# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>
/usr/sbin/nscd {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  deny capability block_suspend,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  network inet dgram,
  network inet stream,

  /etc/netgroup r,
  /etc/nscd.conf r,
  /tmp/.winbindd/pipe rw,
  /usr/sbin/nscd rmix,
  /var/lib/samba/winbindd_privileged/pipe rw,
  /{,var/}run/.nscd_socket wl,
  /{,var/}run/avahi-daemon/socket w,
  /{,var/}run/nscd/ rw,
  /{,var/}run/nscd/db* rwl,
  /{,var/}run/nscd/socket wl,
  /var/{cache,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
  /{,var/}run/{nscd/,}nscd.pid rwl,
  /var/log/nscd.log rw,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/fd/* r,
  @{PROC}/@{pid}/maps r,
  @{PROC}/@{pid}/mounts r,
  @{PROC}/filesystems r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.nscd>
}