[debian-mysql] Bug#1131938: mariadb-server: apparmor denies wsrep_sst_mariabackup
Otto Kekäläinen
otto at debian.org
Fri Apr 3 15:27:10 BST 2026
> Adding the following to /etc/apparmor.d/local/mariadbd allows startup again:
> /{,usr/}bin/{bash,dash,sh} ix, # copied from Xorg profile
> /usr/bin/wsrep_sst_mariabackup ux,
Thanks for reporting!
Indeed, AppArmor for Galera is problematic as it seems to call Dash
and from there do various shell commands. As discussed in
https://optimizedbyotto.com/post/new-apparmor-profile-for-mariadb/ we
intentionally left Dash out of the profile to not make it too broad.
Adding `/{,usr/}bin/{bash,dash,sh} ix` now would make AppArmor
somewhat moot. However blocking Galera recovery and bootstrapping
isn't nice either..
Ideas welcome!
More information about the pkg-mysql-maint
mailing list