Seth, it seems you're absolutely right.

Denying dgram while the system is up is no big deal, because DNS lookups
go through nscd (or other similar infrastructure) instead of being sent
out directly.

But when the system is starting up, and nscd et al. aren't running yet,
the queries do need to go out directly. And nslcd ends up in a wedged
state where it does not reply to queries, and prints an endless series
of confusing "Can't contact LDAP server: Permission denied" errors to
syslog.

So yes, please strike those two dgram lines from the profile.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1575455

Title:
  New AppArmor profile: usr.sbin.nslcd

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1575455/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to