2012
type=SYSCALL msg=audit(1351689312.504:44432): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689312.504:44432): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:12 2012
type=SYSCALL msg=audit(1351689312.577:44434): arch=c000003e syscall=87 success=no exit=-13 a0=be7020 a1=ffffffff a2=1 a3=7fff9a33f360 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689312.577:44434): avc:  denied  { unlink } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:12 2012
type=SYSCALL msg=audit(1351689312.579:44435): arch=c000003e syscall=4 success=no exit=-13 a0=c176a0 a1=7fff9a33ecd0 a2=7fff9a33ecd0 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689312.579:44435): avc:  denied  { getattr } for  pid=8716 comm="smbd" path="/var/run/samba/krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:12 2012
type=SYSCALL msg=audit(1351689312.579:44436): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=18 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689312.579:44436): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:13 2012
type=SYSCALL msg=audit(1351689313.580:44437): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689313.580:44437): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:13 2012
type=SYSCALL msg=audit(1351689313.580:44438): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=8 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689313.580:44438): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:13 2012
type=SYSCALL msg=audit(1351689313.735:44439): arch=c000003e syscall=87 success=no exit=-13 a0=be7020 a1=ffffffff a2=1 a3=7fff9a33f360 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689313.735:44439): avc:  denied  { unlink } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:13 2012
type=SYSCALL msg=audit(1351689313.736:44440): arch=c000003e syscall=4 success=no exit=-13 a0=c1ca70 a1=7fff9a33ecd0 a2=7fff9a33ecd0 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689313.736:44440): avc:  denied  { getattr } for  pid=8716 comm="smbd" path="/var/run/samba/krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:13 2012
type=SYSCALL msg=audit(1351689313.736:44441): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=18 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689313.736:44441): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:14 2012
type=SYSCALL msg=audit(1351689314.737:44443): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=8 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689314.737:44443): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:14 2012
type=SYSCALL msg=audit(1351689314.876:44444): arch=c000003e syscall=87 success=no exit=-13 a0=be7020 a1=ffffffff a2=1 a3=7fff9a33f360 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689314.876:44444): avc:  denied  { unlink } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:14 2012
type=SYSCALL msg=audit(1351689314.877:44445): arch=c000003e syscall=4 success=no exit=-13 a0=c0c940 a1=7fff9a33ecd0 a2=7fff9a33ecd0 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689314.877:44445): avc:  denied  { getattr } for  pid=8716 comm="smbd" path="/var/run/samba/krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:14 2012
type=SYSCALL msg=audit(1351689314.737:44442): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689314.737:44442): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:14 2012
type=SYSCALL msg=audit(1351689314.877:44446): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=18 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689314.877:44446): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:15 2012
type=SYSCALL msg=audit(1351689315.880:44448): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=8 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689315.880:44448): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:15 2012
type=SYSCALL msg=audit(1351689315.967:44449): arch=c000003e syscall=87 success=no exit=-13 a0=be7020 a1=ffffffff a2=1 a3=7fff9a33f360 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689315.967:44449): avc:  denied  { unlink } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:15 2012
type=SYSCALL msg=audit(1351689315.967:44450): arch=c000003e syscall=4 success=no exit=-13 a0=c178e0 a1=7fff9a33ecd0 a2=7fff9a33ecd0 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689315.967:44450): avc:  denied  { getattr } for  pid=8716 comm="smbd" path="/var/run/samba/krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:15 2012
type=SYSCALL msg=audit(1351689315.967:44451): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=18 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689315.967:44451): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:15 2012
type=SYSCALL msg=audit(1351689315.880:44447): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689315.880:44447): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:18 2012
type=SYSCALL msg=audit(1351689318.069:44458): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=8 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689318.069:44458): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:17 2012
type=SYSCALL msg=audit(1351689317.068:44455): arch=c000003e syscall=4 success=no exit=-13 a0=c18690 a1=7fff9a33ecd0 a2=7fff9a33ecd0 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689317.068:44455): avc:  denied  { getattr } for  pid=8716 comm="smbd" path="/var/run/samba/krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:17 2012
type=SYSCALL msg=audit(1351689317.068:44456): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=18 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689317.068:44456): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:18 2012
type=SYSCALL msg=audit(1351689318.069:44457): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689318.069:44457): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:18 2012
type=SYSCALL msg=audit(1351689318.249:44459): arch=c000003e syscall=87 success=no exit=-13 a0=be7020 a1=ffffffff a2=1 a3=7fff9a33f360 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689318.249:44459): avc:  denied  { unlink } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:18 2012
type=SYSCALL msg=audit(1351689318.249:44460): arch=c000003e syscall=4 success=no exit=-13 a0=c18440 a1=7fff9a33ecd0 a2=7fff9a33ecd0 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689318.249:44460): avc:  denied  { getattr } for  pid=8716 comm="smbd" path="/var/run/samba/krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:18 2012
type=SYSCALL msg=audit(1351689318.250:44461): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=18 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689318.250:44461): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:16 2012
type=SYSCALL msg=audit(1351689316.969:44452): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=4 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689316.969:44452): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:16 2012
type=SYSCALL msg=audit(1351689316.969:44453): arch=c000003e syscall=2 success=no exit=-13 a0=be7020 a1=0 a2=180 a3=8 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689316.969:44453): avc:  denied  { read } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Oct 31 09:15:17 2012
type=SYSCALL msg=audit(1351689317.067:44454): arch=c000003e syscall=87 success=no exit=-13 a0=be7020 a1=ffffffff a2=1 a3=7fff9a33f360 items=0 ppid=1 pid=8716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351689317.067:44454): avc:  denied  { unlink } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file


Version-Release number of selected component (if applicable):
[root@rhel6-1 ~]# rpm -q ipa-server samba4 selinux-policy
ipa-server-3.0.0-106.20121026T1837zgitf14dd98.el6.x86_64
samba4-4.0.0-38.el6.rc3.x86_64
selinux-policy-3.7.19-175.el6.noarch


How reproducible:
Always

Steps to Reproduce:
0.  setenforce 0
1.  Setup IPA Master
2.  Setup AD Trust with Master
3.  setenforce 1
4.  ipactl restart
  
Actual results:
Above AVCs seen and smb and winbind do not restart.

Expected results:
No AVCs and everything restarts cleanly.


Additional info:

Comment 2 Rob Crittenden 2012-10-31 14:24:15 UTC
Alexander tells me these have been addressed in F-18 policy. Can these be ported to RHEL?

Comment 3 Miroslav Grepl 2012-10-31 14:34:29 UTC
We don't have

/var/run/samba(/.*)?            gen_context(system_u:object_r:smbd_var_run_t,s0)

in RHEL6.4.

type=AVC msg=audit(1351689249.096:44391): avc:  denied  { write } for  pid=7035 comm="krb5kdc" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3654 scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file

is fixed in another bug.

Comment 5 Scott Poore 2012-10-31 16:19:41 UTC
I tried the updated rpms, but I still see the smb/winbind (at least) errors.

[root@rhel6-1 yum.local.d]#  rpm -qa|grep selinux-policy
selinux-policy-3.7.19-177.el6.noarch
selinux-policy-targeted-3.7.19-177.el6.noarch

So, Miroslav, are you saying the /var/run/samba rule is new and should be added by something else?

Thanks,
Scott

Comment 6 Scott Poore 2012-10-31 17:17:31 UTC
Created attachment 915509
Comment

(This comment was longer than 65,535 characters and has been moved to an attachment by Red Hat Bugzilla).

Comment 8 Miroslav Grepl 2012-10-31 20:48:51 UTC
I apologize I did not add a fix to this release. You can test it using


# chcon -Rt smbd_var_run_t /var/run/samba

Comment 9 Scott Poore 2012-11-01 02:10:36 UTC
Ok, so you're planning on fixing that in a different version?   

That fixed the file read/write/etc. issue, but it looks like there are still a lot of socket-related ones:

time->Wed Oct 31 21:53:11 2012
type=SYSCALL msg=audit(1351734791.246:54002): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=7fffaaedee60 a2=1c a3=7fffaaedee5c items=0 ppid=19404 pid=19425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351734791.246:54002): avc:  denied  { name_bind } for  pid=19425 comm="smbd" src=1300 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----

And there is also this winbind one still:

type=SYSCALL msg=audit(1351734791.381:54003): arch=c000003e syscall=6 success=no exit=-13 a0=327e6266fb a1=7fff4e137300 a2=7fff4e137300 a3=7fff4e137080 items=0 ppid=1 pid=19432 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=338 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1351734791.381:54003): avc:  denied  { search } for  pid=19432 comm="winbindd" name="samba" dev=dm-0 ino=142202 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=dir

Rerunning the ipa trust-add, it shows many of the same winbind one above too.

Thanks,
Scott

Comment 10 Miroslav Grepl 2012-11-01 07:59:01 UTC
Yes, it is going to be fixed in the next release.

Why is smbd using tcp/1300?

Is this by default?

Comment 11 Scott Poore 2012-11-01 14:24:32 UTC
I'm not sure.  I'll have to get input from the developers on that one.  That's not something I selected.  In fact, looking closer at the AVCs, it's trying to cycle through a large number of ports from 1024 to 1300 at least.  Let me see if I can track down someone that can comment on that one.

Thanks,
Scott

Comment 12 Alexander Bokovoy 2012-11-01 14:30:10 UTC
I think I commented already but somebody dropped my comment.

This is expected behavior because we run smbd in LSA RPC portmapper mode. It takes ports out of non-privileged space.

Comment 13 Daniel Walsh 2012-11-01 14:34:24 UTC
Seems like it would need a boolean for this. Samba could bind to any tcp port > 1024?

Comment 14 Alexander Bokovoy 2012-11-01 14:46:02 UTC
Btw, we dealt with this in Fedora 17 cycle already. In an email discussion around mid March you (Daniel) did mention boolean samba_portmapper that would cover this case.

Comment 15 Miroslav Grepl 2012-11-01 15:17:19 UTC
Alexander,
you are right. Will backport.

Comment 16 Miroslav Grepl 2012-11-01 18:33:39 UTC
Could you test it with

selinux-policy-3.7.19-178.el6

https://brewweb.devel.redhat.com/buildinfo?buildID=241470

Comment 17 Scott Poore 2012-11-01 21:08:15 UTC
Ok, I can see the samba_portmapper boolean.  When I turn that on, set SELinux to Enforcing and restart IPA, I see FAR FEWER AVC denials.

This is what's left:
*************************************
AVCs for smb accessing /var/lib/sss/mc/passwd
*************************************
----
time->Thu Nov  1 17:00:19 2012
type=SYSCALL msg=audit(1351803619.291:29145): arch=c000003e syscall=2 success=no exit=-13 a0=1f414d0 a1=80000 a2=0 a3=7fff908a39f0 items=0 ppid=1 pid=29949 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=507 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351803619.291:29145): avc:  denied  { read } for  pid=29949 comm="smbd" name="passwd" dev=dm-0 ino=6486 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
----
time->Thu Nov  1 17:00:19 2012
type=SYSCALL msg=audit(1351803619.293:29146): arch=c000003e syscall=2 success=no exit=-13 a0=1f414d0 a1=80000 a2=0 a3=17 items=0 ppid=1 pid=29949 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=507 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351803619.293:29146): avc:  denied  { read } for  pid=29949 comm="smbd" name="passwd" dev=dm-0 ino=6486 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
----
time->Thu Nov  1 17:00:19 2012
type=SYSCALL msg=audit(1351803619.294:29147): arch=c000003e syscall=2 success=no exit=-13 a0=1f414d0 a1=80000 a2=0 a3=17 items=0 ppid=1 pid=29949 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=507 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1351803619.294:29147): avc:  denied  { read } for  pid=29949 comm="smbd" name="passwd" dev=dm-0 ino=6486 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file



*************************************
AVCs for accessing /var/cache/samba/netsamlogon_cache.tdb
*************************************
----
time->Thu Nov  1 17:00:19 2012
type=SYSCALL msg=audit(1351803619.528:29148): arch=c000003e syscall=2 success=no exit=-13 a0=2101180 a1=42 a2=180 a3=6361635f6e6f676f items=0 ppid=1 pid=29976 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=507 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1351803619.528:29148): avc:  denied  { read write } for  pid=29976 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=6676 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Thu Nov  1 17:00:19 2012
type=SYSCALL msg=audit(1351803619.528:29149): arch=c000003e syscall=76 success=no exit=-13 a0=2101180 a1=0 a2=2102890 a3=7fffb56c98e0 items=0 ppid=1 pid=29976 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=507 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1351803619.528:29149): avc:  denied  { write } for  pid=29976 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=6676 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Thu Nov  1 17:00:19 2012
type=SYSCALL msg=audit(1351803619.529:29150): arch=c000003e syscall=2 success=no exit=-13 a0=2101180 a1=42 a2=180 a3=6361635f6e6f676f items=0 ppid=1 pid=29976 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=507 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1351803619.529:29150): avc:  denied  { read write } for  pid=29976 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=6676 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file


*************************************
AVCs for winbind socket create
*************************************
----
time->Thu Nov  1 17:00:19 2012
type=SYSCALL msg=audit(1351803619.530:29151): arch=c000003e syscall=49 success=no exit=-13 a0=11 a1=7fffb56c9b40 a2=6e a3=7fffb56c9820 items=0 ppid=1 pid=29976 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=507 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1351803619.530:29151): avc:  denied  { create } for  pid=29976 comm="winbindd" name="pipe" scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:smbd_var_run_t:s0 tclass=sock_file


So, can those be fixed?

Thanks.

Comment 18 Miroslav Grepl 2012-11-02 08:48:47 UTC
Ok, these are different.

# matchpathcon /var/cache/samba
/var/cache/samba	system_u:object_r:samba_var_t:s0

So this directory is mislabeled.

# rpm -qf /var/cache/samba

# restorecon -R -v /var/cache/samba
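
Added example (not code from this bug report or from the selinux-policy package): a small Python triage script that applies the reasoning of comment 3, comments 12-16 and comment 18 to raw `ausearch -m avc` output. For each (source domain, target type, class, object) it decides whether the object merely carries the wrong label (the `/var/run/samba` and `/var/cache/samba` cases, fixed with `restorecon`), whether a boolean covers it (`samba_portmapper` for smbd binding unreserved TCP ports), or whether the policy genuinely lacks an allow rule. The `FILE_CONTEXTS` table is a constructed subset built only from labels quoted in this thread, `INODE_INDEX` is a constructed (dev, ino) to path map of the kind `find /var -inum` produces, and the sample records are copied from this bug; everything else is an assumption of the example, not a statement about the shipped policy.

```python
"""AVC triage: mislabeled object or genuine policy gap?

Added example, not code from this bug or from selinux-policy. Feed it the
raw records from `ausearch -m avc`; SYSCALL and time-> lines are ignored.
"""
import re
from collections import OrderedDict

# Constructed subset of file_contexts, limited to labels quoted in this bug
# (comment 3: /var/run/samba; comment 18: matchpathcon /var/cache/samba).
# As with matchpathcon, the LAST matching entry wins, so general rules go first.
FILE_CONTEXTS = [
    (r"/var(/.*)?",             "var_t"),
    (r"/var/run(/.*)?",         "var_run_t"),
    (r"/var/run/samba(/.*)?",   "smbd_var_run_t"),
    (r"/var/cache/samba(/.*)?", "samba_var_t"),
    (r"/var/lib/sss(/.*)?",     "sssd_var_lib_t"),
]

# Denials covered by a boolean rather than a label: smbd in LSA RPC
# portmapper mode binds unreserved TCP ports (comments 12-16).
BOOLEAN_HINTS = {
    ("smbd_t", "port_t", "tcp_socket"): "samba_portmapper",
}

# Classes whose label comes from file_contexts; ports and sockets cannot be
# fixed by relabelling, so a denial there is always a rule/boolean question.
FS_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file",
              "chr_file", "blk_file"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]+)"'
    r'(?:\s+(?:name|path)="(?P<name>[^"]+)")?'
    r'(?:\s+src=(?P<src>\d+))?'
    r'(?:\s+dev=(?P<dev>\S+)\s+ino=(?P<ino>\d+))?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)')


def parse_avc(line):
    """Return the fields of one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["stype"] = d["scontext"].split(":")[2]   # e.g. smbd_t
    d["ttype"] = d["tcontext"].split(":")[2]   # e.g. var_run_t
    return d


def expected_type(path):
    """matchpathcon-style lookup against FILE_CONTEXTS (last match wins)."""
    found = None
    for regex, ftype in FILE_CONTEXTS:
        if re.fullmatch(regex, path):
            found = ftype
    return found


def resolve_target(d, inode_index):
    """Most records carry only name=, so map (dev, ino) to a path the way
    comment 25 does with `find /var -inum`; fall back to the bare name."""
    if d["name"] and d["name"].startswith("/"):
        return d["name"]
    if d["dev"] and d["ino"]:
        hit = inode_index.get((d["dev"], d["ino"]))
        if hit:
            return hit
    return d["name"]


def verdict(stype, ttype, tclass, target, perms):
    plist = " ".join(sorted(perms))
    gap = "POLICY GAP: allow %s %s:%s { %s }" % (stype, ttype, tclass, plist)
    hint = BOOLEAN_HINTS.get((stype, ttype, tclass))
    if hint:
        return "BOOLEAN: setsebool -P %s=on (%s %s:%s { %s })" % (
            hint, stype, ttype, tclass, plist)
    if tclass not in FS_CLASSES:
        return gap
    if not (target or "").startswith("/"):
        return "UNRESOLVED: locate %r (parent labelled %s) and rerun" % (target, ttype)
    want = expected_type(target)
    if want is None:
        return "NO RULE: no file_contexts entry covers %s" % target
    if want != ttype:
        return "MISLABELED: restorecon -R -v %s (expected %s, found %s)" % (
            target, want, ttype)
    return gap


def triage(lines, inode_index):
    """Group denials by (domain, type, class, object), merge their
    permissions, and return one verdict per group in first-seen order."""
    groups = OrderedDict()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["stype"], d["ttype"], d["tclass"], resolve_target(d, inode_index))
        groups.setdefault(key, set()).update(d["perms"])
    return [verdict(*key, perms) for key, perms in groups.items()]


# Constructed sample: five AVC records copied from this bug report.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1351689314.876:44444): avc:  denied  { unlink } for  pid=8716 comm="smbd" name="krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1351689314.877:44445): avc:  denied  { getattr } for  pid=8716 comm="smbd" path="/var/run/samba/krb5cc_samba" dev=dm-0 ino=142151 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1351734791.246:54002): avc:  denied  { name_bind } for  pid=19425 comm="smbd" src=1300 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1351803619.528:29148): avc:  denied  { read write } for  pid=29976 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=6676 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file',
    'type=AVC msg=audit(1351734791.381:54003): avc:  denied  { search } for  pid=19432 comm="winbindd" name="samba" dev=dm-0 ino=142202 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=dir',
]

# Constructed (dev, ino) -> path index, as `find /var -inum N` would report it.
INODE_INDEX = {
    ("dm-0", "142151"): "/var/run/samba/krb5cc_samba",
    ("dm-0", "6676"):   "/var/cache/samba/netsamlogon_cache.tdb",
    ("dm-0", "142202"): "/var/run/samba",
}

if __name__ == "__main__":
    for v in triage(SAMPLE_AVCS, INODE_INDEX):
        print(v)
```

On the sample records the script reproduces the thread's conclusions: the two krb5cc_samba denials collapse into one MISLABELED verdict for /var/run/samba (the chcon/restorecon fix), the netsamlogon_cache.tdb denial is MISLABELED against samba_var_t (comment 18), the tcp/1300 name_bind maps to the samba_portmapper boolean, and winbind_t searching a correctly labelled smbd_var_run_t directory is reported as a real policy gap, which is what the next policy build had to add. Replace `SAMPLE_AVCS` with the lines of `ausearch -m avc` and fill `INODE_INDEX` from `find /var -inum` for the inodes it cannot resolve.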

Comment 19 Miroslav Grepl 2012-11-05 14:56:35 UTC
Also there was a bug with /var/lib/sss/mc labeling which has been fixed in the latest build. Switching back to ON_QA.

Comment 20 Steeve Goveas 2012-11-07 14:40:25 UTC
[root@ratchet audit]# rpm -qa | grep selinux-policy
selinux-policy-3.7.19-179.el6.noarch
selinux-policy-targeted-3.7.19-179.el6.noarch

[root@ratchet ~]# ipa-adtrust-install

[root@ratchet ~]# ipactl restart

[root@ratchet ~]# ipa trust-add --type=ad adlab.qe --admin Administrator --password

[root@ratchet audit]# ausearch -m avc -ts 15:00
----
time->Wed Nov  7 15:22:30 2012
type=SYSCALL msg=audit(1352319750.736:1350): arch=c000003e syscall=2 success=no exit=-13 a0=171fc70 a1=42 a2=180 a3=6361635f6e6f676f items=0 ppid=1 pid=29326 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=142 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1352319750.736:1350): avc:  denied  { read write } for  pid=29326 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=273996 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Wed Nov  7 15:22:30 2012
type=SYSCALL msg=audit(1352319750.736:1351): arch=c000003e syscall=76 success=no exit=-13 a0=171fc70 a1=0 a2=171fd10 a3=7fffcd103780 items=0 ppid=1 pid=29326 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=142 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1352319750.736:1351): avc:  denied  { write } for  pid=29326 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=273996 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Wed Nov  7 15:22:30 2012
type=SYSCALL msg=audit(1352319750.736:1352): arch=c000003e syscall=2 success=no exit=-13 a0=171fc70 a1=42 a2=180 a3=6361635f6e6f676f items=0 ppid=1 pid=29326 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=142 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1352319750.736:1352): avc:  denied  { read write } for  pid=29326 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=273996 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Wed Nov  7 15:25:43 2012
type=SYSCALL msg=audit(1352319943.475:1354): arch=c000003e syscall=76 success=no exit=-13 a0=2037c70 a1=0 a2=2037d10 a3=7fffcba0f3b0 items=0 ppid=1 pid=29665 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=142 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1352319943.475:1354): avc:  denied  { write } for  pid=29665 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=273996 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Wed Nov  7 15:25:43 2012
type=SYSCALL msg=audit(1352319943.475:1355): arch=c000003e syscall=2 success=no exit=-13 a0=2037c70 a1=42 a2=180 a3=6361635f6e6f676f items=0 ppid=1 pid=29665 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=142 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1352319943.475:1355): avc:  denied  { read write } for  pid=29665 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=273996 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Wed Nov  7 15:25:43 2012
type=SYSCALL msg=audit(1352319943.474:1353): arch=c000003e syscall=2 success=no exit=-13 a0=2037c70 a1=42 a2=180 a3=6361635f6e6f676f items=0 ppid=1 pid=29665 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=142 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1352319943.474:1353): avc:  denied  { read write } for  pid=29665 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=273996 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Wed Nov  7 15:34:02 2012
type=SYSCALL msg=audit(1352320442.635:1394): arch=c000003e syscall=2 success=no exit=-13 a0=8dcc70 a1=42 a2=180 a3=6361635f6e6f676f items=0 ppid=1 pid=30877 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=142 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1352320442.635:1394): avc:  denied  { read write } for  pid=30877 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=273996 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Wed Nov  7 15:34:02 2012
type=SYSCALL msg=audit(1352320442.636:1395): arch=c000003e syscall=76 success=no exit=-13 a0=8dcc70 a1=0 a2=8dcd10 a3=7fff9849d6c0 items=0 ppid=1 pid=30877 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=142 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1352320442.636:1395): avc:  denied  { write } for  pid=30877 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=273996 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Wed Nov  7 15:34:02 2012
type=SYSCALL msg=audit(1352320442.636:1396): arch=c000003e syscall=2 success=no exit=-13 a0=8dcc70 a1=42 a2=180 a3=6361635f6e6f676f items=0 ppid=1 pid=30877 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=142 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1352320442.636:1396): avc:  denied  { read write } for  pid=30877 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=273996 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Wed Nov  7 15:34:58 2012
type=SYSCALL msg=audit(1352320498.120:1398): arch=c000003e syscall=2 success=no exit=-13 a0=21bf0b0 a1=42 a2=180 a3=6361635f6e6f676f items=0 ppid=30851 pid=30978 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=142 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1352320498.120:1398): avc:  denied  { read write } for  pid=30978 comm="smbd" name="netsamlogon_cache.tdb" dev=dm-0 ino=273996 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Wed Nov  7 15:34:58 2012
type=SYSCALL msg=audit(1352320498.121:1399): arch=c000003e syscall=76 success=no exit=-13 a0=21bf0b0 a1=0 a2=21c6b00 a3=7fff56901bf0 items=0 ppid=30851 pid=30978 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=142 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1352320498.121:1399): avc:  denied  { write } for  pid=30978 comm="smbd" name="netsamlogon_cache.tdb" dev=dm-0 ino=273996 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Wed Nov  7 15:34:58 2012
type=SYSCALL msg=audit(1352320498.121:1400): arch=c000003e syscall=2 success=no exit=-13 a0=21bf0b0 a1=42 a2=180 a3=6361635f6e6f676f items=0 ppid=30851 pid=30978 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=142 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1352320498.121:1400): avc:  denied  { read write } for  pid=30978 comm="smbd" name="netsamlogon_cache.tdb" dev=dm-0 ino=273996 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Wed Nov  7 15:34:57 2012
type=SYSCALL msg=audit(1352320497.464:1397): arch=c000003e syscall=21 success=no exit=-13 a0=7faa0ab1a110 a1=4 a2=7faa0ab1a11e a3=ffffffffffffff00 items=0 ppid=30348 pid=30492 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=142 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1352320497.464:1397): avc:  denied  { read } for  pid=30492 comm="httpd" name="unix" dev=proc ino=4026532007 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Comment 21 Daniel Walsh 2012-11-07 15:58:30 UTC
Where is netsamlogon_cache.tdb located? It looks like it is mislabeled.

Does

restorecon -R -v /var

Fix any labels?

Comment 22 Scott Poore 2012-11-07 18:55:00 UTC
It's in /var/cache/samba.

Yes, it does fix many labels for me. Testing again:

# setsebool samba_portmapper=on

# ipactl restart
Restarting Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Starting dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Starting ipa_memcached:                                    [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]
Restarting ADTRUST Service
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Restarting EXTID Service

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]

# ausearch -m avc -ts 13:46
<no matches>


So, the ipactl stuff appears to be fixed.

Testing ipa trust-add though I do see one last AVC:

# ausearch -m avc -ts 13:46
----
time->Wed Nov  7 13:49:08 2012
type=SYSCALL msg=audit(1352314148.841:21576): arch=c000003e syscall=21 success=yes exit=0 a0=7ff60becffa0 a1=4 a2=7ff60becffae a3=ffffffffffffff00 items=0 ppid=24739 pid=24883 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=679 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1352314148.841:21576): avc:  denied  { read } for  pid=24883 comm="httpd" name="unix" dev=proc ino=4026532007 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Comment 23 Daniel Walsh 2012-11-07 20:27:10 UTC
That is allowed in Fedora, so it should be back ported.

Comment 24 Scott Poore 2012-11-09 17:14:07 UTC
Ok, any idea when it'll hit rhel64 repos?

Thanks

Comment 25 Scott Poore 2012-11-13 16:54:53 UTC
On a fresh install, I see this for ipa-adtrust-install when it tries to start winbind:

[root@rhel6-1 ~]# ausearch -m avc
----
time->Tue Nov 13 10:36:30 2012
type=SYSCALL msg=audit(1352820990.923:15077): arch=c000003e syscall=83 success=no exit=-13 a0=101c250 a1=1ed a2=ffffffff a3=61 items=0 ppid=1 pid=5987 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1352820990.923:15077): avc:  denied  { write } for  pid=5987 comm="winbindd" name="cache" dev=dm-0 ino=129287 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
----
time->Tue Nov 13 10:36:31 2012
type=SYSCALL msg=audit(1352820991.221:15078): arch=c000003e syscall=83 success=no exit=-13 a0=7f0ebb4636fb a1=1ed a2=ffffffffffffff88 a3=7fffa084e0d0 items=0 ppid=1 pid=5987 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1352820991.221:15078): avc:  denied  { create } for  pid=5987 comm="winbindd" name="winbindd" scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:smbd_var_run_t:s0 tclass=dir

[root@rhel6-1 ~]# find /var -inum 129287
/var/cache

[root@rhel6-1 ~]# ps -ef|grep winbind
root      6010  1419  0 10:37 pts/0    00:00:00 grep winbind

Can this be fixed and the httpd/unix one make it in time for the RHEL6.4 beta release?

Thanks,
Scott

Comment 27 Scott Poore 2012-11-20 19:01:56 UTC
I believe this version now covers IPA and Trust related AVCs.  After a fresh install of IPA and adding a trust, I no longer see any AVC denials.

[root@rhel6-1 ~]# ausearch -m avc
<no matches>

Comment 29 Scott Poore 2012-12-06 19:46:39 UTC
Retesting full IPA install and trust setup:

Hmm... Well, I'm again seeing the AVC from comment #25 on a fresh install, so something is missing. Looks like winbind needs write access to /var/cache to create /var/cache/samba. More details below.

Version:

selinux-policy-3.7.19-183.el6.noarch

Manual Test Results ::

[root@rhel6-1 ~]# ipa-server-install --setup-dns --forwarder=$DNSFORWARD \
>   --hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW \
>   --ip-address=$ipaddr -P $ADMINPW -a $ADMINPW -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host rhel6-1.testrelm.com
Using reverse zone 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      rhel6-1.testrelm.com
IP address:    192.168.122.61
Domain name:   testrelm.com
Realm name:    TESTRELM.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.122.1
Reverse zone:  122.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
  [16/21]: requesting RA certificate from CA
  [17/21]: issuing RA agent certificate
  [18/21]: adding RA agent as a trusted user
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/37]: creating directory server user
  [2/37]: creating directory server instance
  [3/37]: adding default schema
  [4/37]: enabling memberof plugin
  [5/37]: enabling winsync plugin
  [6/37]: configuring replication version plugin
  [7/37]: enabling IPA enrollment plugin
  [8/37]: enabling ldapi
  [9/37]: disabling betxn plugins
  [10/37]: configuring uniqueness plugin
  [11/37]: configuring uuid plugin
  [12/37]: configuring modrdn plugin
  [13/37]: enabling entryUSN plugin
  [14/37]: configuring lockout plugin
  [15/37]: creating indices
  [16/37]: enabling referential integrity plugin
  [17/37]: configuring ssl for ds instance
  [18/37]: configuring certmap.conf
  [19/37]: configure autobind for root
  [20/37]: configure new location for managed entries
  [21/37]: restarting directory server
  [22/37]: adding default layout
  [23/37]: adding delegation layout
  [24/37]: adding replication acis
  [25/37]: creating container for managed entries
  [26/37]: configuring user private groups
  [27/37]: configuring netgroups from hostgroups
  [28/37]: creating default Sudo bind user
  [29/37]: creating default Auto Member layout
  [30/37]: adding range check plugin
  [31/37]: creating default HBAC rule allow_all
  [32/37]: initializing group membership
  [33/37]: adding master entry
  [34/37]: configuring Posix uid/gid generation
  [35/37]: enabling compatibility plugin
  [36/37]: tuning directory server
  [37/37]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/14]: disabling mod_ssl in httpd
  [2/14]: setting mod_nss port to 443
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

[root@rhel6-1 ~]# chkconfig iptables off

[root@rhel6-1 ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]

[root@rhel6-1 ~]# chkconfig ip6tables off

[root@rhel6-1 ~]# service ip6tables stop
ip6tables: Flushing firewall rules:                        [  OK  ]
ip6tables: Setting chains to policy ACCEPT: filter         [  OK  ]
ip6tables: Unloading modules:                              [  OK  ]

[root@rhel6-1 ~]# ausearch -m avc
<no matches>

[root@rhel6-1 ~]# ipa-adtrust-install --netbios-name=$(echo $RELM|cut -f1 -d.) \
>   -a $ADMINPW -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring CIFS
  [1/18]: stopping smbd
  [2/18]: creating samba domain object
  [3/18]: creating samba config registry
  [4/18]: writing samba config file
  [5/18]: adding cifs Kerberos principal
  [6/18]: adding cifs principal to S4U2Proxy targets
  [7/18]: adding admin(group) SIDs
  [8/18]: adding RID bases
  [9/18]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [10/18]: activating CLDAP plugin
  [11/18]: activating sidgen plugin and task
  [12/18]: activating extdom plugin
  [13/18]: configuring smbd to start on boot
  [14/18]: adding special DNS service records
  [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [16/18]: adding fallback group
  [17/18]: setting SELinux booleans
  [18/18]: starting CIFS services
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
	TCP Ports:
	  * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.

=============================================================================

[root@rhel6-1 ~]# ausearch -m avc
----
time->Thu Dec  6 14:31:39 2012
type=SYSCALL msg=audit(1354822299.522:15235): arch=c000003e syscall=83 success=no exit=-13 a0=1498250 a1=1ed a2=ffffffff a3=61 items=0 ppid=1 pid=27916 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1354822299.522:15235): avc:  denied  { write } for  pid=27916 comm="winbindd" name="cache" dev=dm-0 ino=16 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir


[root@rhel6-1 ~]# find /var -inum 16
/var/cache

[root@rhel6-1 ~]# ls /var/cache
abrt-di  fontconfig  hald  ipa  krb5rcache  ldconfig  man  mod_proxy  rpcbind  tomcat6  yum

[root@rhel6-1 ~]# ps -ef|grep winb
root     27916     1  0 14:31 ?        00:00:00 winbindd
root     27927 27916  0 14:31 ?        00:00:00 winbindd
root     27929 27916  0 14:31 ?        00:00:00 winbindd
root     27930 27916  0 14:31 ?        00:00:00 winbindd
root     27948  1481  0 14:33 pts/0    00:00:00 grep winb

[root@rhel6-1 ~]# restorecon -R -v /var
restorecon reset /var/run/pki-ca.pid context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:pki_ca_var_run_t:s0

[root@rhel6-1 ~]# sesearch -s winbind_t -t var_t --allow -p write

[root@rhel6-1 ~]# 

Now, checking what's going on there:
[root@rhel6-1 ~]# setenforce 0
[root@rhel6-1 ~]# service winbind restart

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]
[root@rhel6-1 ~]# ausearch -m avc
<snip>
----
time->Thu Dec  6 14:43:32 2012
type=SYSCALL msg=audit(1354823012.881:15247): arch=c000003e syscall=5 success=yes exit=0 a0=f a1=7fffe2379300 a2=7fffe2379300 a3=0 items=0 ppid=1 pid=28012 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1354823012.881:15247): avc:  denied  { getattr } for  pid=28012 comm="winbindd" path="/var/cache/samba/netsamlogon_cache.tdb" dev=dm-0 ino=41937 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
</snip>

[root@rhel6-1 ~]# ls -ld /var/cache/*
drwxrwxr-x.  2 abrt      abrt      4096 Oct 18 16:08 /var/cache/abrt-di
drwxr-xr-x.  2 root      root      4096 Dec  6 10:20 /var/cache/fontconfig
drwx------.  2 haldaemon haldaemon 4096 Dec  6 10:27 /var/cache/hald
drwxr-xr-x.  3 root      root      4096 Dec  6 11:41 /var/cache/ipa
drwxr-xr-x.  2 root      root      4096 Nov 28 13:44 /var/cache/krb5rcache
drwx------.  2 root      root      4096 Dec  6 11:42 /var/cache/ldconfig
drwxr-xr-x. 14 root      root      4096 Dec  6 11:42 /var/cache/man
drwx------.  2 apache    apache    4096 Dec  3 09:20 /var/cache/mod_proxy
drwx------.  2 rpc       rpc       4096 Oct 23 11:19 /var/cache/rpcbind
drwxr-xr-x.  2 root      root      4096 Dec  6 14:43 /var/cache/samba
drwxrwxr-x.  4 root      tomcat    4096 Dec  6 11:40 /var/cache/tomcat6
drwxr-xr-x.  3 root      root      4096 Dec  6 11:30 /var/cache/yum

[root@rhel6-1 ~]# rpm -qf /var/cache/samba
file /var/cache/samba is not owned by any package
[root@rhel6-1 ~]# 

So, the winbind service needs write access to /var/cache to be able to create /var/cache/samba?

Is this something that can be fixed?

Comment 30 Scott Poore 2012-12-06 19:53:17 UTC
Also, after ipactl restart:


[root@rhel6-1 ~]# ausearch -m avc -ts 14:46
----
time->Thu Dec  6 14:47:43 2012
type=SYSCALL msg=audit(1354823263.022:15256): arch=c000003e syscall=2 success=yes exit=15 a0=24d3b70 a1=42 a2=180 a3=6361635f6e6f676f items=0 ppid=1 pid=28888 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1354823263.022:15256): avc:  denied  { open } for  pid=28888 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=41937 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1354823263.022:15256): avc:  denied  { read write } for  pid=28888 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=41937 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Thu Dec  6 14:47:43 2012
type=SYSCALL msg=audit(1354823263.023:15257): arch=c000003e syscall=72 success=yes exit=0 a0=f a1=7 a2=7fffea31cd00 a3=c items=0 ppid=1 pid=28888 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1354823263.023:15257): avc:  denied  { lock } for  pid=28888 comm="winbindd" path="/var/cache/samba/netsamlogon_cache.tdb" dev=dm-0 ino=41937 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
----
time->Thu Dec  6 14:47:43 2012
type=SYSCALL msg=audit(1354823263.023:15258): arch=c000003e syscall=5 success=yes exit=0 a0=f a1=7fffea31cde0 a2=7fffea31cde0 a3=c items=0 ppid=1 pid=28888 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1354823263.023:15258): avc:  denied  { getattr } for  pid=28888 comm="winbindd" path="/var/cache/samba/netsamlogon_cache.tdb" dev=dm-0 ino=41937 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

[root@rhel6-1 ~]# find /var -inum 41937
/var/cache/samba/netsamlogon_cache.tdb

[root@rhel6-1 ~]# matchpathcon /var/cache/samba/netsamlogon_cache.tdb
/var/cache/samba/netsamlogon_cache.tdb	system_u:object_r:samba_var_t:s0

[root@rhel6-1 ~]# ls -lZ /var/cache/samba/netsamlogon_cache.tdb

-rw-------. root root unconfined_u:object_r:var_t:s0   /var/cache/samba/netsamlogon_cache.tdb

[root@rhel6-1 ~]# restorecon -R -v /var
restorecon reset /var/run/pki-ca.pid context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:pki_ca_var_run_t:s0
restorecon reset /var/cache/samba context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:samba_var_t:s0
restorecon reset /var/cache/samba/netsamlogon_cache.tdb context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:samba_var_t:s0

I'm guessing this is just a side effect of the previous issue where /var/cache/samba wasn't created properly?

In any case, we'll need this fixed too if possible.

Thanks

Comment 31 Daniel Walsh 2012-12-06 20:35:59 UTC
Who is creating /var/cache/samba?  If this is an init script it needs a restorecon in it.

Comment 32 Scott Poore 2012-12-06 23:42:24 UTC
I'm not sure. I don't see it in the init scripts, though. Testing quickly, it looks like the pid mentioned in the AVC message is the winbindd daemon itself.

A restorecon would fix that last issue from comment #30, right? But what about the /var/cache write one from comment #29?

Thanks

Comment 33 Miroslav Grepl 2012-12-07 09:05:42 UTC
Scott,
So you are getting this AVC also with fixed labeling for /var/cache/samba?

Comment 34 Scott Poore 2012-12-07 16:19:08 UTC
Which AVC? The /var/cache write one, or the /var/cache/samba/netsamlogon_cache.tdb ones?

I'm wondering if the latter is just a result of how winbindd created /var/cache/samba? Somehow it created it so it had the wrong label. That's possible, right? Depending on how the directory was created?

But that still leaves the issue of how /var/cache/samba is created, right?

Comment 35 Alexander Bokovoy 2012-12-07 16:52:50 UTC
Samba creates all needed directories if they don't exist. If it is unable to create them, it only means the SELinux policy forbids creating them.

Can we fix the policy so that smbd and winbindd creating /var/cache/samba will get samba_var_t?

Comment 36 Daniel Walsh 2012-12-07 17:41:43 UTC
Alex, I believe it does, or it would block it if they were started in enforcing mode, since neither of them is allowed to create the directory as var_t.

Can someone try to generate this in enforcing mode?

rm -rf /var/cache/samba

and see if the directory gets created with the correct label, or if creating it gets denied.

Comment 37 Scott Poore 2012-12-07 18:32:40 UTC
Daniel,

My output from comment #29 was done in enforcing mode (before I changed it to permissive).  At least I'm pretty sure it was.  To be certain though, I retested and the directory does not get created in enforcing mode:

[root@rhel6-2 ~]# getenforce
Enforcing

[root@rhel6-2 ~]# ausearch -m avc
<no matches>

[root@rhel6-2 ~]# ipa-adtrust-install --netbios-name=$(echo $RELM|cut -f1 -d.) \
>   -a $ADMINPW -U
<normal output removed.../>

[root@rhel6-2 ~]# getenforce 
Enforcing

[root@rhel6-2 ~]# ausearch -m avc
----
time->Thu Dec  6 12:00:59 2012
type=SYSCALL msg=audit(1354816859.347:1577): arch=c000003e syscall=83 success=no exit=-13 a0=268bc10 a1=1ed a2=ffffffff a3=61 items=0 ppid=1 pid=5491 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=241 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1354816859.347:1577): avc:  denied  { write } for  pid=5491 comm="winbindd" name="cache" dev=dm-0 ino=21 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

[root@rhel6-2 ~]# ls -ld /var/cache/samba
ls: cannot access /var/cache/samba: No such file or directory

And a quick test restarting:

[root@rhel6-2 ~]# service winbind status
winbindd (pid  5491) is running...

[root@rhel6-2 ~]# service winbind restart

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]

[root@rhel6-2 ~]# ls -ld /var/cache/samba
ls: cannot access /var/cache/samba: No such file or directory

[root@rhel6-2 ~]# date
Thu Dec  6 12:04:15 CST 2012

[root@rhel6-2 ~]# ausearch -m avc -ts 12:03
----
time->Thu Dec  6 12:04:01 2012
type=SYSCALL msg=audit(1354817041.598:1584): arch=c000003e syscall=83 success=no exit=-13 a0=12c9c10 a1=1ed a2=ffffffff a3=61 items=0 ppid=1 pid=5569 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=241 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1354817041.598:1584): avc:  denied  { write } for  pid=5569 comm="winbindd" name="cache" dev=dm-0 ino=21 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

Does that help?

Comment 38 Milos Malik 2013-01-14 14:27:16 UTC
selinux-policy-3.7.19-192.el6 contains the allow rules you need:

# matchpathcon /var/cache/samba
/var/cache/samba	system_u:object_r:samba_var_t:s0
# sesearch -s winbind_t -t samba_var_t -c dir -p write --allow -C
Found 1 semantic av rules:
   allow winbind_t samba_var_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 

#

Comment 39 Milos Malik 2013-01-14 14:50:14 UTC
Please do not forget to run the following command before you start the IPA testing:
# restorecon -Rv /var

Comment 41 Scott Poore 2013-01-15 19:32:22 UTC
Well, that seems to have cleared up the winbindd/samba stuff that was obvious, but now I'm seeing a java/pki-related denial:

[root@rhel6-4 ipa-upgrade]# date
Tue Jan 15 13:14:11 CST 2013

[root@rhel6-4 ipa-upgrade]# ipactl restart
Restarting Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Starting dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Starting ipa_memcached:                                    [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]
Restarting ADTRUST Service
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Restarting EXTID Service

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]

[root@rhel6-4 ipa-upgrade]# ausearch -m avc -ts 13:14
----
time->Tue Jan 15 13:15:05 2013
type=SYSCALL msg=audit(1358277305.697:7079): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=200000 a2=3 a3=40022 items=0 ppid=1 pid=26102 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1358277305.697:7079): avc:  denied  { read } for  pid=26102 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=92896 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file

----
time->Tue Jan 15 13:15:05 2013
type=SYSCALL msg=audit(1358277305.792:7080): arch=c000003e syscall=137 success=no exit=-13 a0=7f7de0a94ab0 a1=7f7de0fa5dc0 a2=fffffffffff5c9e0 a3=7f7de0fa5cd0 items=0 ppid=1 pid=26102 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1358277305.792:7080): avc:  denied  { getattr } for  pid=26102 comm="java" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

[root@rhel6-4 ipa-upgrade]# getenforce
Enforcing

I do see the same thing if I just run:

service pki-cad restart

so I'm guessing it's dogtag/pki related?

Should I open that as a separate bug?
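
The triage that comments 29, 30 and 41 do by hand (pull the fields out of the AVC record, map dev/ino back to a path, compare the object's actual type with the type matchpathcon says it should carry, and decide whether the answer is restorecon or a missing policy rule) as an added Python example. This is not code from this bug, from selinux-policy or from IPA. The audit lines are constructed from the ones quoted in this thread, and INODE_PATH and EXPECTED_TYPE are assumed stand-ins for what `find /var -inum N` and `matchpathcon PATH` return on the live host. It also decodes the hex-encoded `path=` value from comment 41: auditd hex-encodes a string field (and drops the quotes) when the value contains a space, quote or control character, and that one decodes to "/anon_hugepage (deleted)".

```python
import re

# Constructed sample records, copied in form from the ausearch output quoted
# in this bug (comments 29, 30 and 41). Only type=AVC lines are parsed; the
# SYSCALL record (shortened here) is skipped.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1354822299.522:15235): arch=c000003e syscall=83 success=no exit=-13 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)
type=AVC msg=audit(1354822299.522:15235): avc:  denied  { write } for  pid=27916 comm="winbindd" name="cache" dev=dm-0 ino=16 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1354823263.022:15256): avc:  denied  { read write } for  pid=28888 comm="winbindd" name="netsamlogon_cache.tdb" dev=dm-0 ino=41937 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1358277305.697:7079): avc:  denied  { read } for  pid=26102 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=92896 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
"""

# Assumed stand-ins for two lookups the thread does on the live box:
# `find /var -inum N` (dev/ino -> path) and `matchpathcon PATH`
# (path -> type that file_contexts expect). Not taken from the real policy.
INODE_PATH = {
    ("dm-0", 16): "/var/cache",
    ("dm-0", 41937): "/var/cache/samba/netsamlogon_cache.tdb",
}
EXPECTED_TYPE = {
    "/var/cache": "var_t",
    "/var/cache/samba": "samba_var_t",
    "/var/cache/samba/netsamlogon_cache.tdb": "samba_var_t",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# auditd hex-encodes these string fields (quotes dropped) when the value holds
# a space, quote or control byte. Numeric fields like ino= are never encoded,
# so decoding is restricted to this set.
HEX_FIELDS = {"path", "name", "comm", "exe"}


def _decode(key, raw):
    """Undo the audit encoding of one field value."""
    if raw.startswith('"'):
        return raw.strip('"')
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_avc(line):
    """Return a dict for a type=AVC line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, raw in FIELD_RE.findall(m.group("fields")):
        rec[key] = _decode(key, raw)
    rec["stype"] = rec["scontext"].split(":")[2]  # e.g. winbind_t
    rec["ttype"] = rec["tcontext"].split(":")[2]  # e.g. var_t
    return rec


def classify(rec, expected_type=EXPECTED_TYPE, inode_path=INODE_PATH):
    """Decide what a denial on a file or directory means.

    'mislabeled': the object's type differs from what file_contexts expect,
                  so restorecon fixes it (the netsamlogon_cache.tdb case).
    'policy':     the type is already the expected one, so a rule or type
                  transition is missing from the policy (the /var/cache case).
    'unknown':    no expectation recorded for this path; inspect by hand.
    """
    path = rec.get("path") or inode_path.get((rec.get("dev"), int(rec.get("ino", -1))))
    expected = expected_type.get(path)
    if expected is None:
        return "unknown", path
    if expected != rec["ttype"]:
        return "mislabeled", path
    return "policy", path


def triage(audit_text):
    """Parse a block of ausearch output and classify every AVC record in it."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        verdict, path = classify(rec)
        out.append((verdict, path, rec["stype"], rec["ttype"], rec["tclass"], rec["perms"]))
    return out


if __name__ == "__main__":
    for verdict, path, stype, ttype, tclass, perms in triage(SAMPLE_AUDIT):
        print(f"{verdict:10} {stype} -> {ttype} ({tclass} {{ {' '.join(perms)} }}) {path}")
```

On the host itself `ausearch -i` already interprets hex-encoded fields, so the decoding matters mostly when raw records are shipped off the box to a log pipeline. The two verdicts map onto what the thread concludes: a "mislabeled" result is exactly the case `restorecon -Rv /var` reports and repairs in comment 30, while a "policy" result on a correctly labeled parent directory is the class of denial that only a policy update such as the one cited in comment 38 can resolve.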

Comment 42 Scott Poore 2013-01-15 19:39:25 UTC
Opening that as a separate bug for PKI to handle, since it's still separate in RHEL6.4.

Thanks

Comment 44 errata-xmlrpc 2013-02-21 08:32:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

