apparmor prevents non-default mysql data directories

Bug #1095370 reported by Murray Cumming
This bug affects 2 people
Affects: mysql-5.5 (Ubuntu)
Status: Expired
Importance: Medium
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Apparmor's mysql configuration prevents initialization (and maybe use) of mysqld with data in non-standard directories. This problem is easy to reproduce:

$ /usr/bin/mysql_install_db --no-defaults --user=murrayc --datadir=/home/murrayc/testmysql_data
Installing MySQL system tables...
130102 17:48:52 [Warning] Can't create test file /home/murrayc/testmysql_data/murrayc-ThinkPad-X220.lower-test
130102 17:48:52 [Warning] Can't create test file /home/murrayc/testmysql_data/murrayc-ThinkPad-X220.lower-test
ERROR: 1005 Can't create table 'db' (errno: 13)
130102 17:48:52 [ERROR] Aborting

130102 17:48:52 [Note] /usr/sbin/mysqld: Shutdown complete

This can be worked around by adding this in /etc/apparmor.d/local/usr.sbin/mysqld:

/home/murrayc/testmysql/data/ r,
/home/murrayc/testmysql/data/** rwk,

but that is not useful to application code, such as Glom, that needs to use arbitrary paths without asking the (non-technical) user to edit an apparmor file and restart apparmor.

I'm using Ubuntu Quantal
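
Added example, not part of the original report and not code from MySQL, AppArmor or Glom: a way to confirm that the errno 13 above comes from the mysqld profile and to see which permissions the data directory would need, by reading AppArmor's kernel audit lines. The log lines are constructed samples in the usual audit format, and the function names `violations` and `candidate_rules` are hypothetical.

```python
import posixpath
import re

# Constructed sample in the kernel audit format AppArmor logs (timestamps, pids
# and the last two lines are invented; paths follow the report's --datadir).
SAMPLE_LOG = '''\
kernel: type=1400 audit(1357145332.101:41): apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/home/murrayc/testmysql_data/murrayc-ThinkPad-X220.lower-test" pid=4211 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
kernel: type=1400 audit(1357145332.240:42): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/home/murrayc/testmysql_data/mysql/db.frm" pid=4211 comm="mysqld" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
kernel: type=1400 audit(1357149000.007:77): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/mysqld" name="/home/murrayc/testmysql_data/ibdata1" pid=4302 comm="mysqld" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
kernel: type=1400 audit(1357149001.500:78): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit mask letters -> profile rule letters: create/delete are granted by "w".
MASK_TO_RULE = {"c": "w", "d": "w"}

def violations(log_text, datadir, profile="/usr/sbin/mysqld"):
    """Return (paths, perms) for profile violations under datadir.

    DENIED is logged in enforce mode, ALLOWED in complain mode; both mean the
    profile has no rule for the access.
    """
    root = posixpath.normpath(datadir) + "/"
    paths, perms = [], set()
    for line in log_text.splitlines():
        f = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if f.get("apparmor") not in ("DENIED", "ALLOWED") or f.get("profile") != profile:
            continue
        name = posixpath.normpath(f.get("name", ""))
        if not (name + "/").startswith(root):
            continue  # outside the data directory: do not widen the rule for it
        paths.append(name)
        perms.update(MASK_TO_RULE.get(ch, ch) for ch in f.get("denied_mask", ""))
    return paths, perms

def candidate_rules(datadir, perms):
    """Format rules in the shape of the report's workaround, for admin review."""
    root = posixpath.normpath(datadir)
    # Exec ("x") is left out on purpose: it needs an explicit transition mode.
    letters = "".join(ch for ch in "rwaklm" if ch in perms)
    return [f"{root}/ r,", f"{root}/** {letters},"]

if __name__ == "__main__":
    found, needed = violations(SAMPLE_LOG, "/home/murrayc/testmysql_data")
    print(*found, sep="\n")
    print(*candidate_rules("/home/murrayc/testmysql_data", needed), sep="\n")
```

On a real system the input would be the kernel log or audit log instead of `SAMPLE_LOG`; file names containing unusual characters are hex-encoded there and are not decoded by this sketch.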

Serge Hallyn (serge-hallyn) wrote :

You can also work around this by setting the mysql profile into complain mode. Edit /etc/apparmor.d/usr.sbin.mysqld and change the line

/usr/sbin/mysqld {

to

/usr/sbin/mysqld flags=(complain) {

then reload the profile with

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld

After this, I no longer get the 'Can't create test file' warnings.

However it would seem better for the application code to automatically update the /etc/apparmor.d/local/usr.sbin.mysqld file as it learns of paths. This would be similar to how libvirt uses virt-aa-helper to update policies for qemu VMs to allow access to the block devices (etc) listed in the VM specification.

Is there a better way you can think of to accommodate this use case (without giving up the protection against mysql using arbitrary paths)?

Serge Hallyn (serge-hallyn) wrote :

Marking incomplete in case there is another way we can improve this situation. If there is not, then the bug should probably be marked wontfix.

Changed in mysql-5.5 (Ubuntu):
importance: Undecided → Medium
status: New → Incomplete
Murray Cumming (murrayc) wrote :

> However it would seem better for the application code to automatically update the /etc/apparmor.d/local/usr.sbin.mysqld file as it learns of paths.

I doubt that applications are meant to change that file, though I know nothing about apparmor.

If Glom did that, it would need to ask for sudo access to do that, making the application useless for ordinary users.

Launchpad Janitor (janitor) wrote :

[Expired for mysql-5.5 (Ubuntu) because there has been no activity for 60 days.]

Changed in mysql-5.5 (Ubuntu):
status: Incomplete → Expired