[debian-mysql] Bug#1131938: mariadb-server: apparmor denies wsrep_sst_mariabackup

llamaonaskateboard llamaonaskateboard at protonmail.com
Thu Mar 26 11:25:48 GMT 2026


Package: mariadb-server
Version: 1:11.8.6-4
Severity: important

The new AppArmor profile denies wsrep_sst_mariabackup from executing, which prevents Galera cluster nodes from starting.

2026-03-26T02:56:51.771670+00:00 hostname kernel: audit: type=1400 audit(1774493811.732:20066): apparmor="DENIED" operation="exec" class="file" profile="mariadbd" name="/usr/bin/dash" pid=2324376 comm="mariadbd" requested_mask="x" denied_mask="x" fsuid=111 ouid=0
2026-03-26T02:56:51.771678+00:00 hostname kernel: audit: type=1400 audit(1774493811.732:20067): apparmor="DENIED" operation="exec" class="file" profile="mariadbd" name="/usr/bin/dash" pid=2324376 comm="mariadbd" requested_mask="x" denied_mask="x" fsuid=111 ouid=0
2026-03-26T02:56:51.771777+00:00 hostname mariadbd[2324038]: 2026-03-26 02:56:51 2 [Note] WSREP: Cert index reset to 00000000-0000-0000-0000-000000000000:-1 (proto: 11), state transfer needed: yes
2026-03-26T02:56:51.771883+00:00 hostname mariadbd[2324038]: 2026-03-26 02:56:51 0 [Note] WSREP: Service thread queue flushed.
2026-03-26T02:56:51.771985+00:00 hostname mariadbd[2324038]: 2026-03-26 02:56:51 2 [Note] WSREP: ####### Assign initial position for certification: 00000000-0000-0000-0000-000000000000:-1, protocol version: -1
2026-03-26T02:56:51.772083+00:00 hostname mariadbd[2324038]: 2026-03-26 02:56:51 2 [Note] WSREP: State transfer required:
2026-03-26T02:56:51.772160+00:00 hostname mariadbd[2324038]: #011Group state: a575af7d-33d3-11eb-8be7-4b7799bfb483:65238730
2026-03-26T02:56:51.772200+00:00 hostname mariadbd[2324038]: #011Local state: a575af7d-33d3-11eb-8be7-4b7799bfb483:65238480
2026-03-26T02:56:51.772241+00:00 hostname mariadbd[2324038]: 2026-03-26 02:56:51 2 [Note] WSREP: Server status change connected -> joiner
2026-03-26T02:56:51.772276+00:00 hostname mariadbd[2324038]: 2026-03-26 02:56:51 0 [Note] WSREP: Joiner monitor thread started to monitor
2026-03-26T02:56:51.772313+00:00 hostname mariadbd[2324038]: 2026-03-26 02:56:51 0 [Note] WSREP: Running: 'wsrep_sst_mariabackup --role 'joiner' --address 'x.x.x.x' --datadir '/var/lib/mysql/' --parent 2324038 --progress 0 --mysqld-args --wsrep_start_position=a575af7d-33d3-11eb-8be7-4b7799bfb483:65238480'
2026-03-26T02:56:51.772349+00:00 hostname mariadbd[2324038]: 2026-03-26 02:56:51 0 [ERROR] WSREP: posix_spawnp(wsrep_sst_mariabackup --role 'joiner' --address 'x.x.x.x' --datadir '/var/lib/mysql/' --parent 2324038 --progress 0 --mysqld-args --wsrep_start_position=a575af7d-33d3-11eb-8be7-4b7799bfb483:65238480) failed: 13 (Permission denied)
2026-03-26T02:56:51.772848+00:00 hostname mariadbd[2324038]: 260326 02:56:51 [ERROR] /usr/sbin/mariadbd got signal 11 ;
2026-03-26T02:56:51.772947+00:00 hostname mariadbd[2324038]: Sorry, we probably made a mistake, and this is a bug.

Adding the following to /etc/apparmor.d/local/mariadbd allows startup again:
/{,usr/}bin/{bash,dash,sh} ix, # copied from Xorg profile
/usr/bin/wsrep_sst_mariabackup ux,

Inherit (ix) doesn't work for wsrep_sst_mariabackup, as all the various calls within the script (e.g. bash, dirname, wsrep_sst_common, etc.) would also need adding to the mariadb profile.
This may not be a good workaround from a security perspective.
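
Added example, not part of the original report or of the Debian packaging: a small Python triage script that summarises AppArmor denials like the ones logged above and flags unconfined exec transitions (ux/Ux) in a local override such as the one proposed. The sample inputs are abridged from the report, and the function names are hypothetical.

```python
import re
from collections import Counter

# key=value or key="value" pairs as they appear in kernel audit records
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# "<path> <perms>," rule form, as used in the local override in the report
RULE = re.compile(r'^(\S+)\s+(\w+)\s*,$')

# Sample input abridged from the report (two denials plus one unrelated line).
SAMPLE_LOG = '''\
hostname kernel: audit: type=1400 audit(1774493811.732:20066): apparmor="DENIED" operation="exec" class="file" profile="mariadbd" name="/usr/bin/dash" pid=2324376 comm="mariadbd" requested_mask="x" denied_mask="x" fsuid=111 ouid=0
hostname kernel: audit: type=1400 audit(1774493811.732:20067): apparmor="DENIED" operation="exec" class="file" profile="mariadbd" name="/usr/bin/dash" pid=2324376 comm="mariadbd" requested_mask="x" denied_mask="x" fsuid=111 ouid=0
hostname mariadbd[2324038]: 2026-03-26 02:56:51 2 [Note] WSREP: Server status change connected -> joiner
'''

# The two rules proposed in the report for /etc/apparmor.d/local/mariadbd.
SAMPLE_LOCAL = '''\
/{,usr/}bin/{bash,dash,sh} ix, # copied from Xorg profile
/usr/bin/wsrep_sst_mariabackup ux,
'''

def parse_denials(log_text):
    """Count denials grouped by (profile, operation, name, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
             for m in KV.finditer(line)}
        if f.get("apparmor") != "DENIED":
            continue  # not an AppArmor denial record
        counts[(f.get("profile"), f.get("operation"),
                f.get("name"), f.get("denied_mask"))] += 1
    return counts

def unconfined_exec_rules(profile_text):
    """Return (path, perms) for rules whose exec mode leaves confinement."""
    hits = []
    for line in profile_text.splitlines():
        rule = line.split("#", 1)[0].strip()  # drop trailing comments
        m = RULE.match(rule)
        if m and re.search(r"[uU]x", m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for key, n in parse_denials(SAMPLE_LOG).items():
        print(n, *key)
    for path, perms in unconfined_exec_rules(SAMPLE_LOCAL):
        print("unconfined exec rule:", path, perms)
```
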


