From: mjt@tls.msk.ru 
  
 Package: apparmor 
 Version: 4.1.0-1 
 Severity: normal 
  
 abstractions/winbind has rather strange and very outdated profile. 
 I'm assuming this is pam-winbind and nss-winbind, not winbind daemon - 
 because for the daemon, much more is needed. 
  
 I dont know where all these files listed in there are there.  Neiter 
 pam nor winbind modules access these files.  The only file they do 
 access is /run/samba/winbind/pipe - very long time ago it's been in 
 /tmp/.winbind/pipe, but it has been moved elsewhere (to /var/run, 
 later to /run) many years ago.  And this is the path which is blocked 
 by current profile. 
  
 Without any prior knowlege of apparmor, I'd say this whole file should 
 have just one line: 
  
   @{run}/samba/winbind/pipe rw, 
  
 Note also that PAM-winbind is different from NSS-winbind - the pam stuff 
 is for authentication, which is usually done by a priviledged process. 
 So I *guess* it meant to be nss-winbind in comment, not pam-winbind. 
  
 I wonder how it went unnoticed for so many years. 
  
 This come to my attention as #1110985 - this one apparently also needs 
 an ability to create unix sockets (socket(AF_UNIX)) which is blocked 
 now, but I don't know how to enable this one.  Any help with this bug 
 is appreciated. 
  
 Thanks, 
  
 /mjt 
  
 --- SoupGate-Win32 v1.05 
  * Origin: you cannot sedate... all the things you hate (1:229/2)