[From nobody Mon Apr 13 17:21:10 2026
Received: (at submit) by bugs.debian.org; 26 Mar 2026 11:26:47 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-15.0 required=4.0 tests=BAYES_00,
 BODY_INCLUDES_PACKAGE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
 DKIM_VALID_EF,FREEMAIL_FROM,HAS_PACKAGE,RCVD_IN_DNSWL_LOW,
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
 RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_PASS,SPF_PASS autolearn=ham
 autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 67; hammy, 142; neutral, 48; spammy,
 1. spammytokens:0.942-+--H*r:bugs.debian.org
 hammytokens:0.000-+--apparmor, 0.000-+--datadir, 0.000-+--apparmord,
 0.000-+--UD:apparmor.d, 0.000-+--apparmor.d
Return-path: &lt;llamaonaskateboard@protonmail.com&gt;
Received: from mail-4321.protonmail.ch ([185.70.43.21]:61959)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from &lt;llamaonaskateboard@protonmail.com&gt;)
 id 1w5irO-004NlP-1h for submit@bugs.debian.org;
 Thu, 26 Mar 2026 11:26:47 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=protonmail3; t=1774524354; x=1774783554;
 bh=hV6JjxGHI/GMbFX8oSzt2ITdJzUYOui63BLWYoold2k=;
 h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date:
 Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector;
 b=AMfKk7IbdoUPs0jHnd89aPqAVGk6C3PTEJ45ei4koBfRf64RMqLk0FMOcPpZyQKgy
 jQd+RDKcpVNWw3W4iTUVBvWtm8lDvqF1SQ8F5w0W9cYL/79hEl1p/w1d1VgbdZNeq9
 Qn90KoyDoI1aROKpZsLTi1wiLDRfuTLOQf3Z7E/J0YtxYsW3UkrE+71M+aixLi8lKC
 ayUv6t/M9NB5N/Rd2vwErOENAqRk7kaiH5Giq9IPUNqxoOlUJNQvc7wjvNMXSMb5T+
 0A3SDauQI9nwBilXJrz/WvW+Gz7vVVhIx7TVOHIoFMC5/lcPNWdObMK8O1f65FkjN0
 Ny/YYLZFkeYug==
Date: Thu, 26 Mar 2026 11:25:48 +0000
To: &quot;submit@bugs.debian.org&quot; &lt;submit@bugs.debian.org&gt;
From: llamaonaskateboard &lt;llamaonaskateboard@protonmail.com&gt;
Subject: mariadb-server: apparmor denies wsrep_sst_mariabackup
Message-ID: &lt;0UHkndJlT6Hhd_QPqg_9MtdcYmYO9Ezw2GSw5pPZl7CUSc9SoIumAO5kPZ5x1v3WBzrDunuVPxOZDzd2tb_3cFmfv0kXxvnsPGzVnMq3sX0=@protonmail.com&gt;
Feedback-ID: 25600108:user:proton
X-Pm-Message-ID: c7eaa032633d29ea59b1083b6313e9ccca9ec41f
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Delivered-To: submit@bugs.debian.org

Package: mariadb-server
Version: 1:11.8.6-4
Severity: important

The new apparmor profile denies wsrep_sst_mariabackup from executing which =
prevents galera cluster nodes from starting.

2026-03-26T02:56:51.771670+00:00 hostname kernel: audit: type=3D1400 audit(=
1774493811.732:20066): apparmor=3D&quot;DENIED&quot; operation=3D&quot;exec&quot; class=3D&quot;file=
&quot; profile=3D&quot;mariadbd&quot; name=3D&quot;/usr/bin/dash&quot; pid=3D2324376 comm=3D&quot;mariadb=
d&quot; requested_mask=3D&quot;x&quot; denied_mask=3D&quot;x&quot; fsuid=3D111 ouid=3D0
2026-03-26T02:56:51.771678+00:00 hostname kernel: audit: type=3D1400 audit(=
1774493811.732:20067): apparmor=3D&quot;DENIED&quot; operation=3D&quot;exec&quot; class=3D&quot;file=
&quot; profile=3D&quot;mariadbd&quot; name=3D&quot;/usr/bin/dash&quot; pid=3D2324376 comm=3D&quot;mariadb=
d&quot; requested_mask=3D&quot;x&quot; denied_mask=3D&quot;x&quot; fsuid=3D111 ouid=3D0
2026-03-26T02:56:51.771777+00:00 hostname mariadbd[2324038]: 2026-03-26 02:=
56:51 2 [Note] WSREP: Cert index reset to 00000000-0000-0000-0000-000000000=
000:-1 (proto: 11), state transfer needed: yes
2026-03-26T02:56:51.771883+00:00 hostname mariadbd[2324038]: 2026-03-26 02:=
56:51 0 [Note] WSREP: Service thread queue flushed.
2026-03-26T02:56:51.771985+00:00 hostname mariadbd[2324038]: 2026-03-26 02:=
56:51 2 [Note] WSREP: ####### Assign initial position for certification: 00=
000000-0000-0000-0000-000000000000:-1, protocol version: -1
2026-03-26T02:56:51.772083+00:00 hostname mariadbd[2324038]: 2026-03-26 02:=
56:51 2 [Note] WSREP: State transfer required:
2026-03-26T02:56:51.772160+00:00 hostname mariadbd[2324038]: #011Group stat=
e: a575af7d-33d3-11eb-8be7-4b7799bfb483:65238730
2026-03-26T02:56:51.772200+00:00 hostname mariadbd[2324038]: #011Local stat=
e: a575af7d-33d3-11eb-8be7-4b7799bfb483:65238480
2026-03-26T02:56:51.772241+00:00 hostname mariadbd[2324038]: 2026-03-26 02:=
56:51 2 [Note] WSREP: Server status change connected -&gt; joiner
2026-03-26T02:56:51.772276+00:00 hostname mariadbd[2324038]: 2026-03-26 02:=
56:51 0 [Note] WSREP: Joiner monitor thread started to monitor
2026-03-26T02:56:51.772313+00:00 hostname mariadbd[2324038]: 2026-03-26 02:=
56:51 0 [Note] WSREP: Running: 'wsrep_sst_mariabackup --role 'joiner' --add=
ress 'x.x.x.x' --datadir '/var/lib/mysql/' --parent 2324038 --progress 0 --=
mysqld-args --wsrep_start_position=3Da575af7d-33d3-11eb-8be7-4b7799bfb483:6=
5238480'
2026-03-26T02:56:51.772349+00:00 hostname mariadbd[2324038]: 2026-03-26 02:=
56:51 0 [ERROR] WSREP: posix_spawnp(wsrep_sst_mariabackup --role 'joiner' -=
-address 'x.x.x.x' --datadir '/var/lib/mysql/' --parent 2324038 --progress =
0 --mysqld-args --wsrep_start_position=3Da575af7d-33d3-11eb-8be7-4b7799bfb4=
83:65238480) failed: 13 (Permission denied)
2026-03-26T02:56:51.772848+00:00 hostname mariadbd[2324038]: 260326 02:56:5=
1 [ERROR] /usr/sbin/mariadbd got signal 11 ;
2026-03-26T02:56:51.772947+00:00 hostname mariadbd[2324038]: Sorry, we prob=
ably made a mistake, and this is a bug.

Adding the following to /etc/apparmor.d/local/mariadbd allows startup again=
:
/{,usr/}bin/{bash,dash,sh} ix, # copied from Xorg profile
/usr/bin/wsrep_sst_mariabackup ux,

Inherit (ix) doesn't work for wsrep_sst_mariabackup as all the various call=
s within the script (eg. bash, dirname, wsrep_sst_common, etc.) would also =
need adding to the mariadb profile.
This may not be a good workaround from a security perspective.
]