Comment 1 for bug 1869024

Simon Déziel (sdeziel) wrote :

As mentioned in LP: #1796911 by xnox, some abstractions should be augmented with the corresponding dbus rules. Support for userdb should also be added IMHO.

Here are the rules that were needed in my tests on an up-to-date Focal:

  # systemd DynamicUser
  # userdb varlink directory and the io.systemd.DynamicUser service socket
  /run/systemd/userdb/ r,
  /run/systemd/userdb/io.systemd.DynamicUser rw,
  @{PROC}/sys/kernel/random/boot_id r,
  # dynamic user lookups over the system bus (org.freedesktop.systemd1.Manager)
  #include <abstractions/dbus-strict>
  dbus send
     bus=system
     path="/org/freedesktop/systemd1"
     interface="org.freedesktop.systemd1.Manager"
     member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
     peer=(name=("org.freedesktop.systemd1")),

The boot_id is a concern for privacy/tracking abuse, so I also tried denying it and it doesn't seem to cause visible problems.
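The rules above are the kind one derives from AppArmor "DENIED" audit events while exercising a confined service against systemd DynamicUser. As an added example, not code from this bug report or from the AppArmor project, here is a small Python script that turns such audit lines into rule suggestions: file denials are collected per profile with their masks merged and the /proc prefix rewritten to @{PROC}, and D-Bus denials on the same bus/path/interface/peer are collapsed into one `dbus send` rule with a brace-expanded member list, matching the shape of the rules in the comment. The audit lines, the profile name `/usr/sbin/foo` and the pids are constructed for the example and are not from any real system.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from the bug report). They mirror
# the file and D-Bus denials a confined service hits when it resolves a
# systemd DynamicUser account. Profile name and pids are hypothetical.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1585500000.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/foo" name="/run/systemd/userdb/" pid=1201 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1585500000.102:202): apparmor="DENIED" operation="connect" profile="/usr/sbin/foo" name="/run/systemd/userdb/io.systemd.DynamicUser" pid=1201 comm="foo" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
type=AVC msg=audit(1585500000.103:203): apparmor="DENIED" operation="open" profile="/usr/sbin/foo" name="/proc/sys/kernel/random/boot_id" pid=1201 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=USER_AVC msg=audit(1585500000.104:204): pid=612 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=1201 label="/usr/sbin/foo" peer_pid=1 peer_label="unconfined"'
type=USER_AVC msg=audit(1585500000.105:205): pid=612 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=1201 label="/usr/sbin/foo" peer_pid=1 peer_label="unconfined"'
"""

# Only the quoted key="value" fields carry what we need (unquoted pid= etc. are skipped).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Canonical order for file permission letters when emitting a rule.
MASK_ORDER = "rwalkm"


def parse_fields(line):
    """Return the quoted key="value" fields of one audit line as a dict."""
    return dict(FIELD_RE.findall(line))


def normalize_path(path):
    """Rewrite a /proc path with the @{PROC} variable, as the abstractions do."""
    if path.startswith("/proc/"):
        return "@{PROC}/" + path[len("/proc/"):]
    return path


def canonical_mask(*masks):
    """Merge several masks ("r", "wr", ...) into one canonically ordered mask."""
    letters = set("".join(masks))
    return "".join(c for c in MASK_ORDER if c in letters)


def suggest_rules(audit_text):
    """Map each confined profile to a list of AppArmor rule lines covering its denials."""
    file_masks = defaultdict(dict)                           # profile -> path -> mask
    dbus_members = defaultdict(lambda: defaultdict(list))    # profile -> key -> [members]
    for line in audit_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED":
            continue
        if f.get("operation", "").startswith("dbus_"):
            # D-Bus events name the subject via label=, the peer via name=.
            key = (f.get("mask", "send"), f.get("bus"), f.get("path"),
                   f.get("interface"), f.get("name"))
            members = dbus_members[f["label"]][key]
            if f.get("member") and f["member"] not in members:
                members.append(f["member"])
        elif "name" in f and "profile" in f:
            path = normalize_path(f["name"])
            prof = file_masks[f["profile"]]
            mask = f.get("denied_mask") or f.get("requested_mask", "")
            prof[path] = canonical_mask(prof.get(path, ""), mask)

    rules = {}
    for profile in sorted(set(file_masks) | set(dbus_members)):
        out = [f"{path} {mask}," for path, mask in sorted(file_masks[profile].items())]
        for (access, bus, path, iface, peer), members in dbus_members[profile].items():
            member = members[0] if len(members) == 1 else "{" + ",".join(members) + "}"
            out.append(
                f'dbus {access} bus={bus} path="{path}" interface="{iface}" '
                f'member="{member}" peer=(name="{peer}"),'
            )
        rules[profile] = out
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_AUDIT).items():
        print(f"# suggested additions for profile {profile}")
        for rule in lines:
            print("  " + rule)
```

Treat the output as a starting point, not a grant list: every suggested line should be reviewed for whether the access is actually needed (the boot_id read discussed above is exactly the kind of entry one may prefer to deny), and D-Bus rules still need `#include <abstractions/dbus-strict>` alongside them.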