Methinks you need auth_use_nsswitch(). Looks like your code is calling getpw(), which is causing some of these accesses. auth_use_nsswitch() will make you handle all forms of authorization.
Yes, but
It doesn't need any authentication though, and also many other hallmarks of nsswitch are not there, for example reading network config or doing DNS resolving, or creating TCP/UDP sockets.
I believe it's for resolving the UID/GID to usernames/group names in the display. Either way, I have taken your advice, and replaced the passwd / sssd parts with this and it works correctly.
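The replacement discussed above, written out as an added illustration (not the poster's own policy, which is not shown here): a minimal SELinux policy module for a hypothetical daemon domain myapp_t, with the hand-written passwd/sssd rules it is assumed to have had shown commented out beside the single auth_use_nsswitch() interface call that replaces them. The type names, the module name and the "before" rules are constructed for the example; auth_use_nsswitch(), auth_read_passwd() and sssd_stream_connect() are existing refpolicy/Fedora interfaces.

```selinux
# myapp.te (constructed example module, not from the original thread)
policy_module(myapp, 1.0.0)

# Hypothetical daemon domain and its entrypoint type.
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# BEFORE (assumed): per-backend rules collected from AVC denials.
# Each one covers only the lookup path that happened to fire during
# testing, so a host using a different nsswitch.conf backend
# (sssd, ldap, nis, ...) produces fresh denials.
#auth_read_passwd(myapp_t)
#sssd_stream_connect(myapp_t)

# AFTER: let the name service switch interface handle every backend.
# This assigns the nsswitch_domain attribute, which carries the
# permissions the libc lookup functions (getpw*(), getgr*(),
# getaddrinfo()) need, whichever backend is configured.
auth_use_nsswitch(myapp_t)

# Everything else the daemon needs stays explicit and minimal.
logging_send_syslog_msg(myapp_t)
```

Build and load it with the usual `make -f /usr/share/selinux/devel/Makefile myapp.pp` followed by `semodule -i myapp.pp`, then re-run the workload under `ausearch -m AVC -ts recent` to confirm the passwd/sssd denials are gone. One caveat worth knowing when reading the later replies about netlink: glibc's getaddrinfo() opens a NETLINK_ROUTE socket to enumerate local addresses, so a netlink_route_socket access from a program that never touches routing is usually a side effect of a name lookup rather than a sign that the program reads the routing table, and the nsswitch_domain attribute is what accounts for it in the shipped policy.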
Not sure why it needs to create netlink route sockets (I am assuming that in some scenario it might need to read the routing table, but against my own advice I made assumptions).
This is actually a really simple app; the only thing that I wonder about is the details around net_admin and netlink_route_socket. I thought it might have been for iSCSI scenarios, but that's just an assumption.
Again, this may have been one of my mistakes. I have removed that line and it still worked. To eliminate this, I went through and checked that each line of the policy, when removed, now causes a denial, which it does. Here is the "minimised" policy.