Seth, it seems you're absolutely right. Denying dgram while the system is up is no big deal, because DNS lookups go through nscd (or other similar infrastructure) instead of being sent out directly.
But when the system is starting up, and nscd et al. aren't running yet, the queries do need to go out directly. And nslcd ends up in a wedged state where it does not reply to queries, and prints an endless series of confusing "Can't contact LDAP server: Permission denied" errors to syslog. So yes, please strike those two dgram lines from the profile.

-- 
https://bugs.launchpad.net/bugs/1575455
Title: New AppArmor profile: usr.sbin.nslcd