selinux-policy/backport-Allow-winbind-rpcd-write-to-winbind-pid-files.patch
2023-08-24 11:33:18 +08:00

From 495539633271d0e187e221dec061e122812cb5c2 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 5 Aug 2022 17:30:47 +0200
Subject: [PATCH] Allow winbind-rpcd write to winbind pid files

Addresses the following AVC denial:
type=AVC msg=audit(1658286623.868:2435): avc: denied { write } for pid=6219 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
---
policy/modules/contrib/samba.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index d64ba6e569..82ba1abf64 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1176,6 +1176,7 @@ allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
+write_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
write_sock_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
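Review bot: the added write_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t) line gives winbind_rpcd_t write access to every file labeled winbind_var_run_t, while the denial quoted in the commit message concerns one file, samba-dcerpcd.pid. The last line of this hunk already grants the domain manage_files_pattern on its own winbind_rpcd_var_run_t type, so consider labeling that pid file winbind_rpcd_var_run_t (through a file context entry or a named type transition) rather than widening access to winbind's runtime files. If sharing winbind_var_run_t is intentional, a comment above the new line naming the pid file would record why the rule exists. The AVC was captured with permissive=1, so it is also worth confirming in enforcing mode that write is the only permission samba-dcerpcd needs on that file.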