apparmor profile: allow read on /proc/sys/kernel/random/boot_id

Bug #1880109 reported by Thomas
This bug affects 1 person
Affects: mysql-8.0 (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

I get the following kernel message:

May 22 08:11:49 srv1 kernel: [29050.927299] audit: type=1400 audit(1590135109.257:99): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/sys/kernel/random/boot_id" pid=9559 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

It could be easy to fix it:

--- /tmp/usr.sbin.mysqld 2020-05-22 08:21:49.698953104 +0000
+++ /etc/apparmor.d/usr.sbin.mysqld 2020-05-22 08:15:54.180942772 +0000
@@ -11,6 +11,7 @@

 # Allow system resource access
   /proc/*/status r,
+ /proc/sys/kernel/random/boot_id r,
   /sys/devices/system/cpu/ r,
   /sys/devices/system/node/ r,
   /sys/devices/system/node/** r,
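
Review bot: The added `/proc/sys/kernel/random/boot_id r,` line is indented with one space while the neighbouring rules under "Allow system resource access" use three, so it should be aligned with them. The rule itself is read-only on one exact path, which is the narrow form to keep; a short comment above it saying that mysqld opens boot_id at startup would tell later readers of the profile why the entry exists.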

And replace the current profile with:
apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld

It would be nice to include this fix in the current version.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: mysql-server 8.0.20-0ubuntu0.20.04.1
ProcVersionSignature: Ubuntu 5.4.0-31.35-generic 5.4.34
Uname: Linux 5.4.0-31-generic x86_64
ApportVersion: 2.20.11-0ubuntu27
Architecture: amd64
CasperMD5CheckResult: pass
Date: Fri May 22 08:18:37 2020
InstallationDate: Installed on 2020-05-01 (20 days ago)
InstallationMedia: Ubuntu-Server 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
Logs.var.log.daemon.log:

MySQLConf.etc.mysql.conf.d.mysql.cnf: [mysql]
MySQLConf.etc.mysql.conf.d.mysqldump.cnf:
 [mysqldump]
 quick
 quote-names
 max_allowed_packet = 16M
MySQLVarLibDirListing: ['#ib_16384_0.dblwr', 'binlog.000007', 'client-key.pem', 'binlog.000001', 'test', 'undo_001', 'debian-5.7.flag', 'ca.pem', 'binlog.000010', 'performance_schema', 'public_key.pem', 'undo_002', 'debian-5.5.flag', 'server-cert.pem', 'binlog.000006', 'client-cert.pem', 'mysql_upgrade_info', 'mysql', '#ib_16384_1.dblwr', 'binlog.000011', 'ibtmp1', 'topackt', 'binlog.000003', 'binlog.000004', 'ib_buffer_pool', '#innodb_temp', 'auto.cnf', 'private_key.pem', 'ib_logfile0', 'ib_logfile1', 'binlog.index', 'binlog.000005', 'mysql.ibd', 'sys', 'ca-key.pem', 'phpmyadmin', 'ibdata1', 'binlog.000008', 'binlog.000009', 'binlog.000002', 'server-key.pem', 'proftpd', 'srv1.pid']
PackageArchitecture: all
ProcEnviron:
 TERM=screen.xterm-256color
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: mysql-8.0
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.apparmor.d.usr.sbin.mysqld: [modified]
modified.conffile..etc.mysql.mysql.conf.d.mysql.cnf: [modified]
modified.conffile..etc.mysql.mysql.conf.d.mysqld.cnf: [modified]
mtime.conffile..etc.apparmor.d.usr.sbin.mysqld: 2020-05-22T08:15:54.180943
mtime.conffile..etc.mysql.mysql.conf.d.mysql.cnf: 2020-05-22T08:11:39.057082
mtime.conffile..etc.mysql.mysql.conf.d.mysqld.cnf: 2020-05-22T08:10:42.401548
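
The step from the kernel message above to a profile rule can be scripted. The following is an added example, not part of the original report or of the AppArmor tools: it parses DENIED records, groups repeats, and prints one candidate rule per path for review. The function names are illustrative, and every sample line except the first (copied from the report) is constructed.

```python
import re
from collections import Counter

# key=value pairs in an audit record; values are "quoted" or bare tokens
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        value = bare if bare else quoted
        # The audit subsystem writes a path containing spaces or control
        # characters as bare hex instead of a quoted string; decode name=.
        if key == "name" and bare and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields

def candidate_rules(lines):
    """Group file denials; return sorted (profile, rule, count) tuples."""
    counts = Counter()
    for line in lines:
        f = parse_denial(line)
        if not f or not f.get("name", "").startswith("/"):
            continue
        mask = f.get("denied_mask", "")
        # Only masks made of profile permission letters become a rule here;
        # anything else is left for manual review.
        if mask and set(mask) <= set("rwaklm"):
            path = f'"{f["name"]}"' if " " in f["name"] else f["name"]
            counts[(f.get("profile", "?"), f"{path} {mask},")] += 1
    return [(p, r, n) for (p, r), n in sorted(counts.items())]

TAIL = ' pid=9601 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
HEAD = ' apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name='
SAMPLE = [  # first line is the record from the report; the rest are constructed
    'May 22 08:11:49 srv1 kernel: [29050.927299] audit: type=1400 audit(1590135109.257:99): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/sys/kernel/random/boot_id" pid=9559 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'May 22 08:12:03 srv1 kernel: [29064.1] audit: type=1400 audit(1590135123.431:100):' + HEAD + '"/proc/sys/kernel/random/boot_id"' + TAIL,
    'May 22 08:12:04 srv1 kernel: [29065.0] audit: type=1400 audit(1590135124.000:101):' + HEAD + "/srv/my db/x.cnf".encode().hex().upper() + TAIL,
    'May 22 08:12:05 srv1 systemd[1]: Started MySQL Community Server.',
]

if __name__ == "__main__":
    for profile, rule, n in candidate_rules(SAMPLE):
        print(f"{profile}: {rule}  # denied {n}x")
```

The output is a list to read before editing a profile, not something to apply automatically.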

Revision history for this message
Thomas (t.c) wrote :
summary: - apparmor profile allow read on /proc/sys/kernel/random/boot_id
+ apparmor profile: allow read on /proc/sys/kernel/random/boot_id
Changed in mysql-8.0 (Ubuntu):
status: New → Confirmed