From 0593a035f55b1ca224e7d8d22a9d061f6ad52c7d Mon Sep 17 00:00:00 2001
From: Noel Power
Date: Fri, 3 Mar 2023 11:44:45 +0000
Subject: [PATCH] add kerberosclient to included abstractions for winbindd prevent messages like apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/winbindd" name="/usr/lib64/krb5/plugins/authdata/sssd_pac_plugin.so" pid=2798 comm="winbindd" requested_mask="m" denied_mask="m" fsuid=52311 ouid=0
Signed-off-by: Noel Power
---
 profiles/apparmor.d/usr.sbin.winbindd | 1 +
 1 file changed, 1 insertion(+)
diff --git a/profiles/apparmor.d/usr.sbin.winbindd b/profiles/apparmor.d/usr.sbin.winbindd
index db1f43c8e..5b3c2ca6e 100644
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@@ -6,6 +6,7 @@ profile winbindd /usr/{bin,sbin}/winbindd {
 include
 include
 include
+ include
 deny capability block_suspend,
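Review bot: The added `include` line grants winbindd the whole kerberosclient abstraction (named in the subject; the include argument is not visible in this rendering), while the commit message documents only one `file_mmap` denial, on `/usr/lib64/krb5/plugins/authdata/sssd_pac_plugin.so`. Nothing in this patch shows that the abstraction carries an `m` rule covering `krb5/plugins/authdata/`, so that should be confirmed; if it does not, the logged denial will persist. The include also gives winbindd every other rule in that abstraction, which is presumably wider than the single mmap shown, so the extra paths deserve a look against what the daemon needs. A short comment above the include, for example `# kerberosclient: winbindd mmaps krb5 authdata plugins such as sssd_pac_plugin.so`, would record why the abstraction is present. The profile body continues outside the hunk.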