mythtv schedules broken due apparmor mysql profile

Bug #615177 reported by Thomas Templin on 2010-08-09
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Jamie Strandboge
mysql-5.1 (Ubuntu)

Bug Description

Binary package hint: apparmor

Release: 10.10
apparmor: 2.5.1~pre1393-0ubuntu2
mythtv: 0.23.1+fixes25586-0ubuntu0+mythbuntu2
mysql-server: 5.1.49-1ubuntu2
mysql-client: 5.1.49-1ubuntu2

Old schedules are not performed anymore.
New schedules don't show up in mythfrontend.
But they appear in mythweb.
Nevertheless theese schedules have no effect, mythtv doesn't record anything.

Workaround, stop apparmor:
  sudo service apparmor stop

Schedules show up in mythfrontend again and are performed as expected

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: apparmor 2.5.1~pre1393-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.35-14.20-generic 2.6.35
Uname: Linux 2.6.35-14-generic i686
NonfreeKernelModules: nvidia
 Error: command /usr/sbin/apparmor_status failed with exit code 4: You do not have enough privilege to read the profile set.
 apparmor module is loaded.
Architecture: i386
Date: Mon Aug 9 02:36:58 2010
 PATH=(custom, user)
SourcePackage: apparmor

Related branches

Thomas Templin (coastgnu) wrote :
Jamie Strandboge (jdstrand) wrote :

Thomas, can you adjust these lines in /etc/apparmor.d/abstractions/user-tmp:
  owner /var/tmp/ rw,
  owner /tmp/ rw,

to be:
  /var/tmp/ rw,
  /tmp/ rw,

Then do:
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.mysqld

Then restart apparmor then mysql. Rebooting would be easiest (but make sure mysqld is still confined with 'sudo aa-status').

Please report back. I also recommend The abstraction is clearly too strict and will be fixed in the apparmor package, but after making the change an adjustment may still be needed for mysql.

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
status: New → In Progress
Changed in mysql-5.1 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1~pre1393-0ubuntu3

apparmor (2.5.1~pre1393-0ubuntu3) maverick; urgency=low

  * debian/patches/0002-lp615177.patch: 'owner' match in commit 1406 too
    strict for /tmp/ and /var/tmp/ (LP: #615177)
 -- Jamie Strandboge <email address hidden> Mon, 09 Aug 2010 10:17:05 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thomas, actually, if you can test after upgrading to 2.5.1~pre1393-0ubuntu3, that would be even better. Thanks!

Moin moin Jamie

2.5.1~pre1393-0ubuntu3 fixed the problem!
IMHO, bug may be closed.


Changed in mysql-5.1 (Ubuntu):
status: Incomplete → Invalid
assignee: Jamie Strandboge (jdstrand) → nobody
Martin Pitt (pitti) on 2010-12-03
Changed in mysql-5.1 (Ubuntu Lucid):
status: New → Invalid

Accepted apparmor into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See for documentation how to enable and use -proposed. Thank you in advance!

Changed in apparmor (Ubuntu Lucid):
status: New → Fix Committed
tags: added: verification-needed
Jamie Strandboge (jdstrand) wrote :

Lucid not affected. This was an iteration of fix for bug #578922. Does not regress with 2.5.1-0ubuntu0.10.04.1 in lucid-proposed.

Changed in apparmor (Ubuntu Lucid):
status: Fix Committed → Invalid
tags: added: verification-done
removed: verification-needed
Changed in mysql-5.1 (Ubuntu Lucid):
status: Invalid → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (10.1 KiB)

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.1

apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
    with newer kernels (LP: #660077)
    NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
    to be adjusted when 2 separately confined applications that both use the
    user-tmp abstraction depend on being able to cooperatively share files
    with each other in /tmp or /var/tmp.
  * remove the following patches (features not appropriate for SRU):
    - 0002-add-chromium-browser.patch
    - 0003-local-includes.patch
    - 0004-ubuntu-abstractions-updates.patch
  * debian/rules (this makes it the same as what was shipped in 10.04 LTS
    - don't ship aa-update-browser and its man page (requires
    - don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
    - don't use dh_apparmor (not in Ubuntu 10.04 LTS)
    - don't ship chromium profile
  * remove debian/profiles/chromium-browser
  * remove debian/aa-update-browser*
  * debian/apparmor-profiles.postinst: revert to that in lucid release
    (requires dh_apparmor and 0002-add-chromium-browser.patch)
  * remove debian/apparmor-profiles.postrm: doesn't make sense without
  * debian/control:
    - revert Build-Depends on debhelper (>= 5)
    - revert Standards-Version to 3.8.4
    - revert Vcs-Bzr
    - use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
  * debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
    back into dbus, since profiles on 10.04 LTS expect it there
  * debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
    abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
    be there

apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/ apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/ use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put ...

Changed in apparmor (Ubuntu Lucid):
status: Invalid → Fix Released

please send me apparmorfix released

please send me apparmorfix released, and i am using ubuntu 10.04

please send me apparmorfix released, and i am using ubuntu 10.04 server

Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in mysql-5.1 (Ubuntu Lucid):
status: Fix Committed → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers