From f0a70c70e5b905ff1fc865ddc5a7c9cada812106 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Tue, 20 Dec 2022 15:19:56 -0600
Subject: [PATCH] samba-dc: Install dch-selinux

The *dch-selinux* package contains a SELinux policy module for Samba AD
DC.  This policy defines a `samba_t` domain for the `samba` process.
While the domain is (currently) unconfined, it is necessary in order to
provide a domain transition rule for `winbindd`.  Without this rule,
`winbindd` would run in `unconfined_service_t`, which causes its IPC
pipe files to be incorrectly labelled, preventing other confined
services like `sshd` from accessing them.
---
 samba-dc.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/samba-dc.yml b/samba-dc.yml
index 9d8b3e3..6c64348 100644
--- a/samba-dc.yml
+++ b/samba-dc.yml
@@ -2,6 +2,7 @@
   serial: 1
   roles:
   - kerberos
+  - dch-selinux
   - samba-dc
   tasks:
   - name: set samba configuration facts