Description of problem:
When using "passwd: compat" in /etc/nsswitch.conf, various services need to read /etc/passwd. SELinux denies this, creating a steady stream of denials:

SELinux is preventing dbus-daemon from map access on the file /etc/passwd.
SELinux is preventing sshd from map access on the file /etc/passwd.
...etc...

Here is a summary of what we've had to add to our local policy for this to work:

allow NetworkManager_t passwd_file_t:file map;
allow abrt_dump_oops_t passwd_file_t:file map;
allow abrt_t passwd_file_t:file map;
allow accountsd_t passwd_file_t:file map;
allow automount_t passwd_file_t:file map;
allow avahi_t passwd_file_t:file map;
allow chkpwd_t passwd_file_t:file map;
allow chronyd_t passwd_file_t:file map;
allow colord_t passwd_file_t:file map;
allow cupsd_t passwd_file_t:file map;
allow firewalld_t passwd_file_t:file map;
allow init_t passwd_file_t:file map;
allow mcelog_t passwd_file_t:file map;
allow policykit_auth_t passwd_file_t:file map;
allow policykit_t passwd_file_t:file map;
allow postfix_master_t passwd_file_t:file map;
allow postfix_pickup_t passwd_file_t:file map;
allow postfix_qmgr_t passwd_file_t:file map;
allow rtkit_daemon_t passwd_file_t:file map;
allow setroubleshootd_t passwd_file_t:file map;
allow sshd_t passwd_file_t:file map;
allow sssd_t passwd_file_t:file map;
allow system_dbusd_t passwd_file_t:file map;
allow systemd_logind_t passwd_file_t:file map;
allow systemd_tmpfiles_t passwd_file_t:file map;
allow useradd_t passwd_file_t:file map;
allow xdm_t passwd_file_t:file map;

This is not an complete list. It would depend on how one configures nsswitch.conf beyond "passwd: compat", as well as which services are running.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-283.17.fc27.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Configure "passwd: compat" in /etc/nsswitch.conf
2. Watch the flow of denials

Actual results:
Host becomes practically unusable, e.g. user can't log in.

Expected results:
No denials.