From 0e6b48cc785517a9cdcf15f0054886d56e9db24b Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Fri, 3 Mar 2023 11:35:47 +0000
Subject: [PATCH] adjust winbindd profile to cater for sssd kdcinfo access

winbindd (with nsswitch sssd configuration) is now getting

type=AVC msg=audit(1677832823.657:119): apparmor="DENIED" operation="open" profile="/usr/sbin/winbindd" name="/var/lib/sss/pubconf/kdcinfo.TESTDOMAIN1.MY.COM" pid=3026 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Signed-off-by: Noel Power <noel.power@suse.com>
(cherry picked from commit b4f54148825774c1bb67ded70f70e53ed1c7dae6)
---
 profiles/apparmor.d/usr.sbin.winbindd | 1 +
 1 file changed, 1 insertion(+)

diff --git a/profiles/apparmor.d/usr.sbin.winbindd b/profiles/apparmor.d/usr.sbin.winbindd
index adc3a010d..8bdd2d479 100644
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@@ -30,6 +30,7 @@ profile winbindd /usr/{bin,sbin}/winbindd {
   /usr/{bin,sbin}/winbindd mr,
   /var/cache/krb5rcache/* rwk,
   /var/cache/samba/*.tdb rwk,
+  /var/lib/sss/pubconf/kdcinfo.* r,
   /var/log/samba/log.winbindd rw,
   @{run}/{samba/,}winbindd.pid rwk,
   @{run}/samba/winbindd/ rw,