On Tue, May 25, 2010 at 08:52:58PM -0400, Ross Walker wrote: > Selinux alerts are in /var/log/audit/audit.log Thank you for that. Cryptic, but there it is. > The problem is if smbd doesn't create the messages.tdb file then it > won't have the selinux rights. I don't follow you. What else could have ever created the messages.tbd file? These were virgin OS installs. Whatever's in /var/cache/samba, at the time that smbd wouldn't run - which is right of the bat or at least as soon as it mattered to us, after our config was in place - is there only because either the CentOS install, or samba itself in trying to start it from /etc/init.d/smb, put it there. What else could have ever created messages.tbd than smbd? If selinux's real complaint is that it doesn't like the files in /etc/samba being copied in from another system, that would make some sense - except that I'm not finding any mention of any of those files in the audit logs. And that still doesn't say why it starts having a problem with /var/cache/samba/messages.tbd. Does it? > That file can be deleted and will be recreated on smbd start, it's > just a cache file. So in theory if I'd nuked that file smbd would have been happy? Then why was it also happy with "sh /etc/init.d/smb start" but not "/etc/init.d/smb start". I'm happy to become more educated on this. But if invoking a major daemon startup that selinux wants to block is as easy as that, selinux is window dressing, not security. What am I missing about how that's anything like useful? Regards, Whit