Bug ID 1162277
Summary apparmor profiles: usr.sbin.nscd profile breaks nscd queries over NIS
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component AppArmor
Assignee suse-beta@cboltz.de
Reporter martin.wilck@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Created attachment 828723
PATCH: apparmor profiles: allow access to /etc/netconfig for nscd

I'm using "files nis" for passwd, shadow, and group in nsswitch.conf.

I just found that this works for non-local accounts only without nscd:

apollon:~ # id hare
id: ‘hare’: no such user
apollon:~ # systemctl stop nscd
apollon:~ # id hare
uid=16045(hare) gid=50(suse) groups=50(suse),...
apollon:~ # systemctl start nscd
apollon:~ # id hare
id: ‘hare’: no such user

Analysis revealed that this was caused by the apparmor profile usr.sbin.nscd.

I had indeed seen these messages but didn't realize they meant that no RPC was
possible at all.

> type=AVC msg=audit(1580402312.471:882): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
> type=AVC msg=audit(1580402312.471:883): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0

Adding "/etc/netconfig r," to the profile resolves the issue. See attached
patch.
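
Added example, not part of the original report or of the AppArmor tools: a small Python parser that turns AppArmor DENIED audit records like the two quoted above into candidate profile file rules, so the missing `/etc/netconfig r,` line can be read straight off the log. The function names and the third (complain-mode) log line are constructed for illustration; it assumes bare (unquoted) `name=` values are hex-encoded, as audit does for names with spaces or control characters.

```python
import re
from collections import defaultdict

# First two records are quoted from the report; the third (complain mode) is constructed.
SAMPLE_LOG = """\
type=AVC msg=audit(1580402312.471:882): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
type=AVC msg=audit(1580402312.471:883): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
type=AVC msg=audit(1580402313.102:884): apparmor="ALLOWED" operation="open" profile="nscd" name="/etc/hosts" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log-only masks c (create) and d (delete) become w in a profile; x is left out on
# purpose because an exec rule needs a transition mode chosen by a reviewer.
LOG_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}

def parse_record(line):
    """Split one audit line into a dict of its key=value fields."""
    rec = {}
    for m in KV.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is None and key == "name":
            try:  # unquoted name: assumed hex-encoded by audit
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex (e.g. "(null)"): keep as logged
        rec[key] = quoted if quoted is not None else bare
    return rec

def suggest_rules(log):
    """Return {profile: [file rules]} covering every DENIED file record in log."""
    perms = defaultdict(set)
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or "name" not in rec or "profile" not in rec:
            continue  # skip ALLOWED (complain mode) and non-file records
        mask = rec.get("denied_mask", "")
        perms[(rec["profile"], rec["name"])].update(LOG_TO_RULE[c] for c in mask if c in LOG_TO_RULE)
    rules = defaultdict(list)
    for (profile, path), mask in sorted(perms.items()):
        if mask:
            quoted_path = f'"{path}"' if " " in path else path
            rules[profile].append(f"{quoted_path} {''.join(sorted(mask))},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:", *lines, sep="\n  ")
```

Each suggested rule still needs review before it goes into the profile: the output only reflects what the confined process tried to open, not whether it should be allowed to.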

