missing apparmor access rule

Bug #444479 reported by Juri Haberland
This bug affects 21 people
Affects: mysql-dfsg-5.1 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Testing with mysql-server-5.1 5.1.37-1ubuntu4 on Karmic Beta1, I get the following error message in /var/log/syslog after starting mysqld:
kernel: [86913.526900] type=1503 audit(1254826475.203:56): operation="open" pid=19633 parent=19632 profile="/usr/sbin/mysqld" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/devices/system/cpu/"

Adding " /sys/devices/system/cpu/ r," to /etc/apparmor.d/usr.sbin.mysqld fixes this problem.

Tags: apparmor
Thierry Carrez (ttx) wrote :

Does this failure affect mysqld behavior, apart from logging this line to syslog?

Changed in mysql-dfsg-5.1 (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Juri Haberland (haberland) wrote :

No, not that I have noticed. Mysqld seems to access /proc/stat if /sys/devices/system/cpu/ is not accessible.

Chuck Short (zulcss) wrote :

Can you add the following to your /etc/apparmor.d/usr.sbin.mysqld:

deny /sys/devices/system/cpu/ r,

Regards
chuck

Scott Dylewski (scott-dylewski) wrote :

I get long delays in my boot process just around this error:

Oct 7 09:37:11 maxwell kernel: [ 13.893332] input: HDA Digital PCBeep as /devices/pci0000:00/0000:00:1b.0/input/input8
Oct 7 09:37:11 maxwell kernel: [ 15.370647] __ratelimit: 9 callbacks suppressed
Oct 7 09:37:11 maxwell kernel: [ 15.370658] type=1505 audit(1254933431.270:13): operation="profile_replace" pid=821 name=/usr/share/gdm/guest-session/Xsession
Oct 7 09:37:11 maxwell kernel: [ 15.375305] type=1505 audit(1254933431.274:14): operation="profile_replace" pid=822 name=/sbin/dhclient3
Oct 7 09:37:11 maxwell kernel: [ 15.376137] type=1505 audit(1254933431.278:15): operation="profile_replace" pid=822 name=/usr/lib/NetworkManager/nm-dhcp-client.action
Oct 7 09:37:11 maxwell kernel: [ 15.376627] type=1505 audit(1254933431.278:16): operation="profile_replace" pid=822 name=/usr/lib/connman/scripts/dhclient-script
Oct 7 09:37:11 maxwell kernel: [ 15.386835] type=1505 audit(1254933431.286:17): operation="profile_replace" pid=823 name=/usr/bin/evince
Oct 7 09:37:16 maxwell kernel: [ 15.398664] type=1505 audit(1254933431.298:18): operation="profile_replace" pid=823 name=/usr/bin/evince-previewer
Oct 7 09:37:16 maxwell kernel: [ 15.405706] type=1505 audit(1254933431.306:19): operation="profile_replace" pid=823 name=/usr/bin/evince-thumbnailer
Oct 7 09:37:16 maxwell kernel: [ 15.432473] type=1505 audit(1254933431.334:20): operation="profile_replace" pid=825 name=/usr/lib/cups/backend/cups-pdf
Oct 7 09:37:16 maxwell kernel: [ 15.433545] type=1505 audit(1254933431.334:21): operation="profile_replace" pid=825 name=/usr/sbin/cupsd
Oct 7 09:37:16 maxwell kernel: [ 15.438651] type=1505 audit(1254933431.338:22): operation="profile_replace" pid=826 name=/usr/sbin/mysqld
Oct 7 09:37:19 maxwell kernel: [ 20.729191] tg3 0000:02:00.0: PME# disabled
Oct 7 09:37:19 maxwell kernel: [ 20.729470] alloc irq_desc for 29 on node -1
Oct 7 09:37:19 maxwell kernel: [ 20.729479] alloc kstat_irqs on node -1
Oct 7 09:37:19 maxwell kernel: [ 20.729560] tg3 0000:02:00.0: irq 29 for MSI/MSI-X
Oct 7 09:37:19 maxwell kernel: [ 20.791928] ADDRCONF(NETDEV_UP): eth0: link is not ready
Oct 7 09:37:19 maxwell kernel: [ 22.989336] __ratelimit: 3 callbacks suppressed
Oct 7 09:37:19 maxwell kernel: [ 22.989345] type=1503 audit(1254933438.890:24): operation="open" pid=1126 parent=1125 profile="/usr/sbin/mysqld" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/devices/system/cpu/"
Oct 7 09:37:49 maxwell kernel: [ 23.832901] type=1503 audit(1254933439.734:25): operation="open" pid=1149 parent=1148 profile="/usr/sbin/mysqld" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/devices/system/cpu/"
Oct 7 09:37:49 maxwell kernel: [ 24.428913] type=1503 audit(1254933440.330:26): operation="open" pid=1264 parent=1156 profile="/usr/sbin/mysqld" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/devices/system/cpu/"
Oct 7 09:37:52 maxwell kernel: [ 53.437479] type=1503 audit(1254933469.339:27): operation="open" pid=1270 parent=1269 profile="/usr/sbin/mysqld" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/devi...


Juri Haberland (haberland) wrote :

Using

deny /sys/devices/system/cpu/ r,

seems to just suppress the message but makes no difference to functionality (access to /sys/devices/system/cpu/ is denied and /proc/stat accessed instead).
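
Added example, not part of the original thread or of the mysql-dfsg-5.1 package: a Python sketch that parses the old-style type=1503 denial lines quoted in this report and returns, per profile and path, the two candidate rules discussed above (the allow rule that grants the read, and the explicit deny rule that keeps the access blocked without logging it). Reducing denied_mask="r::" to the permission letter "r" is an assumption that matches the rule used in this report; the function names are hypothetical.

```python
import re
from collections import Counter

# Log lines copied from this bug report: two complete denials, one
# profile_replace event (ignored), and the denial that the page truncates.
SAMPLE = '''\
kernel: [86913.526900] type=1503 audit(1254826475.203:56): operation="open" pid=19633 parent=19632 profile="/usr/sbin/mysqld" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/devices/system/cpu/"
Oct 7 09:37:16 maxwell kernel: [ 15.438651] type=1505 audit(1254933431.338:22): operation="profile_replace" pid=826 name=/usr/sbin/mysqld
Oct 7 09:37:19 maxwell kernel: [ 22.989345] type=1503 audit(1254933438.890:24): operation="open" pid=1126 parent=1125 profile="/usr/sbin/mysqld" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/devices/system/cpu/"
Oct 7 09:37:52 maxwell kernel: [ 53.437479] type=1503 audit(1254933469.339:27): operation="open" pid=1270 parent=1269 profile="/usr/sbin/mysqld" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/devi...
'''

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Yield (profile, path, perms) for every complete type=1503 denial."""
    for line in text.splitlines():
        if "type=1503" not in line:
            continue
        fields = {k: q or u for k, q, u in KV.findall(line)}
        path = fields.get("name", "")
        mask = fields.get("denied_mask", "")
        profile = fields.get("profile", "")
        # An unterminated quote means the line was cut off: do not guess the path.
        if not (path and mask and profile) or path.startswith('"'):
            continue
        # Assumption: keep only the permission letters of the old "r::" mask format.
        yield profile, path, mask.replace(":", "")

def suggest_rules(text):
    """Collapse repeated denials and return both candidate rules for each."""
    counts = Counter(parse_denials(text))
    return [
        {
            "profile": profile,
            "hits": hits,
            "allow": f"{path} {perms},",      # grants the access
            "deny": f"deny {path} {perms},",  # still blocked, no longer logged
        }
        for (profile, path, perms), hits in sorted(counts.items())
    ]

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE):
        print(rule)
```

Either rule goes inside the braces of the profile named in the "profile" field, and the profile has to be reloaded before the change takes effect.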

tags: added: apparmor
Trond Husoe (tr-huso) wrote :

Also tried to add the deny /sys/devices/system/cpu/ r, rule
Started apparmor OK
Starting mysql - Not OK

Trond Husoe (tr-huso) wrote :

This is my daemon.log

mysqld_safe: Starting mysqld daemon with databases from /home/mysqldata
Oct 30 10:09:44 trond-laptop mysqld: 091030 10:09:44 [Note] Plugin 'FEDERATED' is disabled.
Oct 30 10:09:44 trond-laptop mysqld: /usr/sbin/mysqld: Table 'mysql.plugin' doesn't exist
Oct 30 10:09:44 trond-laptop mysqld: 091030 10:09:44 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
Oct 30 10:09:44 trond-laptop mysqld: 091030 10:09:44 InnoDB: Started; log sequence number 0 10235864
Oct 30 10:09:44 trond-laptop mysqld: 091030 10:09:44 [ERROR] /usr/sbin/mysqld: unknown option '--skip-bdb'
Oct 30 10:09:44 trond-laptop mysqld: 091030 10:09:44 [ERROR] Aborting
Oct 30 10:09:44 trond-laptop mysqld:
Oct 30 10:09:44 trond-laptop mysqld: 091030 10:09:44 InnoDB: Starting shutdown...
Oct 30 10:09:45 trond-laptop mysqld: 091030 10:09:45 InnoDB: Shutdown completed; log sequence number 0 10235864
Oct 30 10:09:45 trond-laptop mysqld: 091030 10:09:45 [Warning] Forcing shutdown of 1 plugins
Oct 30 10:09:45 trond-laptop mysqld: 091030 10:09:45 [Note] /usr/sbin/mysqld: Shutdown complete
Oct 30 10:09:45 trond-laptop mysqld:
Oct 30 10:09:45 trond-laptop mysqld_safe: mysqld from pid file /var/run/mysqld/mysqld.pid ended
Oct 30 10:09:58 trond-laptop /etc/init.d/mysql[23033]: 0 processes alive and '/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf ping' resulted in
Oct 30 10:09:58 trond-laptop /etc/init.d/mysql[23033]: #007/usr/bin/mysqladmin: connect to server at 'localhost' failed
Oct 30 10:09:58 trond-laptop /etc/init.d/mysql[23033]: error: 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'
Oct 30 10:09:58 trond-laptop /etc/init.d/mysql[23033]: Check that mysqld is running and that the socket: '/var/run/mysqld/mysqld.sock' exists!
Oct 30 10:09:58 trond-laptop /etc/init.d/mysql[23033]:

----
I have tried to run the mysql_upgrade command, but it won't run as the server is not running.

Trond Husoe (tr-huso) wrote :

This is my kern.log:
[10360.109659] type=1503 audit(1256893798.480:502): operation="open" pid=23026 parent=23025 profile="/usr/sbin/mysqld" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/devices/system/cpu/"

Trond Husoe (tr-huso) wrote :

What worked for me was to mark out skip-bdb in the my.cnf file

I have attached the my.cnf file

Trond Husoe (tr-huso) wrote :

Note to above post: The solution was found in this post: http://<email address hidden>/msg189569.html

Garen (garenp) wrote :

I don't even have skip-bdb in /etc/mysql/my.cnf, so commenting it out isn't the solution. Using mysql 5.3.37 provided by mysql-server-5.1 on Ubuntu 9.10 / Karmic.

R. Lund (rlund) wrote :

Made changes to apparmor, still mysql will not start.
Also did not have skip-bdb in my.cnf.
After restarting apparmor, I did notice that a few error messages disappeared, and after deleting ibdata1 and ib_logfile0 and ib_logfile1 at least I am getting completely different errors now, so there may be something to this.

Juri Haberland (haberland) wrote :

To everyone having problems with not starting mysql daemons:
This bug (or better: omission) does *not* prevent mysql from starting - it just produces a message in the syslog about a denied file access.

MarcRandolph (mrand) wrote :

Raising importance, between this bug and Bug #448656 and no telling how many others, this is affecting a number of users.

Changed in mysql-dfsg-5.1 (Ubuntu):
importance: Low → Medium
Ron Addie (addie-usq) wrote :

I have experienced mysql failing to start for the last 2 months, after an Ubuntu upgrade, and this failure to start could be worked around by stopping apparmor. I have now added the line proposed in the original posting, and mysql now appears to start satisfactorily when apparmor is running. My experience therefore contradicts that of Juri Haberland in msg #13. In my experience this bug is a serious problem and the proposed fix works.

Juri Haberland (haberland) wrote :

Can you double-check that
a) really this line makes mysql start again (just remove that line, restart apparmor and try to restart mysql)
b) you really started mysql *after* apparmor

I just double-checked this issue on my system and mysql 5.1 will start without problems with the proposed line missing.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.1 - 5.1.41-3ubuntu6

---------------
mysql-dfsg-5.1 (5.1.41-3ubuntu6) lucid; urgency=low

  * debian/apparmor-profile: Update apparmor profile. Get rid of annoying warning
    when starting mysql. (LP: #444479)
 -- Chuck Short <email address hidden> Thu, 18 Feb 2010 13:54:43 -0500

Changed in mysql-dfsg-5.1 (Ubuntu):
status: Triaged → Fix Released
Igor Santos (igorsantos07) wrote :

I'm using Ubuntu 9.10 and was having those messages on /var/log/syslog when trying to stop mysql.
Added the line "/sys/devices/system/cpu/ r," to the end of "directories listing" (before the last "}") of /etc/apparmor.d/usr.sbin.mysqld and now the messages stopped... but I can't stop mysql yet. When I run "$ sudo service mysql stop" or "$/etc/init.d/mysqld stop" it fails and doesn't print anything to syslog, dmesg or mysql logs.

Adrian Schmid (ascsoftware) wrote :

I am also not able to start the mysql process successfully, even after adding the line "/sys/devices/system/cpu/ r," to /etc/apparmor.d/usr.sbin.mysqld. Did an update of packages apt-get install mysql-client mysql-client-5.1 mysql-client-core-5.1 on Ubuntu Lucid. After this, when starting mysql with upstart script: service mysql start it just hangs, ps -e | grep my shows no processes. This happens when apparmor is running and when it is not, though settings (checked from a working mysql database server) seem to be correct. Something in the context/apparmor/security must be missing... any ideas? Could I remove profiles from apparmor to see if this is related without risking a server reboot?

Apparmor status shows:

/etc/init.d/apparmor status
apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
   /sbin/dhclient3
   /usr/bin/freshclam
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode :
   /usr/bin/freshclam (1706)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Adrian Schmid (ascsoftware) wrote :

This solved my problem on Ubuntu Lucid:

apt-get remove --purge mysql-server mysql-common mysql-client

apt-get install mysql-server

After purging and installing the packages, mysql started fine. Seems it was mysql-related.

imachine (m-jedrasik) wrote :

Stopping apparmor then restarting mysql then stopping mysql and starting apparmor and starting mysql while apparmor is started works fine over here.

Updated to 10.10.
