# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2009 Novell/SUSE
#    Copyright (C) 2009-2011 Canonical Ltd.
#    Copyright (C) 2014 Hewlett-Packard Development Company, L.P.
#    Copyright (C) 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# ------------------------------------------------------------------

  # Many programs wish to perform nameservice-like operations, such as
  # looking up users by name or id, groups by name or id, hosts by name
  # or IP, etc. These operations may be performed through files, dns,
  # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
  /etc/group              r,
  /etc/host.conf          r,
  /etc/hosts              r,
  /etc/nsswitch.conf      r,
  /etc/gai.conf           r,
  /etc/passwd             r,
  /etc/protocols          r,

  # Uncomment when sssd (system security services deamon) is used.
  # When using sssd, the passwd and group files are stored in an alternate path
  #/var/lib/sss/mc/group   r,
  #/var/lib/sss/mc/passwd  r,

  /etc/resolv.conf        r,
  # on systems using resolvconf, /etc/resolv.conf is a symlink to
  # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
  # /etc/resolvconf/run/resolv.conf
  /{,var/}run/resolvconf/resolv.conf r,
  /etc/resolvconf/run/resolv.conf r,

  /etc/samba/lmhosts      r,
  /etc/services           r,
  # db backend
  /var/lib/misc/*.db      r,
  # The Name Service Cache Daemon can cache lookups, sometimes leading
  # to vast speed increases when working with network-based lookups.
  /{,var/}run/.nscd_socket   rw,
  /{,var/}run/nscd/socket    rw,
  /var/{db,cache,run}/nscd/{passwd,group,services,hosts}    r,
  # nscd renames and unlinks files in it's operation that clients will
  # have open
  /{,var/}run/nscd/db*  rmix,

  # The nss libraries are sometimes used in addition to PAM; make sure
  # they are available
  /lib{,32,64}/libnss_*.so*      mr,
  /usr/lib{,32,64}/libnss_*.so*  mr,
  /lib/@{multiarch}/libnss_*.so*      mr,
  /usr/lib/@{multiarch}/libnss_*.so*  mr,
  /etc/default/nss               r,

  # Uncomment when  mdns4 support required
  # avahi-daemon is used for mdns4 resolution
  #/{,var/}run/avahi-daemon/socket w,

  # Uncomment to support nis
  ##include <abstractions/nis>

  # ldap
  #include <abstractions/ldapclient>
  # all openldap config
  /etc/ldap/**            r,

  # Uncomment to support winbind
  ##include <abstractions/winbind>

  # Uncomment to support likewise
  ##include <abstractions/likewise>

  # Uncomment to support mdnsd
  ##include <abstractions/mdns>

  # kerberos
  #include <abstractions/kerberosclient>

  # TCP/UDP network access
  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,

  # interface details
  @{PROC}/*/net/route r,
