Minor addendum: It's conceivable that the new line should go into
<abstractions/nameservice> rather than just the nscd profile. I do see
that the nscd socket is already mentioned there.

I don't know if/why anything else would need access to the nslcd socket,
but that may be a valid use case for other folks.

https://bugs.launchpad.net/bugs/1575438

Title:
  usr.sbin.nscd needs r/w access to nslcd socket

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  I am using nscd with nslcd (LDAP lookup daemon) for NSS services via
  LDAP.

  It is typical to configure nslcd to connect to the actual LDAP server,
  and then set up /etc/ldap.conf (which is what NSS/nscd uses for "ldap"
  type lookups in /etc/nsswitch.conf) with a server URI of
  ldapi:///var/run/nslcd/socket . This way, only nslcd needs to talk
  with the LDAP server, rather than every application that wants to do
  getpwent() et al.

  Unfortunately, the usr.sbin.nscd profile in apparmor-profiles
  2.10.95-0ubuntu2 (Xenial) makes no mention of the nslcd socket, which
  results in NSS LDAP lookups not working when the profile is enforced
  in this configuration.

  This is the new line that is needed:

      /{,var/}run/nslcd/socket rw,
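
An added example, not part of the bug report: a small Python check that expands the `{,var/}` alternation in the proposed rule and sorts AppArmor denials for the nscd profile into those the rule would allow and those it would not. The audit lines are constructed samples, and the profile name `/usr/sbin/nscd` as it appears in the log is an assumption.

```python
import re

# Rule proposed in the bug report (path pattern and permissions).
RULE_PATH, RULE_PERMS = "/{,var/}run/nslcd/socket", "rw"

# Constructed sample audit lines (not taken from the bug report).
SAMPLE_LOG = '''\
audit: type=1400 audit(1461700000.101:51): apparmor="DENIED" operation="connect" profile="/usr/sbin/nscd" name="/run/nslcd/socket" pid=812 comm="nscd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1461700000.202:52): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/example.conf" pid=812 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1461700000.303:53): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/var/run/nslcd/socket" pid=900 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
'''

def expand_braces(pattern):
    """Expand AppArmor {a,b} alternations (non-nested) into literal paths."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out

def parse_denial(line):
    """Return the key="value" fields of an AppArmor DENIED line, else None."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return fields if fields.get("apparmor") == "DENIED" else None

def covered_by_rule(log, profile="/usr/sbin/nscd"):
    """Split the profile's denials into those the rule allows and the rest."""
    paths = set(expand_braces(RULE_PATH))
    fixed, remaining = [], []
    for line in log.splitlines():
        d = parse_denial(line)
        if d is None or d.get("profile") != profile:
            continue  # not a denial, or a denial for some other profile
        name, mask = d.get("name", ""), d.get("denied_mask", "")
        ok = name in paths and set(mask) <= set(RULE_PERMS)
        (fixed if ok else remaining).append((name, mask))
    return fixed, remaining

if __name__ == "__main__":
    fixed, remaining = covered_by_rule(SAMPLE_LOG)
    print("allowed by new rule:", fixed)
    print("still denied:", remaining)
```

Passing real kernel log text to `covered_by_rule` in place of `SAMPLE_LOG` shows whether the one-line rule accounts for every nscd denial or whether others remain.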
