On Tue, Aug 22, 2017 at 11:14:59PM +0200, Christian Boltz wrote: > > Is the sss/ms/initgroups change intentional? > > Yes, this is intentional - I did the profile updates (on an INVIS server) > myself ;-) > > > Should that go into abstractions/nameservice instead? > > What about "maybe"? ;-) This was the first time I've seen access to > sss/ms/initgroups. I don't really know what it does, so I prefered to > only allow it in the smbd profile. > > If you think it makes sense for abstractions/nameservice, I can change > the patch ;-)
This would be wonderful, thanks. The 'initgroups' interface exists to support the getgrouplist(3) function as described by nsswitch.conf(5). So if a site is using sss then probably more than just Samba will need this. Acked-by: Seth Arnold <seth.arn...@canonical.com> for the 'old' patch minus the initgroups, and the offered new patch of the initgroups in abstractions/nameservice. :) Thanks
signature.asc
Description: PGP signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor