feat(fsp): setup RBAC mapping in auth enabled profiles.

apparmor.d/groups/utils/chfn

@@ -15,6 +15,7 @@ profile chfn @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
+  include <mappings/shadow>  #aa:only RBAC
 
   capability audit_write,
   capability chown,

apparmor.d/groups/utils/chsh

@@ -15,6 +15,7 @@ profile chsh @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
+  include <mappings/shadow> #aa:only RBAC
 
   capability audit_write,
   capability chown,

apparmor.d/groups/utils/login

@@ -14,6 +14,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
+  include <mappings/login>  #aa:only RBAC
 
   capability audit_write,
   capability chown,
@@ -38,7 +39,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{shells_path}     rUx,
+  @{shells_path}     Ux, #aa:exclude RBAC
 
   @{etc_ro}/environment r,
   @{etc_ro}/security/group.conf r,

apparmor.d/groups/utils/su

@@ -12,6 +12,7 @@ profile su @{exec_path} {
   include <abstractions/base>
   include <abstractions/app-launcher-root>
   include <abstractions/app/sudo>
+  include <mappings/su>  #aa:only RBAC
 
   capability chown,  # pseudo-terminal
 
@@ -21,8 +22,8 @@ profile su @{exec_path} {
 
   @{exec_path} mr,
 
-  @{bin}/@{shells}     rUx,
-  @{sbin}/nologin      rPx,
+  @{bin}/@{shells}     Ux, #aa:exclude RBAC
+  @{sbin}/nologin      Px,
 
   @{etc_ro}/default/su r,
   /etc/default/locale r,