:-) NP Seth - Yes the "local" was only for manual workarounds in this bug.
And the proposed fix is in the right place for the package.
The abstractions, or generally other places for that rule are interesting.
Because, as I stated above, while I now finally can recreate it in Focal, it is gone in later versions. I was unable to find a clear sssd/libvirt change that fixed this - but chances are one of those abstractions already got a rule that now allows it.
#include <abstractions/base>
#include <abstractions/dbus>
Neither of them leads to such a rule in >=Groovy.
It really is systemd that changed.
The code was indeed present in 245 (Focal) but not later.
That is the code on v245 (Focal):
https://github.com/systemd/systemd/blob/ea500ac513cf51bcb79a5666f1519499d029428f/src/shared/userdb.c#L1237
The whole functionality was added in v245 via
https://github.com/systemd/systemd/commit/ec8e4a0ef12ff2fd393e58c335602d605d94f846
and removed in v246 via
https://github.com/systemd/systemd/commit/037b0a47b0d7df09d720dda6703135117e7e0472
That explains why we only see this in Focal - it is the only version containing that mechanism.
And I think it is fair to say that the switch of the underlying tech in systemd isn't backportable for an SRU (compared to the rule we propose).
It now also makes sense why e.g. the non-local sssd user triggers this. When calling the service through the socket of libvirt it will try to check who has called, and that is exactly when the nss services will all be probed. With systemd 245 this also implies that this generated socket gets bound.
I'll have a look at further restricting the rule ...
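As an added illustration of the mechanism described in this comment (this is not libvirt's, sssd's or systemd's code): a Unix-socket server identifies its caller with SO_PEERCRED and then resolves that uid with getpwuid(), which is the libc entry point that walks every configured NSS passwd source (files, sss, and on systemd 245 the userdb code that binds the socket mentioned above). The helper names `peer_uid`, `resolve_caller` and `demo` are my own; that libvirt's "who has called" check is a SO_PEERCRED lookup followed by a uid-to-name resolution is an assumption made for the example. A socketpair() stands in for the accepted client connection so the program runs offline.

```c
/* Added illustration (not libvirt's or systemd's code): identify the peer on
 * an AF_UNIX socket and resolve its uid through NSS. The getpwuid() call is
 * the point where an AppArmor profile confining the server needs to allow
 * whatever the NSS modules do (sssd's pipe, systemd 245's userdb socket). */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/types.h>
#include <pwd.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>

/* Caller's uid as reported by the kernel for a connected AF_UNIX socket,
 * or (uid_t)-1 on failure (e.g. not a socket, bad fd). Constructed helper. */
uid_t peer_uid(int fd) {
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return (uid_t)-1;
    return cred.uid;
}

/* Resolve the peer's uid to a user name. getpwuid() consults every NSS
 * "passwd" source in nsswitch.conf, so this is where the probing of the
 * nss services described in the comment happens. Returns 0 and fills
 * name on success, -1 if the peer is unknown or no NSS source knows the uid. */
int resolve_caller(int fd, char *name, size_t namelen) {
    uid_t uid = peer_uid(fd);
    if (uid == (uid_t)-1)
        return -1;
    errno = 0;
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)
        return -1;
    snprintf(name, namelen, "%s", pw->pw_name);
    return 0;
}

/* Self-contained check: a socketpair() replaces the listening socket plus a
 * connected client. Both ends belong to this process, so the kernel-reported
 * peer uid must equal getuid(). Returns 1 when that holds, 0 otherwise. */
int demo(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    int ok = (peer_uid(sv[0]) == getuid());
    char name[256];
    if (resolve_caller(sv[0], name, sizeof(name)) == 0)
        printf("caller uid %u resolved via NSS to %s\n", (unsigned)getuid(), name);
    else
        printf("caller uid %u not resolvable via NSS (errno=%d)\n",
               (unsigned)getuid(), errno);
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void) {
    return demo() ? 0 : 1;
}
```

Running this under a confining AppArmor profile while tailing the audit log shows the denial at the getpwuid() step rather than at the socket accept, which is why a rule for the NSS module's resource (rather than for libvirt's own socket) is the fix being proposed.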