apparmor prevents non-default mysql data directories

Bug #1095370 reported by Murray Cumming on 2013-01-02
This bug affects 2 people
Affects: mysql-5.5 (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

Apparmor's mysql configuration prevents initialization (and maybe use) of mysqld with data in non-standard directories. This problem is easy to reproduce:

$ /usr/bin/mysql_install_db --no-defaults --user=murrayc --datadir=/home/murrayc/testmysql_data
Installing MySQL system tables...
130102 17:48:52 [Warning] Can't create test file /home/murrayc/testmysql_data/murrayc-ThinkPad-X220.lower-test
130102 17:48:52 [Warning] Can't create test file /home/murrayc/testmysql_data/murrayc-ThinkPad-X220.lower-test
ERROR: 1005 Can't create table 'db' (errno: 13)
130102 17:48:52 [ERROR] Aborting

130102 17:48:52 [Note] /usr/sbin/mysqld: Shutdown complete

This can be worked around by adding this in /etc/apparmor.d/local/usr.sbin/mysqld:

/home/murrayc/testmysql/data/ r,
/home/murrayc/testmysql/data/** rwk,

but that is not useful to application code, such as Glom, that needs to use arbitrary paths without asking the (non-technical) user to edit an apparmor file and restart apparmor.

I'm using Ubuntu Quantal.

Serge Hallyn (serge-hallyn) wrote :

You can also work around this by setting the mysql profile into complain mode. Edit /etc/apparmor.d/usr.sbin.mysqld and change the line

/usr/sbin/mysqld {

to

/usr/sbin/mysqld flags=(complain) {

then reload the profile with

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld

After this I no longer get the 'Can't create test file' warnings.

However it would seem better for the application code to automatically update the /etc/apparmor.d/local/usr.sbin.mysqld file as it learns of paths. This would be similar to how libvirt uses virt-aa-helper to update policies for qemu VMs to allow access to the block devices (etc) listed in the VM specification.

Is there a better way you can think of to accommodate this use case (without giving up the protection against mysql using arbitrary paths)?
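
Added example, not part of the original thread and not code from Ubuntu, MySQL, Glom or libvirt: a sketch of the path validation a virt-aa-helper-style privileged helper would need before emitting rules for the local include, so that a requested data directory cannot widen the mysqld profile beyond that directory. The allowed roots, the minimum depth and every function name here are assumptions.

```python
import posixpath
import re

# Characters that AppArmor path rules treat specially (globs, alternation,
# quoting, escapes, comments, rule terminator), plus whitespace and controls.
_UNSAFE = re.compile(r'[*?\[\]{}^"\\,#\s\x00-\x1f]')

# Assumed policy: data directories may only live below these roots, and must
# be at least MIN_DEPTH components deep (so "/home/user" itself is refused).
ALLOWED_ROOTS = ("/home/", "/srv/")
MIN_DEPTH = 3


class RejectedPath(ValueError):
    """The requested data directory must not be turned into a rule."""


def datadir_rules(datadir: str) -> str:
    """Return the two local-include rules for one data directory, or raise."""
    if not datadir.startswith("/"):
        raise RejectedPath("path must be absolute")
    if _UNSAFE.search(datadir):
        raise RejectedPath("path contains AppArmor metacharacters or whitespace")
    if ".." in datadir.split("/"):
        # Lexical ".." removal is wrong when symlinks are involved: refuse.
        raise RejectedPath("path contains a '..' component")
    norm = posixpath.normpath(datadir)  # collapses '//' and a trailing '/'
    if not norm.startswith(ALLOWED_ROOTS):
        raise RejectedPath("path is outside the allowed roots")
    if len(norm.strip("/").split("/")) < MIN_DEPTH:
        raise RejectedPath("path is too close to the filesystem root")
    # Same rule shape as the workaround in the bug description: read access
    # to the directory itself, read/write/lock on everything below it.
    return f"{norm}/ r,\n{norm}/** rwk,\n"


if __name__ == "__main__":
    # Constructed sample requests, as an unprivileged caller might send them.
    for request in ("/home/murrayc/testmysql_data", "/home/murrayc/**", "/"):
        try:
            print(datadir_rules(request), end="")
        except RejectedPath as err:
            print(f"refused {request!r}: {err}")
    # A real helper would also resolve symlinks before validating, append the
    # rules to /etc/apparmor.d/local/usr.sbin.mysqld, and reload the profile
    # with apparmor_parser -r as shown in the comment above.
```
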

Serge Hallyn (serge-hallyn) wrote :

Marking incomplete in case there is another way we can improve this situation. If there is not, then the bug should probably be marked wontfix.

Changed in mysql-5.5 (Ubuntu):
importance: Undecided → Medium
status: New → Incomplete

Murray Cumming (murrayc) wrote :

> However it would seem better for the application code to automatically update the /etc/apparmor.d/local/usr.sbin.mysqld file as it learns of paths.

I doubt that applications are meant to change that file, though I know nothing about apparmor.

If Glom did that, it would need to ask for sudo access to do that, making the application useless for ordinary users.

Launchpad Janitor (janitor) wrote :

[Expired for mysql-5.5 (Ubuntu) because there has been no activity for 60 days.]

Changed in mysql-5.5 (Ubuntu):
status: Incomplete → Expired