Hi, I was wondering if winbind package has a default policy included in Fedora 27? In permissive mode it works as below: winbind.service - Samba Winbind Daemon Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled) Active: active (running) since Tue 2017-10-03 08:16:09 CDT; 5h 17min ago Main PID: 1009 (winbindd) Status: "winbindd: ready to serve connections..." Tasks: 4 (limit: 4915) CGroup: /system.slice/winbind.service ├─1009 /usr/sbin/winbindd ├─1010 /usr/sbin/winbindd ├─1066 /usr/sbin/winbindd └─1068 /usr/sbin/winbindd But in Enforcing Mode does not: [root@fedmember1 ~]# systemctl stop winbind [root@fedmember1 ~]# setenforce 1 [root@fedmember1 ~]# systemctl start winbind Job for winbind.service failed because the control process exited with error code. See "systemctl status winbind.service" and "journalctl -xe" for details. Oct 03 08:07:20 fedmember1 winbindd[685]: tdb(/var/lib/samba/private/netlogon_creds_cli.tdb): tdb_open_ex: tdb_new_database failed for /var/lib/samba/private/netlogon_creds_cli.tdb: Permission denied Oct 03 08:07:20 fedmember1 winbindd[685]: [2017/10/03 08:07:20.664239, 0] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log) Oct 03 08:07:20 fedmember1 audit[685]: AVC avc: denied { map } for pid=685 comm="winbindd" path="/var/lib/samba/private/netlogon_creds_cli.tdb" dev="dm-0" ino=137059 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0 Oct 03 08:07:20 fedmember1 audit[685]: AVC avc: denied { map } for pid=685 comm="winbindd" path="/var/lib/samba/private/secrets.tdb" dev="dm-0" ino=137051 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0 Oct 03 08:07:20 fedmember1 audit[685]: AVC avc: denied { map } for pid=685 comm="winbindd" path="/var/lib/samba/lock/names.tdb" dev="dm-0" ino=137022 scontext=system_u:system_r:winbind_t:s0 tcontext=unconfined_u:object_r:samba_var_t:s0 tclass=file permissive=0 Any hints are welcome how to fix it Thank you Lin _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx