nscd service fails with apparmor 3.0.0-2 on Arch Linux
After a recent upgrade of apparmor on Arch Linux the nscd systemd service fails to start. Arch Linux has /var/db/nscd and that path is missing from the profile AFAICT. A slight change in /etc/apparmor.d/usr.sbin.nscd seems to fix this.
Attachment: usr.sbin.nscd.patch
$ pacman -Q apparmor glibc
apparmor 3.0.0-2
glibc 2.32-4
$ cat /etc/apparmor.d/usr.sbin.nscd
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2009-2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
profile nscd /usr/{bin,sbin}/nscd {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>
  include <abstractions/ssl_certs>

  deny capability block_suspend,

  capability net_bind_service,
  capability setgid,
  capability setuid,

  /etc/netgroup r,
  /etc/nscd.conf r,
  /usr/{bin,sbin}/nscd rmix,
  @{run}/.nscd_socket wl,
  @{run}/nscd/ rw,
  @{run}/nscd/db* rwl,
  @{run}/nscd/socket wl,
  /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
  @{run}/{nscd/,}nscd.pid rwl,
  /var/lib/libvirt/dnsmasq/ r,
  /var/lib/libvirt/dnsmasq/*.status r,
  /var/log/nscd.log rw,

  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/fd/* r,
  @{PROC}/@{pid}/mounts r,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.sbin.nscd>
}
$ systemctl status nscd
● nscd.service - Name Service Cache Daemon
     Loaded: loaded (/usr/lib/systemd/system/nscd.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Sat 2020-10-10 21:58:45 CEST; 1min 59s ago
    Process: 919 ExecStart=/usr/sbin/nscd (code=exited, status=1/FAILURE)

Oct 10 21:58:45 lab16 systemd[1]: nscd.service: Scheduled restart job, restart counter is at 5.
Oct 10 21:58:45 lab16 systemd[1]: Stopped Name Service Cache Daemon.
Oct 10 21:58:45 lab16 systemd[1]: nscd.service: Start request repeated too quickly.
Oct 10 21:58:45 lab16 systemd[1]: nscd.service: Failed with result 'exit-code'.
Oct 10 21:58:45 lab16 systemd[1]: Failed to start Name Service Cache Daemon.
$ sudo /usr/sbin/nscd -d
2020-10-10T22:02:57 CEST - 5699: monitoring file /etc/passwd for database passwd
2020-10-10T22:02:57 CEST - 5699: monitoring file `/etc/passwd` (1)
2020-10-10T22:02:57 CEST - 5699: monitoring directory `/etc` (2)
2020-10-10T22:02:57 CEST - 5699: monitoring file /etc/group for database group
2020-10-10T22:02:57 CEST - 5699: monitoring file `/etc/group` (3)
2020-10-10T22:02:57 CEST - 5699: monitoring directory `/etc` (2)
2020-10-10T22:02:57 CEST - 5699: monitoring file /etc/hosts for database hosts
2020-10-10T22:02:57 CEST - 5699: monitoring file `/etc/hosts` (4)
2020-10-10T22:02:57 CEST - 5699: monitoring directory `/etc` (2)
2020-10-10T22:02:57 CEST - 5699: monitoring file /etc/resolv.conf for database hosts
2020-10-10T22:02:57 CEST - 5699: monitoring file `/etc/resolv.conf` (5)
2020-10-10T22:02:57 CEST - 5699: monitoring directory `/etc` (2)
2020-10-10T22:02:57 CEST - 5699: monitoring file /etc/services for database services
2020-10-10T22:02:57 CEST - 5699: monitoring file `/etc/services` (6)
2020-10-10T22:02:57 CEST - 5699: monitoring directory `/etc` (2)
/usr/sbin/nscd: cannot access '/var/db/nscd/passwd': Success

=== after fixing /etc/apparmor.d/usr.sbin.nscd ===

$ cat /etc/apparmor.d/usr.sbin.nscd
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2009-2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <tunables/global>
profile nscd /usr/{bin,sbin}/nscd {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>
  include <abstractions/ssl_certs>

  deny capability block_suspend,

  capability net_bind_service,
  capability setgid,
  capability setuid,

  /etc/netgroup r,
  /etc/nscd.conf r,
  /usr/{bin,sbin}/nscd rmix,
  @{run}/.nscd_socket wl,
  @{run}/nscd/ rw,
  @{run}/nscd/db* rwl,
  @{run}/nscd/socket wl,
  /{var/cache,var/db,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
  @{run}/{nscd/,}nscd.pid rwl,
  /var/lib/libvirt/dnsmasq/ r,
  /var/lib/libvirt/dnsmasq/*.status r,
  /var/log/nscd.log rw,

  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/fd/* r,
  @{PROC}/@{pid}/mounts r,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.sbin.nscd>
}
$ systemctl status nscd
● nscd.service - Name Service Cache Daemon
     Loaded: loaded (/usr/lib/systemd/system/nscd.service; enabled; vendor preset: disabled)
     Active: active (running) since Sat 2020-10-10 22:06:10 CEST; 2min 27s ago
    Process: 704 ExecStart=/usr/sbin/nscd (code=exited, status=0/SUCCESS)
   Main PID: 716 (nscd)
      Tasks: 10 (limit: 4645)
     Memory: 28.4M
     CGroup: /system.slice/nscd.service
             └─716 /usr/sbin/nscd

Oct 10 22:06:10 lab16 nscd[716]: 716 monitoring file `/etc/group` (3)
Oct 10 22:06:10 lab16 nscd[716]: 716 monitoring directory `/etc` (2)
Oct 10 22:06:10 lab16 nscd[716]: 716 monitoring file `/etc/hosts` (4)
Oct 10 22:06:10 lab16 nscd[716]: 716 monitoring directory `/etc` (2)
Oct 10 22:06:10 lab16 nscd[716]: 716 monitoring file `/etc/resolv.conf` (5)
Oct 10 22:06:10 lab16 nscd[716]: 716 monitoring directory `/etc` (2)
Oct 10 22:06:10 lab16 nscd[716]: 716 monitoring file `/etc/services` (6)
Oct 10 22:06:10 lab16 nscd[716]: 716 monitoring directory `/etc` (2)
Oct 10 22:06:10 lab16 systemd[1]: Started Name Service Cache Daemon.
Oct 10 22:06:12 lab16 nscd[716]: 716 monitored file `/etc/resolv.conf` was written to
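The only difference between the two profile listings is the extra `var/db` alternative in one path rule, and the misleading `cannot access '/var/db/nscd/passwd': Success` message gives no hint that a mediation rule is the cause. The following Python checker is an added example for this report (not code from the report, from Arch, or from the AppArmor project): it expands AppArmor brace alternations and the `@{run}`, `@{PROC}` and `@{pid}` tunables, converts the resulting globs to regular expressions with AppArmor's matching rules (`*` and `?` never cross a `/`, `**` does, deny beats allow), and reports whether a given path receives the permissions nscd asks for. The tunable values in `TUNABLES` are simplified assumptions rather than the exact contents of `tunables/global`, and `ORIGINAL_PROFILE` holds only the handful of rules from the listing that matter here.

```python
import re

# Assumption: simplified stand-ins for the tunables/global definitions.
TUNABLES = {
    "@{run}": ["/run", "/var/run"],
    "@{PROC}": ["/proc"],
    "@{pid}": ["[0-9]*"],
}

# A file rule: optional 'deny', optional 'owner', a path that is absolute or
# starts with a tunable, permission letters, trailing comma.
FILE_RULE = re.compile(r"^(?:(deny)\s+)?(?:owner\s+)?(/\S*|@\{\S*)\s+([A-Za-z]+),$")


def expand_variables(pattern):
    """Substitute every @{name} tunable; one glob per combination of values."""
    m = re.search(r"@\{\w+\}", pattern)
    if not m:
        return [pattern]
    values = TUNABLES.get(m.group(0))
    if values is None:
        raise ValueError("unknown tunable %s" % m.group(0))
    out = []
    for value in values:
        out.extend(expand_variables(pattern[:m.start()] + value + pattern[m.end():]))
    return out


def expand_alternations(pattern):
    """Expand {a,b,...} groups, innermost first; an empty alternative is allowed."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_alternations(pattern[:m.start()] + alt + pattern[m.end():]))
    return out


def expand_globs(pattern):
    """Tunables first (they contain braces), then brace alternations."""
    return [g for plain in expand_variables(pattern) for g in expand_alternations(plain)]


def glob_to_regex(glob):
    """AppArmor glob to an anchored regex: '*' and '?' stop at '/', '**' does not."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            if glob.startswith("**", i):
                out.append(".*")
                i += 2
                continue
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = glob.find("]", i)
            if j == -1:
                raise ValueError("unterminated character class in %s" % glob)
            out.append(glob[i:j + 1])  # character class copied as-is
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def parse_file_rules(profile_text):
    """Return (is_deny, path_pattern, permission set) for each file rule."""
    rules = []
    for line in profile_text.splitlines():
        m = FILE_RULE.match(line.split("#", 1)[0].strip())
        if m:
            deny, path, perms = m.groups()
            rules.append((deny is not None, path, set(perms)))
    return rules


def check_access(profile_text, path, needed):
    """True if the profile grants every letter in `needed` on `path`.
    Allow rules accumulate; a matching deny rule strips its permissions."""
    granted, denied = set(), set()
    for is_deny, pattern, perms in parse_file_rules(profile_text):
        if any(re.match(glob_to_regex(g), path) for g in expand_globs(pattern)):
            (denied if is_deny else granted).update(perms)
    return set(needed) <= (granted - denied)


# The rules that matter, copied from the two listings above (rest omitted).
ORIGINAL_PROFILE = """
  /etc/nscd.conf r,
  @{run}/nscd/db* rwl,
  /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
  @{run}/{nscd/,}nscd.pid rwl,
  @{PROC}/@{pid}/cmdline r,
"""
FIXED_PROFILE = ORIGINAL_PROFILE.replace("/{var/cache,var/lib", "/{var/cache,var/db,var/lib")

if __name__ == "__main__":
    for label, profile in (("original", ORIGINAL_PROFILE), ("fixed", FIXED_PROFILE)):
        ok = check_access(profile, "/var/db/nscd/passwd", "rw")
        print("%-8s profile: rw on /var/db/nscd/passwd -> %s" % (label, ok))
```

Run stand-alone, the block shows that the original rule expands to twenty globs, none of them under `/var/db`, so the path receives no permissions at all, while the fixed rule grants `rw`. Two practical notes for anyone applying such a change: the kernel log (`journalctl -k` or `dmesg`) carries an `apparmor="DENIED"` audit line naming the exact path and requested operation, which is the check to make before touching a profile; and the profile's own last comment points at the place for site-specific rules, `/etc/apparmor.d/local/usr.sbin.nscd`, which is included inside the profile block and so survives the next package upgrade, unlike an edit to the shipped file. After adding a rule there, `sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.nscd` reloads the profile.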