Seth, it seems you're absolutely right.

Denying dgram while the system is up is no big deal, because DNS lookups
go through nscd (or other similar infrastructure) instead of being sent
out directly.

But when the system is starting up, and nscd et al. aren't running yet,
the queries do need to go out directly. And nslcd ends up in a wedged
state where it does not reply to queries, and prints an endless series
of confusing "Can't contact LDAP server: Permission denied" errors to
syslog.

So yes, please strike those two dgram lines from the profile.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1575455

Title:
  New AppArmor profile: usr.sbin.nslcd

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  nslcd is a good program to be covered by an AppArmor profile, as it
  communicates with an LDAP server and services queries from arbitrary
  local applications.

  This new profile used the existing usr.sbin.nscd profile as a starting
  point.
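
A log-triage sketch for the failure described in the reply above, added here as an example and not taken from the bug report or the profile: it pairs AppArmor dgram socket denials for nslcd with the LDAP error the reply quotes. The log lines are constructed and the profile name /usr/sbin/nslcd is an assumption. A denial only reaches the log when the rule is implicit or written as "audit deny", since a plain "deny" rule is silent.

```python
import re

# Constructed sample log lines (not from the bug report). The AppArmor line
# follows the kernel audit key="value" layout; the profile name is assumed.
SAMPLE_LOG = """\
May  2 08:00:01 host kernel: audit: type=1400 audit(1462176001.101:12): apparmor="DENIED" operation="create" profile="/usr/sbin/nslcd" pid=812 comm="nslcd" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
May  2 08:00:01 host nslcd[812]: failed to bind to LDAP server ldap://ldap.example.test/: Can't contact LDAP server: Permission denied
May  2 08:00:02 host nslcd[812]: failed to bind to LDAP server ldap://ldap.example.test/: Can't contact LDAP server: Permission denied
May  2 08:00:03 host kernel: audit: type=1400 audit(1462176003.200:13): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r"
May  2 08:00:04 host nslcd[812]: accepting connections
"""

KV = re.compile(r'(\w+)="([^"]*)"')
LDAP_ERROR = "Can't contact LDAP server: Permission denied"  # text quoted in the reply


def correlate(log_text, daemon="nslcd"):
    """Pair dgram socket denials for the daemon's profile with its LDAP errors."""
    denials, errors = [], 0
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        if (fields.get("apparmor") == "DENIED"
                and fields.get("profile", "").endswith("/" + daemon)
                and fields.get("sock_type") == "dgram"):
            # A confined daemon was refused a datagram socket (direct DNS uses UDP).
            denials.append((fields.get("family"), fields.get("operation")))
        elif f" {daemon}[" in line and LDAP_ERROR in line:
            errors += 1
    return {
        "dgram_denials": denials,
        "ldap_errors": errors,
        # Both symptoms together point at the profile rather than the LDAP server.
        "profile_suspected": bool(denials) and errors > 0,
    }


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```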
