http://bugzilla.suse.com/show_bug.cgi?id=1162277

            Bug ID: 1162277
           Summary: apparmor profiles: use.sbin.nscd profile breaks nscd queries over NIS
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
          Assignee: suse-beta@cboltz.de
          Reporter: martin.wilck@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Created attachment 828723
  --> http://bugzilla.suse.com/attachment.cgi?id=828723&action=edit
PATCH: apparmor profiles: allow access to /etc/netconfig for nscd

I'm using "files nis" for passwd, shadow, and group in nsswitch.conf.
I just found that this works for non-local accounts only without nscd:

apollon:~ # id hare
id: ‘hare’: no such user
apollon:~ # systemctl stop nscd
apollon:~ # id hare
uid=16045(hare) gid=50(suse) groups=50(suse),...
apollon:~ # systemctl start nscd
apollon:~ # id hare
id: ‘hare’: no such user

Analysis revealed that this was caused by the apparmor profile usr.sbin.nscd.
I had indeed seen these messages but didn't realize they meant that no RPC was possible at all.

type=AVC msg=audit(1580402312.471:882): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
type=AVC msg=audit(1580402312.471:883): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0

Adding "/etc/netconfig r," to the profile resolves the issue. See attached patch.
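Added example, not part of the original report or the attached patch: a small Python triage script that turns AppArmor file denials like the two quoted above into candidate profile rules, so a repeated DENIED line is read as a missing rule rather than noise. The function names and the mask-letter mapping are this example's own choices; the sample input is the pair of audit records from the report.

```python
import re
from collections import defaultdict

# The two denial records quoted in the report above.
SAMPLE_LOG = """\
type=AVC msg=audit(1580402312.471:882): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
type=AVC msg=audit(1580402312.471:883): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Mask letters that only appear in logs: create and delete are granted by "w".
MASK_TO_PERM = {"c": "w", "d": "w"}


def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def suggest_rules(log_text):
    """Return sorted (profile, rule) pairs for file accesses AppArmor denied.

    Repeated denials of the same path are merged into one rule. Records in
    complain mode (apparmor="ALLOWED") and records without a name= field
    (for example network denials) are skipped. Names that auditd logged as
    bare hex are not decoded here.
    """
    denied = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        perms = denied[rec.get("profile", "?")][rec["name"]]
        for letter in rec.get("denied_mask", ""):
            perms.add(MASK_TO_PERM.get(letter, letter))
    return [
        (profile, f"{path} {''.join(sorted(perms))},")
        for profile in sorted(denied)
        for path, perms in sorted(denied[profile].items())
    ]


if __name__ == "__main__":
    for profile, rule in suggest_rules(SAMPLE_LOG):
        print(f"profile {profile}: {rule}")
```

Each suggested rule still needs review before it goes into the profile, since a denial can also be the profile doing its job.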