Comment 6 for bug 1629203

sles (slesru) wrote :

OK, here it is

1. sudo apt-get install mariadb-server

2. /usr/sbin/mysqld {
}

3. systemctl reload apparmor

4. systemctl start mysql

5. sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile: /usr/sbin/mysqld
Path: /etc/ld.so.cache
Mode: r
Severity: 1

  1 - #include <abstractions/base>
  2 - #include <abstractions/evince>
  3 - #include <abstractions/gnome>
  4 - #include <abstractions/kde>
  5 - #include <abstractions/lightdm>
  6 - #include <abstractions/ubuntu-browsers.d/firefox>
  7 - #include <abstractions/ubuntu-browsers.d/kde>
  8 - #include <abstractions/ubuntu-browsers.d/mailto>
  9 - #include <abstractions/ubuntu-gnome-terminal>
  10 - #include <abstractions/ubuntu-konsole>
  11 - #include <abstractions/ubuntu-unity7-base>
 [12 - /etc/ld.so.cache]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore

Profile: /usr/sbin/mysqld
Path: /etc/ld.so.cache
Mode: r
Severity: 1

 [1 - #include <abstractions/base>]
  2 - #include <abstractions/evince>
  3 - #include <abstractions/gnome>
  4 - #include <abstractions/kde>
  5 - #include <abstractions/lightdm>
  6 - #include <abstractions/ubuntu-browsers.d/firefox>
  7 - #include <abstractions/ubuntu-browsers.d/kde>
  8 - #include <abstractions/ubuntu-browsers.d/mailto>
  9 - #include <abstractions/ubuntu-gnome-terminal>
  10 - #include <abstractions/ubuntu-konsole>
  11 - #include <abstractions/ubuntu-unity7-base>
  12 - /etc/ld.so.cache
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
Adding #include <abstractions/base> to profile.

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /usr/sbin/mysqld]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
Writing updated profile for /usr/sbin/mysqld.

6.
sudo systemctl reload apparmor
Job for apparmor.service failed because the control process exited with error code. See "systemctl status apparmor.service" and "journalctl -xe" for details.

cat usr.sbin.mysqld
# Last Modified: Sun Oct 2 18:04:36 2016
# This file is intensionally empty to disable apparmor by default for newer
# versions of MariaDB, while providing seamless upgrade from older versions
# and from mysql, where apparmor is used.
#
# By default, we do not want to have any apparmor profile for the MariaDB
# server. It does not provide much useful functionality/security, and causes
# several problems for users who often are not even aware that apparmor
# exists and runs on their system.
#
# Users can modify and maintain their own profile, and in this case it will
# be used.
#
# When upgrading from previous version, users who modified the profile
# will be promptet to keep or discard it, while for default installs
# we will automatically disable the profile.

/usr/sbin/mysqld {
  #include <abstractions/base>

}

If
>In theory, the tunables/global include should always be added
it is not added by aa-logprof...