[debian-mysql] Bug#1132027: mariadb-server: MariaDB doesn't start anymore with enforcing Apparmor profile
Stephan Seitz
stse+debianbugs at rootsland.net
Sat Apr 4 20:22:05 BST 2026
Hi Otto!
On Fri, Apr 03, 2026 at 23:37:00 +0900, Otto Kekäläinen wrote:
>> With the following lines in /etc/apparmor.d/local/mariadb MariaDB is
>> starting in enforce mode:
>>
>> capability sys_resource,
>> capability dac_read_search,
>> capability dac_override,
>> capability setgid,
>> capability setuid,
>>
>> Maybe they are needed for sysvinit user.
>
>Thanks for reporting!
>
>Are you sure every one of those are needed? Did you test those lines
>individually or just added all at once?
Well, the first three came from the apparmor log included in the bug
report.
After that the write error was gone, but the DB wouldn’t start (missing
setgid). After that it wouldn’t start (missing setuid). So at least the
last two are needed.
I don’t know if some of the first three are not really needed. I simply
added all apparmor errors.
>Based on the logs you shared in
>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132027 the server
>fails to start as it is unable to read the data directory
>/var/lib/mysql, which is the standard data directory and this type of
>failure is a bit surprising as we surely tested it before rolling out
It is really surprising because apparmor doesn’t log anything with
read/write errors.
>the change. Could it be that you have something additional customized
>in your MariaDB or general Debian settings?
Nope. Another system had the same problem without any customized
settings.
Did you test with sysvinit as well? The two systems with this bug are all
sysvinit/elogind systems.
Happy Easter
Stephan
--
| If your life was a horse, you'd have to shoot it. |
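
Added example, not part of the original message or of the Debian package: a small parser that pulls the capability denials for one AppArmor profile out of the kernel audit log and prints them as candidate lines for /etc/apparmor.d/local/mariadb. The profile name `mariadbd`, the helper names and every log line below are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit lines (profile name, PIDs, timestamps are made up).
SAMPLE_LOG = '''\
audit: type=1400 audit(1775330000.101:51): apparmor="DENIED" operation="capable" class="cap" profile="mariadbd" pid=2101 comm="mariadbd" capability=24 capname="sys_resource"
audit: type=1400 audit(1775330000.102:52): apparmor="DENIED" operation="capable" class="cap" profile="mariadbd" pid=2101 comm="mariadbd" capability=2 capname="dac_read_search"
audit: type=1400 audit(1775330000.103:53): apparmor="DENIED" operation="capable" class="cap" profile="mariadbd" pid=2101 comm="mariadbd" capability=1 capname="dac_override"
audit: type=1400 audit(1775330000.104:54): apparmor="DENIED" operation="capable" class="cap" profile="mariadbd" pid=2101 comm="mariadbd" capability=1 capname="dac_override"
audit: type=1400 audit(1775330040.200:60): apparmor="DENIED" operation="capable" class="cap" profile="mariadbd" pid=2150 comm="mariadbd" capability=6 capname="setgid"
audit: type=1400 audit(1775330090.300:66): apparmor="ALLOWED" operation="capable" class="cap" profile="mariadbd" pid=2199 comm="mariadbd" capability=7 capname="setuid"
audit: type=1400 audit(1775330095.400:70): apparmor="DENIED" operation="capable" class="cap" profile="cupsd" pid=900 comm="cupsd" capability=12 capname="net_admin"
audit: type=1400 audit(1775330099.500:71): apparmor="DENIED" operation="open" class="file" profile="mariadbd" name="/tmp/example" pid=2101 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key=value or key="value" pairs as they appear in audit records
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(line):
    """Return the key/value pairs of one audit line, quotes stripped."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def capability_events(log_text, profile, verdicts=("DENIED",)):
    """Count capability events for `profile`.

    DENIED is logged in enforce mode; pass ("DENIED", "ALLOWED") to also
    count what a complain-mode profile would have blocked.
    """
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if (fields.get("operation") == "capable"
                and fields.get("profile") == profile
                and fields.get("apparmor") in verdicts
                and "capname" in fields):
            counts[fields["capname"]] += 1
    return counts


def local_rules(counts):
    """Render the counted capabilities as AppArmor rule lines."""
    return [f"capability {name}," for name in sorted(counts)]


if __name__ == "__main__":
    print("\n".join(local_rules(capability_events(SAMPLE_LOG, "mariadbd"))))
```

Because a failed start can hide later denials, the log only shows the capabilities requested up to the point of failure; rerunning the parser after each added rule, one rule at a time, shows which lines are individually required.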