r/samba-dc: Remove winbindd restorecon workaround

This work-around is no longer necessary as the default Fedora policy now covers the Samba DC daemon. It never really worked correctly, anyway, because Samba doesn't start `winbindd` fast enough for the `/run/samba/winbindd` directory to be created before systemd spawns the `restorecon` process, so it would usually fail to start the service the first time after a reboot.
2022-08-22 20:32:07 -05:00 · 2022-08-22 20:32:07 -05:00 · 8965ede50a
parent 2ca92f68f7
commit 8965ede50a
2 changed files with 0 additions and 20 deletions
--- a/roles/samba-dc/files/relabel-winbindd.conf
+++ b/roles/samba-dc/files/relabel-winbindd.conf
@ -1,12 +0,0 @@
-# Fedora does not yet have a SELinux policy for the Samba AD DC process,
-# so it runs as unconfined_service_t. This causes all of its child
-# processes to run there as well, which prevents they create from being
-# labelled correctly. This is particularly problematic for winbindd, as
-# several outside processes need to communicate with it for identity
-# mapping, etc., so its socket absolutely must have the right label.
-#
-# To work around this problem, restorecon is run after samba starts up
-# to set the correct label on the winbindd socket directory.
-
-[Service]
-ExecStartPost=/usr/sbin/restorecon -RFv /run/samba/winbindd
--- a/roles/samba-dc/tasks/main.yml
+++ b/roles/samba-dc/tasks/main.yml
@ -74,14 +74,6 @@
    path=/etc/systemd/system/samba.service.d
    mode=0755
    state=directory
- name: ensure samba4/winbind selinux work-around is in place
-  copy:
-    src=relabel-winbindd.conf
-    dest=/etc/systemd/system/samba.service.d/relabel-winbindd.conf
-    mode=0644
-  notify:
-  - reload systemd
-  - restart samba

 - name: ensure samba starts at boot
  service: