samba selinux adding new PC to domain

mroselinux at eastgranby.k12.ct.us
Wed Apr 26 17:34:01 UTC 2006


I've migrated our samba server to FC5 and have selinux enforcing.  I have
the smbd_disable_trans boolean on.  I just went to add a new PC to our
domain and was not able to until I changed selinux to permissive.  Below
are the log messages.

Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.084:160): avc:  denied  {
append } for  pid=24952 comm="useradd" name="log.mslib2k10w" dev=dm-0
ino=8674237 scontext=root:system_r:useradd_t:s0
tcontext=root:object_r:samba_log_t:s0 tclass=file
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.088:161): avc:  denied  {
read } for  pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129
scontext=root:system_r:useradd_t:s0
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.088:162): avc:  denied  {
read write } for  pid=24952 comm="useradd" name="passwd" dev=dm-0
ino=1964129 scontext=root:system_r:useradd_t:s0
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Apr 25 12:53:25 hssrv01 smbd[24950]: [2006/04/25 12:53:25.092274, 0]
rpc_server/srv_samr_nt.c:_samr_create_user(2404)
Apr 25 12:53:25 hssrv01 smbd[24950]:   _samr_create_user: Running the
command `/usr/sbin/useradd -d /dev/null -g mac6068346148hines -c 'Machine
Account' -s /bin/false -M mslib2k10w$' gave 1

Note that smbd invokes the useradd command.

How can I always leave enforcing on?  Earlier, I sent an email indicating
that the samba "net groupmap" command also is a problem with enforcing on.

Mark Orenstein
East Granby, CT School System
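
An added example, not part of the original post: a small Python parser that groups the AVC denials quoted above by source type, target type and object class, showing which domain was denied which permissions on which files. The function names are illustrative, and the sample input is the post's three denial lines with the mail line wraps rejoined.

```python
import re
from collections import defaultdict

# The three AVC denials quoted in the post, with the mail line wraps rejoined.
SAMPLE_LOG = """\
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.084:160): avc:  denied  { append } for  pid=24952 comm="useradd" name="log.mslib2k10w" dev=dm-0 ino=8674237 scontext=root:system_r:useradd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.088:161): avc:  denied  { read } for  pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.088:162): avc:  denied  { read write } for  pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value.strip('"')
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Merge denials by (source type, target type, class)."""
    perms, names = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"])
            perms[key].update(rec["perms"])
            names[key].add(rec.get("name", "?"))
    return {k: {"perms": sorted(perms[k]), "names": sorted(names[k])} for k in perms}


if __name__ == "__main__":
    for (stype, ttype, tclass), info in summarize(SAMPLE_LOG).items():
        print(f"{stype} -> {ttype}:{tclass} {info['perms']} on {info['names']}")
```

All three denials have source type useradd_t, the domain of the helper command, rather than a Samba domain, and they fall into two groups by target type: samba_log_t and etc_runtime_t.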






More information about the fedora-selinux-list mailing list