# ------------------------------------------------------------------ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009-2011 Canonical Ltd. # Copyright (C) 2011-2024 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # ------------------------------------------------------------------ abi , include # libtirpc (used for NIS/YP login) needs this @{etc_ro}/netconfig r, # When using sssd, the passwd and group files are stored in an alternate path # and the nss plugin also needs to talk to a pipe /var/lib/sss/mc/group r, /var/lib/sss/mc/initgroups r, /var/lib/sss/mc/passwd r, /var/lib/sss/pipes/nss rw, # On systems where /etc/resolv.conf is managed programmatically, it is # a symlink to @{run}/(whatever program is managing it)/resolv.conf. @{run}/{NetworkManager,connman,netconfig}/resolv.conf r, @{etc_ro}/resolvconf/run/resolv.conf r, /mnt/wsl/resolv.conf r, @{etc_ro}/samba/lmhosts r, # db backend /var/lib/misc/*.db r, # The Name Service Cache Daemon can cache lookups, sometimes leading # to vast speed increases when working with network-based lookups. @{run}/.nscd_socket rw, @{run}/nscd/socket rw, /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r, # nscd renames and unlinks files in it's operation that clients will # have open @{run}/nscd/db* mix, # make libnss-libvirt name resolution work. /var/lib/libvirt/dnsmasq/* r, # make libnss-libvirt name resolution work. /var/lib/libvirt/dnsmasq/ r, /var/lib/libvirt/dnsmasq/*.status r, # The nss libraries are sometimes used in addition to PAM; make sure # they are available /{usr/,}lib{,32,64}/libnss_*.so* mr, /{usr/,}lib/@{multiarch}/libnss_*.so* mr, # avahi-daemon is used for mdns4 resolution @{run}/avahi-daemon/socket rw, # libnl-3-200 via libnss-gw-name @{PROC}/@{pid}/net/psched r, @{etc_ro}/libnl-*/classid r, # nis include # ldap include # winbind include # likewise include # mdnsd include # kerberos include # Also allow lookups for systemd-exec's DynamicUsers via D-Bus # https://www.freedesktop.org/software/systemd/man/systemd.exec.html dbus send bus=system path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}" peer=(name="org.freedesktop.systemd1"), # TCP/UDP network access network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, # TODO: adjust when support finer-grained netlink rules # Netlink raw needed for nscd network netlink raw, # interface details @{PROC}/@{pid}/net/ipv6_route r, @{PROC}/@{pid}/net/route r, # Include additions to the abstraction include if exists