Comment 18 for bug 903752

BTW, while not a condition of this MIR, it sounds like sssd would be a great candidate for an apparmor profile-- runs privileged and processes network traffic but its actions are well known and predictable. If someone is up for it, feel free to ask for help in #ubuntu-hardened on Freenode or #apparmor on OFTC.