From f458a46e3f5ff445d8a5da8368f76168fcd40450 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 18 Feb 2018 13:10:31 -0600
Subject: [PATCH] roles/samba-dc: Additional BIND SELinux contexts

The `/var/lib/samba/bind-dns` directory contains files that are hard-linked to files in the `/var/lib/samba/private` directory. All paths for a file must have the same context, or `restorecon` will effectively "toggle" the labels each time it is run.
---
 roles/samba-dc/vars/main.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/roles/samba-dc/vars/main.yml b/roles/samba-dc/vars/main.yml
index c19c8b5..9f74cd8 100644
--- a/roles/samba-dc/vars/main.yml
+++ b/roles/samba-dc/vars/main.yml
@@ -1,10 +1,16 @@
 samba_selinux_contexts:
 - path: /var/lib/samba/bind-dns/dns.keytab
 setype: named_conf_t
+- path: /var/lib/samba/private/dns.keytab
+ setype: named_conf_t
 - path: /var/lib/samba/bind-dns/named.conf.*
 setype: named_conf_t
 - path: /var/lib/samba/bind-dns/dns(/.*)?
 setype: named_var_run_t
+- path: /var/lib/samba/private/sam.ldb.d/metadata.tdb
+ setype: named_var_run_t
+- path: /var/lib/samba/private/sam.ldb.d/.*DNSZONES.*\.ldb
+ setype: named_var_run_t
 samba_firewall:
 - dns
 - kerberos
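Review bot: The three added `/var/lib/samba/private/...` entries assign `named_conf_t` and `named_var_run_t` to files inside Samba's private directory, and nothing in `vars/main.yml` records why; the hard-link reason exists only in the commit message. A comment above the first added entry, e.g. `# hard-linked with bind-dns/; every path to a file must carry the same type or restorecon flips the label`, would keep a later cleanup from dropping these entries or from reading the BIND type on `private/dns.keytab` as accidental. If these paths are consumed as file-context regular expressions (the consumer is not visible in this hunk), the last entry escapes `\.ldb` but leaves the dots in `sam.ldb.d` unescaped, so `sam\.ldb\.d` would match the intended directory more exactly. The indentation of the `setype` lines was lost in this rendering, so the nesting should be checked against the original file.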