From 675a99ac7b569f952664c9cd582e775e8d24e17b Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Fri, 18 Apr 2025 17:15:02 +0200
Subject: [PATCH] abstractions/nameservice: allow kanidm-unixd

If kanidm is configured in nsswitch.conf(5), access to the kanidm-unixd configuration is needed for applications to resolve entries. For example:

```
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm" name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
```

Signed-off-by: Georg Pfuetzenreuter
---
 profiles/apparmor.d/abstractions/nameservice | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
index 18f5b0240..f3c2a2f38 100644
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -58,6 +58,9 @@
 @{PROC}/@{pid}/net/psched r,
 @{etc_ro}/libnl-*/classid r,
+ # user/group resolution through kanidm
+ /etc/kanidm/unixd r,
+
 # nis
 include