Comment 0 for bug 1056391

Stéphane Graber (stgraber) wrote :

sssd provides two files for fast access to its cache, /var/lib/sss/mc/group and /var/lib/sss/mc/passwd.

Those are world readable, and any process that may do nss queries should be allowed read rights to them.

=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice 2012-01-12 12:55:17 +0000
+++ profiles/apparmor.d/abstractions/nameservice 2012-09-25 18:44:33 +0000
@@ -21,6 +21,10 @@
   /etc/passwd r,
   /etc/protocols r,

+ # When using sssd, the passwd and group files are stored in an alternate path
+ /var/lib/sss/mc/group r,
+ /var/lib/sss/mc/passwd r,
+
   /etc/resolv.conf r,
   # on systems using resolvconf, /etc/resolv.conf is a symlink to
   # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
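Review bot: the new comment ("the passwd and group files are stored in an alternate path") is misleading: per the description these are sssd's fast-access cache files, not a relocated /etc/passwd and /etc/group, so consider "sssd exposes its fast lookup cache for passwd and group entries here". Also, the two rules are inserted between the /etc/protocols and /etc/resolv.conf entries, breaking the ordering of the surrounding /etc block; placing them after the /etc entries would keep the abstraction readable.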

The fix above seems to be doing the trick here; it's similar to the SELinux rule change that had to happen on Red Hat's side:
https://bugzilla.redhat.com/show_bug.cgi?id=806348