+ # When using sssd, the passwd and group files are stored in an alternate path
+ /var/lib/sss/mc/group r,
+ /var/lib/sss/mc/passwd r,
+
/etc/resolv.conf r,
# on systems using resolvconf, /etc/resolv.conf is a symlink to
# /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
sssd provides two files for fast access to its cache, /var/lib/sss/mc/group and /var/lib/sss/mc/passwd.
Those are world readable, and any process liable to do nss queries should be granted read rights to them.
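As an added defender-side check (not part of the bug report or of the AppArmor project's code), a small Python checker that parses plain path rules of the form shown in the hunk, expands the `{,var/}` alternation this abstraction already uses, and reports which sssd cache files a profile including the abstraction may read before and after the patch. The two abstraction excerpts are constructed from the hunk, not the full upstream file, and the matcher ignores includes, variables and non-path rules.

```python
import re

# Constructed excerpts of the nameservice abstraction before and after the patch
# (not the full upstream file); rule syntax follows the lines shown in the hunk.
NAMESERVICE_BEFORE = """
  /etc/passwd r,
  /etc/protocols r,
  /etc/resolv.conf r,
  # on systems using resolvconf, /etc/resolv.conf is a symlink to
  /{,var/}run/resolvconf/resolv.conf r,
"""
NAMESERVICE_AFTER = NAMESERVICE_BEFORE.replace(
    "  /etc/protocols r,\n",
    "  /etc/protocols r,\n  /var/lib/sss/mc/group r,\n  /var/lib/sss/mc/passwd r,\n")

SSSD_CACHE_FILES = ["/var/lib/sss/mc/passwd", "/var/lib/sss/mc/group"]
RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-z]+),\s*$")  # "<path> <perms>," rules only

def expand_braces(pattern):
    """Expand AppArmor {a,b} alternation into concrete patterns (recursive)."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out

def glob_to_regex(pattern):
    """AppArmor globbing: '**' may cross '/', '*' may not, '?' is one char."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            regex, i = regex + ".*", i + 2
        else:
            c = pattern[i]
            regex += "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
            i += 1
    return re.compile("^" + regex + "$")

def permissions_for(text, path):
    """Union of permission letters the abstraction grants on `path`."""
    perms = set()
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, includes, non-path rules
        for concrete in expand_braces(m.group(1)):
            if glob_to_regex(concrete).match(path):
                perms |= set(m.group(2))
    return perms

def missing_read(text, paths=SSSD_CACHE_FILES):
    """Paths the abstraction does not allow reading: the symptom this bug reports."""
    return [p for p in paths if "r" not in permissions_for(text, p)]

if __name__ == "__main__":
    print("before:", missing_read(NAMESERVICE_BEFORE))  # both sssd cache files
    print("after: ", missing_read(NAMESERVICE_AFTER))   # []
```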
=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice 2012-01-12 12:55:17 +0000
+++ profiles/apparmor.d/abstractions/nameservice 2012-09-25 18:44:33 +0000
@@ -21,6 +21,10 @@
/etc/passwd r,
/etc/protocols r,
+ # When using sssd, the passwd and group files are stored in an alternate path sss/mc/ group r, sss/mc/ passwd r, }run/resolvconf /resolv. conf and a file sometimes referenced in
+ /var/lib/
+ /var/lib/
+
/etc/resolv.conf r,
# on systems using resolvconf, /etc/resolv.conf is a symlink to
# /{,var/
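Review bot: the comment on the added lines describes /var/lib/sss/mc/group and /var/lib/sss/mc/passwd as "the passwd and group files ... stored in an alternate path", but as the description in this report says they are sssd's world-readable fast cache of nss lookups, not a replacement for /etc/passwd and /etc/group (which the hunk context still grants `r` on); wording the comment as, for example, `# sssd's fast memory cache of nss lookups (world readable)` avoids readers assuming /etc/passwd is unused on sssd hosts. The two added rules could also be collapsed to `/var/lib/sss/mc/{group,passwd} r,`, matching the brace style `/{,var/}run/resolvconf` already used in this abstraction.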
The fix above seems to be doing the trick here; it's similar to the SELinux rule change that had to happen on Red Hat's side: https://bugzilla.redhat.com/show_bug.cgi?id=806348