# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/4.0>,

include <tunables/global>
profile nscd /usr/{bin,sbin}/nscd {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>
  include <abstractions/ssl_certs>

  deny capability block_suspend,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  /etc/machine-id r,
  /etc/netgroup r,
  /etc/nscd.conf r,
  /usr/{bin,sbin}/nscd rmix,
  @{run}/.nscd_socket wl,
  @{run}/nscd/ rw,
  @{run}/nscd/db* rwl,
  @{run}/nscd/socket wl,
  /{var/cache,var/db,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
  @{run}/{nscd/,}nscd.pid rwl,
  /var/lib/libvirt/dnsmasq/ r,
  /var/lib/libvirt/dnsmasq/*.status r,
  /var/log/nscd.log rw,
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/fd/* r,
  @{PROC}/@{pid}/mounts r,

  # systemd-userdb
  /{etc,run,run/host,/usr/lib}/userdb/ r,
  /{etc,run,run/host,/usr/lib}/userdb/*.{user,user-privileged,group,group-privileged} r,

  # needed by unscd
  @{run}/systemd/notify w,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.sbin.nscd>
}