diff --git a/apparmor.changes b/apparmor.changes
index e7116bf..8f28049 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue Apr  1 16:06:24 UTC 2014 - lmuelle@suse.com
+
+- update usr.sbin.winbindd profile (bnc#870607)
+  - restrict rw access to /var/cache/krb5rcache/ instead /var/tmp/
+
+-------------------------------------------------------------------
+Fri Mar 28 14:24:19 UTC 2014 - lmuelle@suse.com
+
+- update usr.sbin.winbindd profile (bnc#870607)
+  - treat passdb.tdb.tmp as passdb.tdb
+  - allow rw access to /var/tmp/
+
 -------------------------------------------------------------------
 Thu Mar 20 19:58:47 UTC 2014 - opensuse@cboltz.de
 
diff --git a/usr.sbin.winbindd b/usr.sbin.winbindd
index 903da3c..ed39639 100644
--- a/usr.sbin.winbindd
+++ b/usr.sbin.winbindd
@@ -11,7 +11,7 @@
   capability setuid,
 
   /etc/samba/dhcp.conf r,
-  /etc/samba/passdb.tdb rwk,
+  /etc/samba/passdb.tdb{,.tmp} rwk,
   /etc/samba/secrets.tdb rwk,
   /proc/sys/kernel/core_pattern r,
   /tmp/.winbindd/ w,
@@ -21,6 +21,7 @@
   /usr/lib*/samba/pdb/*.so mr,
   /usr/sbin/winbindd mr,
   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
+  /var/cache/krb5rcache/* rw,
   /var/cache/samba/*.tdb rwk,
   /var/cache/samba/netsamlogon_cache.tdb rw,