apparmor prevents non-default mysql data directories
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
mysql-5.5 (Ubuntu) | Expired | Medium | Unassigned | |
Bug Description
Apparmor's mysql configuration prevents initialization (and maybe use) of mysqld with data in non-standard directories. This problem is easy to reproduce:
$ /usr/bin/
Installing MySQL system tables...
130102 17:48:52 [Warning] Can't create test file /home/murrayc/
130102 17:48:52 [Warning] Can't create test file /home/murrayc/
ERROR: 1005 Can't create table 'db' (errno: 13)
130102 17:48:52 [ERROR] Aborting
130102 17:48:52 [Note] /usr/sbin/mysqld: Shutdown complete
This can be worked around by adding this in /etc/apparmor.
/home/murrayc/
/home/murrayc/
but that is not useful to application code, such as Glom, that needs to use arbitrary paths without asking the (non-technical) user to edit an apparmor file and restart apparmor.
I'm using Ubuntu Quantal
You can also work around this by setting the mysql profile into complain mode. Edit /etc/apparmor.d/usr.sbin.mysqld and change the line
/usr/sbin/mysqld {
to
/usr/sbin/mysqld flags=(complain) {
then reload the profile with
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
After this I no longer get the 'Can't create test file' warnings.
However, it would seem better for the application code to automatically update the /etc/apparmor.d/local/usr.sbin.mysqld file as it learns of paths. This would be similar to how libvirt uses virt-aa-helper to update policies for qemu VMs to allow access to the block devices (etc) listed in the VM specification.
Is there a better way you can think of to accommodate this use case (without giving up the protection against mysql using arbitrary paths)?
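A sketch of the helper idea raised in the comment above, as an added example that is not code from this bug report, from MySQL, or from libvirt: it validates a requested data directory and adds rules for exactly that path to the local include, leaving the profile in enforce mode. Assumptions: the main profile includes the local file, the rule shape (`/ r,` and `/** rwk,`) is the right one for a data directory, and the function names, deny-list and sample paths are hypothetical.

```python
import os
import re

# Local include named in the comment above; assumed to be pulled in by the main profile.
LOCAL_PROFILE = "/etc/apparmor.d/local/usr.sbin.mysqld"

# Whitespace plus characters that act as globs, variables, quotes, comments or
# separators in AppArmor rule syntax: a path containing one could widen the rule.
_UNSAFE = re.compile(r'[\s*?\[\]{}^@"#,\\]')

# Hypothetical deny-list of trees the helper must never open to mysqld.
_SYSTEM_ROOTS = ("/etc", "/root", "/boot", "/proc", "/sys", "/dev",
                 "/usr", "/bin", "/sbin", "/lib", "/var/lib/apparmor")

def rules_for(datadir):
    """Return the two rules for one data directory, or raise ValueError."""
    if not datadir.startswith("/"):
        raise ValueError("data directory must be an absolute path")
    if _UNSAFE.search(datadir):
        raise ValueError("path contains characters special to AppArmor")
    # Collapse "..", "." and repeated slashes before any policy decision.
    # A real helper would also resolve symlinks (os.path.realpath) here.
    path = "/" + os.path.normpath(datadir).lstrip("/")
    if path.count("/") < 2:
        raise ValueError("refusing to grant a top-level directory")
    if any(path == r or path.startswith(r + "/") for r in _SYSTEM_ROOTS):
        raise ValueError("refusing to grant a system directory")
    # Assumed rule shape: read the directory itself, read/write/lock below it.
    return [path + "/ r,", path + "/** rwk,"]

def merge_rules(existing, datadir):
    """Return the include file's new text; unchanged if the rules are present."""
    present = {line.strip() for line in existing.splitlines()}
    missing = [r for r in rules_for(datadir) if r not in present]
    if not missing:
        return existing
    prefix = existing if existing.endswith("\n") or not existing else existing + "\n"
    return prefix + "\n".join(missing) + "\n"

def update_local_profile(datadir, profile=LOCAL_PROFILE):
    """Rewrite the local include atomically; return True if it changed."""
    old = ""
    if os.path.exists(profile):
        with open(profile) as fh:
            old = fh.read()
    new = merge_rules(old, datadir)
    if new == old:
        return False
    with open(profile + ".tmp", "w") as fh:
        fh.write(new)
    os.replace(profile + ".tmp", profile)  # caller then reloads the profile
    return True
```

When `update_local_profile` returns True, the profile still has to be reloaded with the `apparmor_parser -r` command shown in the comment above; writing the include requires root, so the helper would run as a small privileged component rather than inside the application.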