The nsswitch_domain is already allowed to search /run/systemd; sssd, however,
requires the read permission, granted by the list_dir_perms pattern.
The reason is that sssd is using an asynchronous resolver library
(c-ares) and monitors /etc/resolv.conf for changes. If /etc/resolv.conf
is replaced with a symlink, SSSD tries to follow it to set an inotify
watch to be aware of the target file changes. The resolv.conf file
changes can be made by a user, NetworkManager, or systemd-resolved.
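As an added example (not part of this commit, sssd or selinux-policy), a Python script that follows the /etc/resolv.conf symlink chain and, under a simplified model, reports which directories a file watcher needs only `search` on and which need the full `list_dir_perms` set. The permission sets, the constructed directory layout and the rule that only directories holding a link or the final target need read access are assumptions of the example.

```python
import os
import tempfile

# Directory permission sets as the refpolicy macros define them
# (assumption: standard refpolicy search_dir_perms / list_dir_perms).
SEARCH_DIR_PERMS = frozenset({"getattr", "search"})
LIST_DIR_PERMS = frozenset({"getattr", "search", "open", "read", "lock", "ioctl"})


def follow_symlink_chain(path):
    """Every path visited while resolving `path` link by link, target last."""
    chain = [os.path.abspath(path)]
    while os.path.islink(chain[-1]):
        link = chain[-1]
        target = os.readlink(link)
        # A relative link target is interpreted relative to the link's directory.
        target = os.path.normpath(os.path.join(os.path.dirname(link), target))
        if target in chain:
            raise RuntimeError("symlink loop at %s" % target)
        chain.append(target)
    return chain


def dir_perms_for_watch(link_path):
    """Simplified model: directories merely traversed need `search`; the
    directory holding a link or the final target needs list_dir_perms,
    since an inotify watch on a directory needs read access to it."""
    perms = {}
    for p in follow_symlink_chain(link_path):
        d = os.path.dirname(p)
        perms.setdefault(d, set()).update(LIST_DIR_PERMS)
        while d != "/":
            d = os.path.dirname(d)
            perms.setdefault(d, set()).update(SEARCH_DIR_PERMS)
    return perms


def demo():
    """Build a constructed resolved-style layout in a temp dir and analyse it.
    Returns (chain, perms) with paths relative to the temp root."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "run", "systemd", "resolve"))
    target = os.path.join(root, "run", "systemd", "resolve", "stub-resolv.conf")
    with open(target, "w") as f:
        f.write("nameserver 127.0.0.53\n")  # constructed sample content
    link = os.path.join(root, "etc", "resolv.conf")
    os.symlink("../run/systemd/resolve/stub-resolv.conf", link)
    chain = [os.path.relpath(p, root) for p in follow_symlink_chain(link)]
    perms = {os.path.relpath(d, root): sorted(v)
             for d, v in dir_perms_for_watch(link).items()
             if d == root or d.startswith(root + os.sep)}
    return chain, perms


if __name__ == "__main__":
    chain, perms = demo()
    print(" -> ".join(chain))
    for d, v in sorted(perms.items()):
        print("%-28s %s" % (d, " ".join(v)))
```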