Samba – SELinux allow samba to read /var/log


TL;DR

SELinux is blocking samba from reading /var/log and all contents

Problem

With SELinux disabled, my samba users (sssd/kerberos joined to AD 2008 R2) can browse my shared directory /var/log.
With SELinux enabled, it doesn't work.

My /var/log/messages snippet

Aug 29 13:28:38 servername kernel: [11625.509586] type=1400 audit(1472491718.859:35): avc:  denied  { read } for  pid=7492 comm="smbd" name="spamfilter-all.log" dev="dm-3" ino=26 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=lnk_file
Aug 29 13:28:38 servername kernel: [11625.626225] type=1400 audit(1472491718.975:36): avc:  denied  { getattr } for  pid=7492 comm="smbd" path="/var/log/remote/192.168.11.1" dev="dm-3" ino=1966096 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=lnk_file

Running audit2allow < ~/logsnippet shows

#============= smbd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     samba_export_all_ro, samba_export_all_rw
allow smbd_t var_log_t:lnk_file { read getattr };

What I've already tried

From https://wiki.centos.org/HowTos/SELinux, I tried using audit2allow to make a module that I then loaded:

audit2allow < ~/logsnippet -M allow_samba_var_log
semodule -i allow_samba_var_log.pp

The module installed, because I see it in semodule -l | grep allow, but I still cannot access /var/log through samba.

What I cannot do

  • Disable SELinux
  • https://lists.samba.org/archive/samba/2006-May/120632.html suggests modifying source, but I am not certain I want to try to modify source code for an selinux package (selinux-policy-targeted-sources is named in this link). Someone might be able to convince me to do this if necessary.

End results

What I ended up doing was enabling the boolean samba_export_all_ro.
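Added example (not code from the question, from audit2allow or from the SELinux project): a small parser for the kernel AVC lines quoted above that does the same grouping audit2allow does, collecting denied permissions per (source type, target type, object class) and rendering them as TE allow rules. The first two sample lines are the ones from the question; the third is constructed to show that a second object class (file) produces a separate rule. The boolean hint that audit2allow prints (samba_export_all_ro) comes from the installed policy and is not derived here; when such a boolean exists it is the narrower, policy-maintained option compared with a custom allow module.

```python
import re
from collections import defaultdict

# Constructed sample log: the two AVC denials from the question plus one
# constructed denial for a regular file (tclass=file) to show grouping.
SAMPLE_LOG = """\
Aug 29 13:28:38 servername kernel: [11625.509586] type=1400 audit(1472491718.859:35): avc:  denied  { read } for  pid=7492 comm="smbd" name="spamfilter-all.log" dev="dm-3" ino=26 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=lnk_file
Aug 29 13:28:38 servername kernel: [11625.626225] type=1400 audit(1472491718.975:36): avc:  denied  { getattr } for  pid=7492 comm="smbd" path="/var/log/remote/192.168.11.1" dev="dm-3" ino=1966096 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=lnk_file
Aug 29 13:28:39 servername kernel: [11625.700000] type=1400 audit(1472491719.100:37): avc:  denied  { read open } for  pid=7492 comm="smbd" path="/var/log/messages" dev="dm-3" ino=27 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
"""

# "avc:  denied  { read getattr } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        # name= is used for the last path component, path= for a full path
        'object': fields.get('path') or fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def context_type(ctx):
    """Extract the type field from a user:role:type:level security context."""
    return ctx.split(':')[2]


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (context_type(rec['scontext']),
               context_type(rec['tcontext']),
               rec['tclass'])
        rules[key].update(rec['perms'])
    return dict(rules)


def allow_rules(summary):
    """Render the summary as TE allow rules, one per (source, target, class)."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return lines


if __name__ == '__main__':
    # Usage: python avc_summary.py < /var/log/messages  (or run on the sample)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for rule in allow_rules(summarize_denials(text)):
        print(rule)
```

Feeding the real /var/log/messages (or ausearch -m avc output) through this gives the same rule list audit2allow would, which makes it easy to see whether a denial set is fully covered by an existing boolean or really needs a custom module.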

Best Answer

When SELinux is in enforcing mode, only the first denial will be logged because the denial causes the call to fail.

You should run your system temporarily in Permissive mode (setenforce 0). This will cause all denials to be logged, not just the first. Once you have fully exercised your system you should then use audit2why and audit2allow on the logged messages to understand what is happening and to create a custom module.

If you are happy with the results of your audit then you can install the custom module.

Monitor your audit log for additional denials and take appropriate actions.

When you're happy, set enforcing mode (setenforce 1).

Note: You can

kill -USR1 <PIDofAuditd>

to have auditd flush its log and start another, for easy checking that you have mopped up all the relevant denials.