feat(profiles): better system nss rules in nameservice-strict.

apparmor.d/groups/systemd/systemd-logind

@@ -26,8 +26,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   @{exec_path} mr,
 
   /etc/machine-id r,
-  /etc/nsswitch.conf r,
-  /etc/passwd r,
   /etc/systemd/logind.conf r,
   /etc/systemd/sleep.conf r,
 
@@ -67,9 +65,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   @{run}/systemd/seats/seat[0-9]* rw,
   @{run}/systemd/sessions/{,*}  rw,
   @{run}/systemd/sessions/*.ref rw,
-  @{run}/systemd/userdb/ r,
-  @{run}/systemd/userdb/io.systemd.DynamicUser rw,
-  @{run}/systemd/userdb/io.systemd.Machine     rw,
   @{run}/systemd/users/ rw,
   @{run}/systemd/users/.#* rw,
   @{run}/systemd/users/@{uid} rw,

apparmor.d/groups/systemd/systemd-tmpfiles

@@ -46,7 +46,6 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
   /usr/{,**} rw,
   /var/{,**} rwk,
 
-  @{run}/systemd/userdb/ r,
   @{sys}/devices/system/cpu/microcode/reload w,
 
   @{PROC}/@{pid}/net/unix r,

apparmor.d/groups/systemd/userdbctl

@@ -18,12 +18,9 @@ profile userdbctl @{exec_path} {
   
   /{usr/,}bin/less rPx -> child-pager,
 
-  /etc/group r,
   /etc/shadow r,
   /etc/gshadow r,
 
-  @{run}/systemd/userdb/ r,
-
   @{PROC}/@{pid}/cgroup r,
 
   include if exists <local/userdbctl>