New AppArmor profile: usr.sbin.nslcd

Bug #1575455 reported by Daniel Richard G.
Affects            Status  Importance  Assigned to  Milestone
AppArmor           New     Undecided   Unassigned
apparmor (Ubuntu)  New     Undecided   Unassigned

Bug Description

nslcd is a good program to be covered by an AppArmor profile, as it communicates with an LDAP server and services queries from arbitrary local applications.

This new profile used the existing usr.sbin.nscd profile as a starting point.

Tags: aa-policy
Daniel Richard G. (skunk) wrote :
Seth Arnold (seth-arnold) wrote :

That's a great start; I'm concerned about blocking the dgram protocols though -- will nslcd ever need to look up ldap server addresses via dns? Your site may not, but maybe someone else's will?

Thanks

Daniel Richard G. (skunk) wrote :

For my part, I'm not seeing DNS issues, and I've got a hostname in my LDAP server URI.

I'm not sure what goes on under the hood for normal DNS resolution these days (maybe DNS over TCP is favored now?), but if there's any doubt in your mind, feel free to drop those lines.

Daniel Richard G. (skunk) wrote :

Seth, it seems you're absolutely right.

Denying dgram while the system is up is no big deal, because DNS lookups go through nscd (or other similar infrastructure) instead of being sent out directly.

But when the system is starting up, and nscd et al. aren't running yet, the queries do need to go out directly. And nslcd ends up in a wedged state where it does not reply to queries, and prints an endless series of confusing "Can't contact LDAP server: Permission denied" errors to syslog.

So yes, please strike those two dgram lines from the profile.
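
The wedged state described in this comment shows up in two places at once: AppArmor audit lines denying nslcd a dgram socket, and nslcd's own "Can't contact LDAP server: Permission denied" messages. The following is an added example, not code from the bug report or the apparmor-profiles project: it pulls DENIED socket creations for the nslcd profile out of kernel audit lines and maps them to the network rules that would permit them. The log lines are constructed samples; the profile path /usr/sbin/nslcd is assumed from the profile name usr.sbin.nslcd, and the key names follow the standard AppArmor audit format.

```python
import re

# Constructed sample log lines (not a real capture): two AppArmor denials for
# dgram sockets during early boot, one nslcd bind failure, one allowed file open.
SAMPLE_LOG = """\
Apr 27 06:01:12 host kernel: audit: type=1400 audit(1461736872.101:45): apparmor="DENIED" operation="create" profile="/usr/sbin/nslcd" pid=1234 comm="nslcd" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
Apr 27 06:01:12 host kernel: audit: type=1400 audit(1461736872.102:46): apparmor="DENIED" operation="create" profile="/usr/sbin/nslcd" pid=1234 comm="nslcd" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
Apr 27 06:01:12 host nslcd[1234]: [8b4567] <passwd="daniel"> failed to bind to LDAP server ldap://ldap.example.org/: Can't contact LDAP server: Permission denied
Apr 27 06:01:13 host kernel: audit: type=1400 audit(1461736873.001:47): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nslcd" name="/etc/nslcd.conf" pid=1234 comm="nslcd" requested_mask="r" denied_mask="r"
"""

# AppArmor audit records are key="value" pairs; this pulls out the quoted ones.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_denials(log_text, profile="/usr/sbin/nslcd"):
    """Return (family, sock_type) pairs whose socket creation AppArmor denied
    for the given profile, in log order."""
    denied = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(KV_RE.findall(line))
        if fields.get("profile") != profile or fields.get("operation") != "create":
            continue
        if "family" in fields and "sock_type" in fields:
            denied.append((fields["family"], fields["sock_type"]))
    return denied

def suggest_rules(denials):
    """Map denied socket creations to the AppArmor network rules that would
    permit them (what a profile needs if no nscd-style cache is up yet)."""
    return sorted({f"network {family} {sock_type}," for family, sock_type in denials})

def ldap_bind_failures(log_text):
    """Count the nslcd error the bug report describes as repeating endlessly."""
    marker = "Can't contact LDAP server: Permission denied"
    return sum(1 for line in log_text.splitlines() if marker in line)

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    print("denied socket creations:", denials)
    print("rules that would permit them:", suggest_rules(denials))
    print("LDAP bind failures seen:", ldap_bind_failures(SAMPLE_LOG))
```

On a live system the same functions can be fed the output of `journalctl -k` or /var/log/audit/audit.log to confirm whether a non-responding nslcd is the dgram denial case rather than an LDAP-side problem.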

Seth Arnold (seth-arnold) wrote :

Thanks, I added the profile to the 16.04 and 16.10 directories:
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/revision/167
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/revision/168

If you want a copyright line on the files, either propose one here or a merge request. I'm sorry I didn't notice it earlier.

Thanks!

Daniel Richard G. (skunk) wrote :

Thank you Seth :-) Next rev in each release should have this, right?

No copyright line is needed; this was trivial to derive from the nscd profile.

Christian Boltz (cboltz)
tags: added: aa-policy