# Fedora does not yet have a SELinux policy for the Samba AD DC process,
# so it runs as unconfined_service_t. This causes all of its child
# processes to run there as well, which prevents the files they create
# from being labelled correctly. This is particularly problematic for
# winbindd, as several outside processes need to communicate with it for
# identity mapping, etc., so its socket absolutely must have the right label.
#
# To work around this problem, restorecon is run after samba starts up
# to set the correct label on the winbindd socket directory.

[Service]
ExecStartPost=/usr/sbin/restorecon -RFv /run/samba/winbindd