[debian-mysql] cqrlog modifies MySQL apparmor profile in postinst

Clint Byrum spamaps at debian.org
Tue Mar 10 17:25:07 UTC 2015


Excerpts from Robie Basak's message of 2015-03-10 05:36:00 -0700:
> On Fri, Mar 06, 2015 at 03:16:30PM +0100, Norvald H. Ryeng wrote:
> > I've noticed that cqrlog's postinst script runs cqrlog-apparmor-fix [1],  
> > which modifies /etc/apparmor.d/usr.sbin.mysqld. The change is simple, it's  
> > just adding one line to the end of the file:
> > 
> >      @{HOME}/.config/cqrlog/database/** rwk,
> 
> > The file is a config file in the mysql-server-5.5 package, so dpkg will  
> > ask the user what to do when that package is upgraded and contains a new  
> > version of the file. This leaves it to the user to resolve a conflict  
> > introduced by package maintainers. It's not a very critical bug, but it's  
> > a bit annoying.
> 
> I believe this should be filed as a bug in cqrlog. Packages shouldn't be
> automatically modifying conffiles that they do not own.
> 

+1 this is a policy violation.

> > Can we find a more elegant solution to this? There's an #include directive  
> > at the bottom of the apparmor file (commented out, but we could enable  
> > it). Perhaps cqrlog could put its rule there, but I guess it's bad  
> > practice for packages to put anything in /etc/apparmor.d/local. Any other  
> > suggestions?
> 
> It doesn't really harm anyone to just ship that line in our AppArmor
> profile. I believe that's the general approach that Ubuntu has been
> taking to AppArmor profiles, anyway.

Agree, let's just do that, once cqrlog agrees.

However, there's actual code in the program that modifies it, not just
the postinst. I wonder if a simpler answer might be to have the AppArmor
policy adapt to wherever the datadir is somehow, as that will help users
who want to host multiple mysqlds on one box do that (though I'd argue
the way to do that is just with containers).
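
An added example, not part of the original message or of either package: one way to check whether a conffile such as the MySQL AppArmor profile still matches the checksum dpkg recorded for it, and to list the lines that were added. The function names, the demo file contents and the temporary paths are assumptions constructed for illustration; the listing format is the one printed by `dpkg-query -W -f='${Conffiles}\n' <package>`.

```shell
#!/bin/sh
# conffile_state LISTING PATH
#   LISTING: lines of " <path> <md5sum>[ obsolete]" as printed by
#            dpkg-query -W -f='${Conffiles}\n' <package>
#   Prints: unmodified | modified | missing | untracked
conffile_state() {
    listing=$1
    path=$2
    # Look up the md5sum dpkg recorded for this exact path.
    recorded=$(printf '%s\n' "$listing" |
        awk -v p="$path" '$1 == p { print $2; exit }')
    if [ -z "$recorded" ]; then echo untracked; return 0; fi
    if [ ! -f "$path" ]; then echo missing; return 0; fi
    actual=$(md5sum "$path" | awk '{ print $1 }')
    if [ "$actual" = "$recorded" ]; then
        echo unmodified
    else
        echo modified
    fi
}

# added_lines PRISTINE CURRENT
#   Prints lines present in CURRENT but not in the pristine packaged copy.
added_lines() {
    # diff exits 1 when the files differ; only exit status 2 is an error.
    { diff "$1" "$2" || [ "$?" -eq 1 ]; } | sed -n 's/^> //p'
}

# Demo on constructed data (a stand-in file, not the real profile): record
# the pristine checksum, then append one rule the way the thread describes.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed stand-in for the packaged profile' \
        '/var/lib/mysql/** rwk,' > "$d/pristine"
    cp "$d/pristine" "$d/profile"
    listing=" $d/profile $(md5sum "$d/pristine" | awk '{ print $1 }')"
    printf '%s\n' '@{HOME}/.config/cqrlog/database/** rwk,' >> "$d/profile"
    echo "state: $(conffile_state "$listing" "$d/profile")"
    echo "added: $(added_lines "$d/pristine" "$d/profile")"
    rm -rf "$d"
}
demo
```

On a Debian system the listing argument would come from `dpkg-query` for the package named in the thread (mysql-server-5.5) and the path would be /etc/apparmor.d/usr.sbin.mysqld.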


