[debian-mysql] Bug#865534: confirmed / steps / clarification
Faustin Lammler
faustin at mariadb.org
Tue May 29 17:18:29 BST 2018
I can confirm the problem and I am able to reproduce it.
Steps:
1/ on jessie, install mariadb-server and apparmor
2/ enable apparmor (on fresh jessie, it is not enabled by default for
mysqld):
https://wiki.debian.org/AppArmor/HowToUse?action=show&redirect=AppArmor%2FHowTo#Enable_AppArmor
3/ replace commented profile '/etc/apparmor.d/usr.sbin.mysqld' with
https://salsa.debian.org/mariadb-team/mariadb-10.1/blob/stretch/support-files/policy/apparmor/usr.sbin.mysqld
4/ create empty file '/etc/apparmor.d/local/usr.sbin.mysqld'
5/ activate profile:
$ sudo aa-enforce mysqld
Setting /usr/sbin/mysqld to enforce mode.
6/ upgrade to stretch
> So this needs to be fixed:
> 1) Make sure the old AppArmor profile isn't loaded anymore.
Disabling arbitrarily mysqld apparmor profile when it as been enabled
may be considered as a security issue and it is clearly a lack of
transparency to the user. So I think this is something that we can not
do automatically during postinstall.
> 3) Reload the AppArmor profile afterwards.
By default, apparmor is now disabled for newer version of MariaDB
(https://salsa.debian.org/mariadb-team/mariadb-10.1/blob/stretch/debian/apparmor-profile)
But again for old installation, this decision belongs to the user.
Regarding the workaround, I am not an apparmor expert but I think this
is a cleaner way:
$ sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
Verify:
$ sudo aa-status
Finalize mariadb-server upgrade:
$ sudo dpkg --configure mariadb-server
For people who want to keep apparmor mysqld profile running, I would
suggest editing the local profile
'/etc/apparmor.d/local/usr.sbin.mysqld' to their needs:
- https://blogs.oracle.com/jsmyth/apparmor-and-mysql
- https://bugs.launchpad.net/ourdelta/+bug/491349
> 2) A message should be printed that this mighht take a while and to be
> patient.
This is a good suggestion and I will check if it is not already on our
todo list for the next release.
> I suspect this is AppArmor-related. However, the resolution
> instructions are also wrong, referencing /usr/scripts/scripts.
Message resolution suggestion and detection is really not an easy thing,
and in that case, I see another problem, path is wrong. I have opened an
issue on our bug tracking system (https://jira.mariadb.org/browse/MDEV-16321).
More information about the pkg-mysql-maint
mailing list