I would think it to be generally safe to allow sssd to read files in
/etc/sssd/pki/**.

Mimicking what the profile already has for other subdirectories of
/etc/sssd:

/etc/sssd/pki/ r,
/etc/sssd/pki/** r,


> Particularly would just /etc/sssd/pki/sssd_auth_ca_db.pem be sufficient to 
> alleviate those concerns?

There is another config setting for the name of that file, so globbing
sounds better, should the admin change that config.

You know, there might be a future where apparmor profiles could
dynamically adapt to config settings, within certain constraints. But
that's another topic :)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2109673

Title:
  sssd apparmor profile need /etc/sssd/pki/** r

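The trade-off discussed in the message above (a single-file rule versus the two glob rules), as an added example that is not part of the original message or of the sssd package. It uses a simplified model of AppArmor path globbing (only `*`, `**` and `?`), a constructed sssd.conf fragment, and assumes the setting the message refers to is `pam_cert_db_path` in the `[pam]` section:

```python
import configparser
import re

DEFAULT_CA_DB = "/etc/sssd/pki/sssd_auth_ca_db.pem"
# The two rules proposed in the message, and the narrower single-file alternative.
GLOB_RULES = [("/etc/sssd/pki/", "r"), ("/etc/sssd/pki/**", "r")]
SINGLE_FILE_RULES = [(DEFAULT_CA_DB, "r")]
# Constructed sample: an admin has renamed the CA bundle (assumed option name).
SAMPLE_CONF = """
[sssd]
services = nss, pam
[pam]
pam_cert_db_path = /etc/sssd/pki/corp_ca_bundle.pem
"""

def aa_glob_to_regex(glob):
    """Simplified AppArmor glob -> regex; handles only *, ** and ?."""
    out, i = [], 0
    while i < len(glob):
        if glob[i] == "*":
            double = glob.startswith("**", i)
            end = i + (2 if double else 1)
            # A whole path component made of */** must match at least one char,
            # which is why the directory itself needs its own rule.
            whole = i > 0 and glob[i - 1] == "/" and (end == len(glob) or glob[end] == "/")
            body = ".*" if double else "[^/]*"
            out.append("[^/]" + body if whole else body)
            i = end
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z", re.DOTALL)

def allowed(rules, path, perm="r"):
    """True if any rule granting `perm` matches `path`."""
    return any(perm in p and aa_glob_to_regex(g).match(path) for g, p in rules)

def ca_db_path(conf_text):
    """Return the configured CA bundle path, or the default if unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get("pam", "pam_cert_db_path", fallback=DEFAULT_CA_DB)

if __name__ == "__main__":
    path = ca_db_path(SAMPLE_CONF)
    print(path, "glob:", allowed(GLOB_RULES, path), "single:", allowed(SINGLE_FILE_RULES, path))
```
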