SELinux, Samba, & Winbind

Hello list, I am trying to set up basic Samba/Winbind on a RHEL5.2 server. But every time I try to do anything - join a domain, run a test join, change configuration settings, basically anything that calls any object related to Samba or Winbind - SELinux blocks it. Disabling protection for the winbind daemon in the boolean settings changes SELinux to blocking /var/run/winbindd/pipe instead. I've run restorecon where possible, and done a full relabel of the whole system, multiple times. Nothing changes. I haven't moved any system files and I'm following the official Samba setup documentation. I'm utterly at a loss. Something must be broken because I can't imagine a default SELinux policy that blocks all Samba/Winbind activity would have made it past RHEL5's quality control. But I can't figure out what it is. Please help! Thanks in advance, -Alisha _____________________________________ [root@myhost ~]# net ads testjoin [2010/07/21 18:28:39.357159, 0] libads/kerberos.c:915(create_local_private_krb5_conf_for_domain) create_local_private_krb5_conf_for_domain: failed to create directory /var/lib/samba/smb_krb5. Error was Permission denied [2010/07/21 18:28:39.359054, 0] libads/kerberos.c:915(create_local_private_krb5_conf_for_domain) create_local_private_krb5_conf_for_domain: failed to create directory /var/lib/samba/smb_krb5. Error was Permission denied Join is OK _____________________________________ Summary: SELinux is preventing the net from using potentially mislabeled files (/tmp/.winbindd). Detailed Description SELinux has denied net access to potentially mislabeled file(s) (/tmp/.winbindd). This means that SELinux will not allow net to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access If you want net to access this files, you need to relabel them using restorecon -v '/tmp/.winbindd'. You might want to relabel the entire directory using restorecon -R -v '/tmp/.winbindd'. Additional Information Source Context: root:system_r:samba_net_t:SystemLow-SystemHighTarget Context: system_u:object_r:winbind_tmp_t Target Objects: /tmp/.winbindd [ dir ] Source: net Source Path: /usr/bin/net Port: <Unknown> Host: <my-hostname> Source RPM Packages: samba3-client-3.5.4-43.el5 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-137.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin Name: home_tmp_bad_labels Host Name: <my-hostname> Platform: Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686 Alert Count: 24 First Seen: Wed 21 Jul 2010 05:56:30 PM GMT Last Seen: Wed 21 Jul 2010 06:08:40 PM GMT Local ID: 0c95a6b7-9a92-4950-bb1d-9b74686685ea Line Numbers: Raw Audit Messages : host=<my-hostname> type=AVC msg=audit(1279735720.83:120): avc: denied { getattr } for pid=7064 comm="net" path="/tmp/.winbindd" dev=sda3 ino=1166126 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:winbind_tmp_t:s0 tclass=dir host=<my-hostname> type=SYSCALL msg=audit(1279735720.83:120): arch=40000003 syscall=196 success=no exit=-13 a0=2ae6b6 a1=bfa92f0c a2=cabff4 a3=2ae6b6 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null) ______________________________________ Summary: SELinux is preventing net (samba_net_t) "read" to ./filesystems (proc_t). Detailed Description: SELinux denied access requested by net. It is not expected that this access is required by net and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./filesystems, restorecon -v './filesystems' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context root:system_r:samba_net_t:SystemLow-SystemHigh Target Context system_u:object_r:proc_t Target Objects ./filesystems [ file ] Source net Source Path /usr/bin/net Port <Unknown> Host <my-hostname> Source RPM Packages samba3-client-3.5.4-43.el5 Target RPM Packages Policy RPM selinux-policy-2.4.6-137.el5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name <my-hostname> Platform Linux <my-hostname> 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686 Alert Count 12 First Seen Wed 21 Jul 2010 05:56:30 PM GMT Last Seen Wed 21 Jul 2010 06:08:39 PM GMT Local ID 1f71cc35-0ccc-4104-8c99-5158849a8cb1 Line Numbers Raw Audit Messages host=<my-hostname> type=AVC msg=audit(1279735719.957:114): avc: denied { read } for pid=7064 comm="net" name="filesystems" dev=proc ino=-268435452 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file host=<my-hostname> type=SYSCALL msg=audit(1279735719.957:114): arch=40000003 syscall=5 success=no exit=-13 a0=ab1390 a1=8000 a2=0 a3=8000 items=0 ppid=6357 pid=7064 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null) _____________________________________