AppArmor profile included doesn't allow mysql to bind to winbind socket

Bug #306886 reported by Márcio Santos
Affects                   Status         Importance   Assigned to        Milestone
mysql-dfsg-5.0 (Ubuntu)   Fix Released   Undecided    Jamie Strandboge
Intrepid                  Won't Fix      Undecided    Unassigned

Bug Description

The AppArmor profile included in MySQL Server 5, version 5.0.67-0ubuntu6 doesn't denies mysqld permissions to create socket, resulting in problems with installation of package and use of MySQL.

Details of daemon.log:

Dec 10 15:30:09 avebi01 mysqld_safe[11071]: started
Dec 10 15:30:09 avebi01 mysqld[11074]: 081210 15:30:09 InnoDB: Started; log sequence number 0 43655
Dec 10 15:30:09 avebi01 mysqld[11074]: 081210 15:30:09 [ERROR] Can't create IP socket: Permission denied
Dec 10 15:30:09 avebi01 mysqld[11074]: 081210 15:30:09 [ERROR] Aborting
Dec 10 15:30:09 avebi01 mysqld[11074]:
Dec 10 15:30:09 avebi01 mysqld[11074]: 081210 15:30:09 InnoDB: Starting shutdown...
Dec 10 15:30:10 avebi01 mysqld[11074]: 081210 15:30:10 InnoDB: Shutdown completed; log sequence number 0 43655
Dec 10 15:30:10 avebi01 mysqld[11074]: 081210 15:30:10 [Note] /usr/sbin/mysqld: Shutdown complete
Dec 10 15:30:10 avebi01 mysqld[11074]:
Dec 10 15:30:10 avebi01 mysqld_safe[11095]: ended

Disabling the profile or disabling apparmor solves the problem.

Details of system:

Description: Ubuntu 8.10
Release: 8.10

mysql-server-5.0:
  Installed: 5.0.67-0ubuntu6
  Candidate: 5.0.67-0ubuntu6
  Version table:
 *** 5.0.67-0ubuntu6 0
        500 http://archive.ubuntu.com intrepid/main Packages
        100 /var/lib/dpkg/status

Mathias Gug (mathiaz) wrote : Re: [Bug 306886] [NEW] AppArmor profile included doesn't allow mysql to bind to socket

Hi,

On Wed, Dec 10, 2008 at 03:42:51PM -0000, Márcio Santos wrote:
> The AppArmor profile included in MySQL Server 5, version 5.0.67-0ubuntu6
> doesn't denies mysqld permissions to create socket, resulting in
> problems with installation of package and use of MySQL.
>

Could you post the AppArmor messages from the kernel? You can find them
in dmesg or in /var/log/kern.log.

  status incomplete

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Changed in mysql-dfsg-5.0:
status: New → Incomplete

Márcio Santos (marcio.santos) wrote : Re: AppArmor profile included doesn't allow mysql to bind to socket

It's a little messy and includes entries after I disabled AppArmor for MySQL.

If you want I can purge MySQL and reinstall and give you a clean kern.log...

Dec 10 13:15:20 avebi01 kernel: [ 40.551814] type=1503 audit(1228914920.026:3): operation="socket_create" family="inet" sock_type="stream" protocol=0 pid=5116 profile="/usr/sbin/mysqld"
Dec 10 14:48:16 avebi01 kernel: [ 5617.384400] type=1503 audit(1228920496.804:4): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/var/run/samba/winbindd_privileged/pipe" pid=6389 profile="/usr/sbin/mysqld"
Dec 10 14:48:16 avebi01 kernel: [ 5617.494100] type=1503 audit(1228920496.916:5): operation="socket_create" family="inet" sock_type="stream" protocol=0 pid=6389 profile="/usr/sbin/mysqld"
Dec 10 15:03:21 avebi01 kernel: [ 6521.866269] type=1503 audit(1228921401.284:6): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/var/run/samba/winbindd_privileged/pipe" pid=6814 profile="/usr/sbin/mysqld"
Dec 10 15:03:21 avebi01 kernel: [ 6521.961477] type=1503 audit(1228921401.386:7): operation="socket_create" family="inet" sock_type="stream" protocol=0 pid=6814 profile="/usr/sbin/mysqld"
Dec 10 15:05:06 avebi01 kernel: [ 6627.177932] type=1503 audit(1228921506.596:8): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/var/run/samba/winbindd_privileged/pipe" pid=6930 profile="/usr/sbin/mysqld"
Dec 10 15:05:06 avebi01 kernel: [ 6627.282747] type=1503 audit(1228921506.706:9): operation="socket_create" family="inet" sock_type="stream" protocol=0 pid=6930 profile="/usr/sbin/mysqld"
Dec 10 15:06:39 avebi01 kernel: [ 6720.360944] type=1503 audit(1228921599.777:10): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/var/run/samba/winbindd_privileged/pipe" pid=7216 profile="/usr/sbin/mysqld"
Dec 10 15:06:39 avebi01 kernel: [ 6720.464183] type=1503 audit(1228921599.887:11): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/var/run/samba/winbindd_privileged/pipe" pid=7223 profile="/usr/sbin/mysqld"
Dec 10 15:06:40 avebi01 kernel: [ 6720.831695] type=1503 audit(1228921600.256:12): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/var/run/samba/winbindd_privileged/pipe" pid=7239 profile="/usr/sbin/mysqld"
Dec 10 15:06:40 avebi01 kernel: [ 6721.015246] type=1503 audit(1228921600.434:13): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/var/run/samba/winbindd_privileged/pipe" pid=7250 profile="/usr/sbin/mysqld"
Dec 10 15:06:40 avebi01 kernel: [ 6721.052875] type=1503 audit(1228921600.474:14): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/var/run/samba/winbindd_privileged/pipe" pid=7257 profile="/usr/sbin/mysqld"
Dec 10 15:06:40 avebi01 kernel: [ 6721.090154] type=1503 audit(1228921600.514:15): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/var/run/samba/winbindd_privileged/pipe" pid=7264 profile="/usr/sbin/mysqld"
Dec 10 15:06:40 avebi01 kernel: [ 6721.404047] type=1505 audit(1228921600.826:16): operation="profile_replace" name=...

Tomas Cassidy (tomas-cassidy) wrote :

I can confirm this bug occurring with mysql-server-5.0 and apparmor on Ubuntu 8.04.2. When apparmor was installed, running '/etc/init.d/mysql start' would give errors. After uninstalling apparmor, mysqld started successfully.

WangLu (coolwanglu) wrote :

Confirmed on 9.04 alpha 4 (with updates till today).

I should also mention that I'm running on a 2.6.27-11 kernel, since my Intel graphics card is not well supported.

mysqld would run well after removing apparmor.

Jamie Strandboge (jdstrand) wrote :

Rather than removing apparmor, try adding to mysql's apparmor profile in /etc/apparmor.d/usr.sbin.mysqld:

  /var/run/samba/winbindd_privileged/pipe rw,

Then do:
$ sudo /etc/init.d/apparmor force-reload
$ sudo /etc/init.d/mysql stop
$ sudo /etc/init.d/mysql start

Please report back if this fixes your problem. If not, please post the Apparmor messages from /var/log/kern.log.

Iván Campaña (ivan-campana) wrote :

I have the same problem on Ubuntu 8.10. I added the extra option to the mysql apparmor profile, but the problem still persists: if I deactivate apparmor, mysql starts; otherwise it fails.

The only message that appears during the restart of mysql is the following:

Mar 19 14:22:55 zeus kernel: [15026.996883] type=1503 audit(1237490575.367:92): operation="socket_create" family="inet" sock_type="stream" protocol=0 pid=21713 profile="/usr/sbin/mysqld"

Jamie Strandboge (jdstrand) wrote :

Ivan, can you also add the following to your apparmor profile, and restart it:

network inet stream,
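
The diagnosis steps in this thread (read the type=1503 denials in kern.log, then add the matching line to the profile) can be sketched as a small script. This is an added example, not part of the original comments and not AppArmor's own tooling; the function names and the mapping from denial to candidate rule are assumptions made for illustration.

```python
import re

# Sample input: lines in the format of the kern.log excerpts quoted in this thread;
# the last (type=1505) line is constructed, with a placeholder profile name.
SAMPLE_LOG = """\
Dec 10 14:48:16 avebi01 kernel: [ 5617.384400] type=1503 audit(1228920496.804:4): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/var/run/samba/winbindd_privileged/pipe" pid=6389 profile="/usr/sbin/mysqld"
Dec 10 14:48:16 avebi01 kernel: [ 5617.494100] type=1503 audit(1228920496.916:5): operation="socket_create" family="inet" sock_type="stream" protocol=0 pid=6389 profile="/usr/sbin/mysqld"
Dec 10 15:03:21 avebi01 kernel: [ 6521.961477] type=1503 audit(1228921401.386:7): operation="socket_create" family="inet" sock_type="stream" protocol=0 pid=6814 profile="/usr/sbin/mysqld"
Dec 10 15:06:40 avebi01 kernel: [ 6721.404047] type=1505 audit(1228921600.826:16): operation="profile_replace" name="PLACEHOLDER_PROFILE"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
APPARMOR_DENIED = "1503"  # audit record type of the denials quoted in this thread

def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict (quotes stripped)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def rule_for(fields):
    """Map one denial to a candidate profile line, or None if it is not handled."""
    op = fields.get("operation")
    if op == "socket_create" and "family" in fields and "sock_type" in fields:
        return "network {} {},".format(fields["family"], fields["sock_type"])
    if op == "inode_permission" and "name" in fields and "denied_mask" in fields:
        # denied_mask looks like "w::"; keep only the permission letters.
        perms = "".join(sorted(set(c for c in fields["denied_mask"] if c.isalpha())))
        return "{} {},".format(fields["name"], perms)
    return None

def suggest_rules(log_text):
    """Return {profile: [candidate rule, ...]}, deduplicated, in first-seen order."""
    out = {}
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if fields.get("type") != APPARMOR_DENIED or "profile" not in fields:
            continue  # skip status records such as profile_replace (type=1505)
        rule = rule_for(fields)
        rules = out.setdefault(fields["profile"], [])
        if rule and rule not in rules:
            rules.append(rule)
    return out

if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(profile)
        for rule in rules:
            print("  " + rule)
```

The candidates reflect only the denied mask, so the pipe comes out as `w` where the comment above grants `rw`; review each line before adding it to /etc/apparmor.d/usr.sbin.mysqld.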

Changed in mysql-dfsg-5.0:
assignee: nobody → jdstrand

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.0 - 5.1.30really5.0.75-0ubuntu9

---------------
mysql-dfsg-5.0 (5.1.30really5.0.75-0ubuntu9) jaunty; urgency=low

  * debian/apparmor-profile: add 'network tcp' and access to
    /var/run/samba/winbindd_privileged/pipe (LP: #306886)
  * debian/apparmor-profile: add '/var/log/mysql.log rw' and
    '/var/log/mysql.err rw' (LP: #348532)

 -- Jamie Strandboge <email address hidden> Wed, 25 Mar 2009 11:47:10 -0500

Changed in mysql-dfsg-5.0:
status: Incomplete → Fix Released
Changed in mysql-dfsg-5.0:
status: New → Triaged

Chuck Short (zulcss) wrote :

Since Intrepid has reached EOL I am going to close this SRU request.

regards
chuck

Changed in mysql-dfsg-5.0 (Ubuntu Intrepid):
status: Triaged → Won't Fix