Cups rightfully includes nameservices like:
#include <abstractions/nameservice>
After our analysis in bug 1890858 I think it is fair to request an SRU update of apparmor in Focal (only needed there, see bug 1890858 for details), as it would fix this element in Cups and in many other potential places as well.
Adding "unix (bind) type=dgram addr=@userdb-*," in abstractions/nameservice in Focal seems right to me.
---
Furthermore abstractions/nameservice already wants to allow sssd:
# When using sssd, the passwd and group files are stored in an alternate path
# and the nss plugin also needs to talk to a pipe
/var/lib/sss/mc/group r,
/var/lib/sss/mc/initgroups r,
/var/lib/sss/mc/passwd r,
/var/lib/sss/pipes/nss rw,
I don't know whether
/var/lib/sss/pipes/private/pam rw,
is a default configuration, nor whether it would be a safe path to allow.
But it could well be.
If OK, this one would likely be needed/wanted in >=Bionic in abstractions/nameservice.
---
Both changes IMHO would have to be done by the Security Team with regard to the apparmor package, so I'll add a bug task for this and assign it to them to have a look.
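As an added illustration (not part of the bug report or of the apparmor package), the following shell helpers show the two practical steps around the proposed `unix (bind) type=dgram addr=@userdb-*,` rule: deriving such a rule from an AppArmor "DENIED" audit line, and checking/adding it idempotently to a copy of abstractions/nameservice. The denial line is constructed for the example (its field layout is modelled on AppArmor's audit output but the values are made up), and the function names are assumptions for this example only.

```shell
# Added example: not the bug reporter's or the apparmor project's code.

# The rule proposed for abstractions/nameservice in Focal.
USERDB_RULE='unix (bind) type=dgram addr=@userdb-*,'

# Constructed sample denial line (field layout modelled on AppArmor audit
# output; the pid, socket suffix and other values are made up).
SAMPLE_DENIAL='apparmor="DENIED" operation="bind" profile="/usr/sbin/cupsd" pid=1234 comm="cupsd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-12345"'

# Read one denial line on stdin and print the AppArmor unix rule that would
# allow it. Only unix-family denials are handled; anything else exits 1.
rule_from_denial() {
  awk '{
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=");
      gsub(/"/, "", kv[2]);
      f[kv[1]] = kv[2];
    }
    if (f["family"] != "unix") { exit 1 }
    addr = f["addr"];
    sub(/-.*/, "-*", addr);   # generalise the per-client suffix to a glob
    printf "unix (%s) type=%s addr=%s,\n", f["operation"], f["sock_type"], addr
  }'
}

# Exit 0 if the given abstraction file already carries the userdb rule.
# grep -F keeps the "(" and "*" in the rule literal.
has_userdb_rule() {
  grep -qF -- "$USERDB_RULE" "$1"
}

# Append the rule once; a second call is a no-op (idempotent edit).
add_userdb_rule() {
  has_userdb_rule "$1" || printf '\n  %s\n' "$USERDB_RULE" >> "$1"
}
```

Run `rule_from_denial` over lines pulled from `journalctl` or `dmesg` to see what the denial would need; compare the result with the proposed rule before widening any abstraction, since abstractions/nameservice is pulled into many profiles at once.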