AppArmor profile needs update

Bug #880339 reported by Jürgen
38
This bug affects 6 people
Affects Status Importance Assigned to Milestone
mysql-5.5 (Ubuntu)
Medium
Unassigned
Oneiric
Medium
Unassigned
Precise
Medium
Unassigned

Bug Description

Bug​ #810270 https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/810270 told me to report a new bug, so here it is.
I'm affraid the apparmor bug is not fixed yet for mysql Ver 14.14 Distrib 5.1.58, for debian-linux-gnu (x86_64). http://penguindroppings.wordpress.com/2009/07/07/should-i-disable-apparmor/ was my help to temporary disable the profile for mysql to get things working again:
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/usr.sbin.mysqld
sudo service mysql start
mysql start/running, process 3024

Before doing this, I got this from dmesg:
type=1400 audit(1319135491.751:5641): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=2704 comm="apparmor_parser"
[84848.322283] type=1400 audit(1319135491.915:5642): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld.sock" pid=2708 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
[84853.637467] init: mysql main process (2708) terminated with status 1
[84853.637505] init: mysql main process ended, respawning

description: updated
Dave Walker (davewalker)
Changed in mysql-5.1 (Ubuntu Precise):
milestone: none → precise-alpha-1
Changed in mysql-5.1 (Ubuntu Oneiric):
milestone: none → oneiric-updates
importance: Undecided → Medium
Changed in mysql-5.1 (Ubuntu Precise):
importance: Undecided → Medium
Dave Walker (davewalker)
Changed in mysql-5.1 (Ubuntu Precise):
assignee: nobody → Andres Rodriguez (andreserl)
Revision history for this message
Andres Rodriguez (andreserl) wrote :

Hi Jurgen,

Thank you for taking the time to report bugs and trying to make Ubuntu Server better.

Unfortunately, I have been unable to reproduce this bug report in oneiric. I have installed mysql-server in a clean ubuntu installation and I have not received the apparmor errors and mysql server is working as expected.

Logs of apparmor show:

Nov 10 13:12:04 ***** kernel: [11190.491403] type=1400 audit(1320948724.601:31): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=1056 comm="apparmor_parser"
Nov 10 13:12:04 ***** kernel: [11190.518857] type=1400 audit(1320948724.629:32): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=1087 comm="apparmor_parser"

Are you still experiencing this issue?

For now, I'll mark this bug as incomplete until further confirmation of the bug report is received.

Changed in mysql-5.1 (Ubuntu Oneiric):
status: New → Incomplete
Changed in mysql-5.1 (Ubuntu Precise):
status: New → Incomplete
Revision history for this message
Jürgen (jurgen-depicker) wrote :

Funny, because I did a clean install too. I cannot give you more info then what I gave you before, as far as I know.
 Presently, apparmor is disabled on mysql. Anything more I can do for you?

Revision history for this message
Andres Rodriguez (andreserl) wrote :
Download full text (4.9 KiB)

Hi Jurgen,

Have you installed any databases in a different location than the default one? Cause I've seen issues like yours but only when changing the location of the databases. Other than that, I have re-tested this in another clean install without any issues. Could you please attach the apparmor profile file?

Install log:

roaksoax@pursue:~$ sudo apt-get install mysql-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libdbd-mysql-perl mysql-client-5.1 mysql-client-core-5.1 mysql-server-5.1 mysql-server-core-5.1
Suggested packages:
  tinyca
The following NEW packages will be installed:
  libdbd-mysql-perl mysql-client-5.1 mysql-client-core-5.1 mysql-server mysql-server-5.1 mysql-server-core-5.1
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/20.9 MB of archives.
After this operation, 53.6 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Preconfiguring packages ...
Selecting previously deselected package libdbd-mysql-perl.
(Reading database ... 232434 files and directories currently installed.)
Unpacking libdbd-mysql-perl (from .../libdbd-mysql-perl_4.019-1_amd64.deb) ...
Selecting previously deselected package mysql-client-core-5.1.
Unpacking mysql-client-core-5.1 (from .../mysql-client-core-5.1_5.1.58-1ubuntu1_amd64.deb) ...
Selecting previously deselected package mysql-client-5.1.
Unpacking mysql-client-5.1 (from .../mysql-client-5.1_5.1.58-1ubuntu1_amd64.deb) ...
Selecting previously deselected package mysql-server-core-5.1.
Unpacking mysql-server-core-5.1 (from .../mysql-server-core-5.1_5.1.58-1ubuntu1_amd64.deb) ...
Selecting previously deselected package mysql-server-5.1.
Unpacking mysql-server-5.1 (from .../mysql-server-5.1_5.1.58-1ubuntu1_amd64.deb) ...
Selecting previously deselected package mysql-server.
Unpacking mysql-server (from .../mysql-server_5.1.58-1ubuntu1_all.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libdbd-mysql-perl (4.019-1) ...
Setting up mysql-client-core-5.1 (5.1.58-1ubuntu1) ...
Setting up mysql-client-5.1 (5.1.58-1ubuntu1) ...
Setting up mysql-server-core-5.1 (5.1.58-1ubuntu1) ...
Setting up mysql-server-5.1 (5.1.58-1ubuntu1) ...
mysql start/running, process 24002
Setting up mysql-server (5.1.58-1ubuntu1) ...

Syslog:

Nov 15 11:30:42 pursue mysqld[23794]:
Nov 15 11:30:42 pursue mysqld[23794]: PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
Nov 15 11:30:42 pursue mysqld[23794]: To do so, start the server, then issue the following commands:
Nov 15 11:30:42 pursue mysqld[23794]:
Nov 15 11:30:42 pursue mysqld[23794]: /usr/bin/mysqladmin -u root password 'new-password'
Nov 15 11:30:42 pursue mysqld[23794]: /usr/bin/mysqladmin -u root -h pursue password 'new-password'
Nov 15 11:30:42 pursue mysqld[23794]:
Nov 15 11:30:42 pursue mysqld[23794]: Alternatively you can run:
Nov 15 11:30:42 pursue mysqld[23794]: /usr/bin/mysql_secure_installation
Nov 15 11:30:42 pursue mysqld[23794]:
Nov 15 11:30:42 pursue mysqld[23794]: which will also give you the option of removing the test
Nov 15 11:30:42 pursu...

Read more...

Changed in mysql-5.1 (Ubuntu Oneiric):
status: Incomplete → Invalid
Changed in mysql-5.1 (Ubuntu Precise):
status: Incomplete → Invalid
Revision history for this message
Andrew Somerville (andy16666) wrote :

I have the same issue. Is there a resolution yet? I've already checked for unmerged configuration files and there are none. My dmesg contains a bunch of these:

[611629.676337] init: mysql main process (20978) terminated with status 1
[611629.676358] init: mysql main process ended, respawning
[611657.973001] init: mysql post-start process (20979) terminated with status 1
[611657.975861] type=1400 audit(1328627557.750:40441): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=21102 comm="apparmor_parser"
[611659.185792] type=1400 audit(1328627558.966:40442): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld.sock" pid=21106 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=116 ouid=116

Changed in mysql-5.1 (Ubuntu Precise):
status: Invalid → Confirmed
Revision history for this message
Jürgen (jurgen-depicker) wrote :

Sorry Andres for forgetting to reply to #3, but no, I have only one database on that PC, and that's Amarok's DB, in default location. My home PC sleeps right now apparently; if you still need it, please let me know, and I'll send you my apparmor profile.

Revision history for this message
Andres Rodriguez (andreserl) wrote :

Hi guys,

I'll do another clean install and test whether a see this or not.

Cheers.

Revision history for this message
Andres Rodriguez (andreserl) wrote :

I was unable to reproduce it again, but looking into a bit more closely.

Once more data is gathered I'll provide an update.

Changed in mysql-5.1 (Ubuntu Precise):
status: Confirmed → Incomplete
Changed in mysql-5.1 (Ubuntu Precise):
milestone: precise-alpha-1 → ubuntu-12.04-beta-1
tags: added: rls-p-tracking
Martin Pitt (pitti)
Changed in mysql-5.1 (Ubuntu):
milestone: ubuntu-12.04-beta-1 → ubuntu-12.04-beta-2
Revision history for this message
Andres Rodriguez (andreserl) wrote :

Hi Jürgen,

So I have tried to reproduce this bug again but have been unable to. However, the only thing that comes to my mind is that maybe amarok is probably installing a the datadir in a different path from the location that is usually used (./var/lib/mysql) or maybe trying to spawn its own mysql instances, and of course, apparmor prevents doing either of those.

Could you verify the settings that amarok is using for mysql, and find out whether amarok is trying to use its own instance of mysql, or installing the databases in a different location.

Cheers.

Revision history for this message
Jürgen (jurgen-depicker) wrote :

Hi Andres. It's funny, but my amarok is not using its own instance, nor storing its files elswhere:
sudo ls -alh /var/lib/mysql/
totaal 21M
drwx------ 4 mysql mysql 4.0K 2012-03-12 19:39 .
drwxr-xr-x 76 root root 4.0K 2011-10-21 22:10 ..
drwx------ 2 mysql mysql 4.0K 2012-03-10 19:07 amarokdb
-rw-r--r-- 1 root root 0 2011-10-18 19:16 debian-5.1.flag
-rw-rw---- 1 mysql mysql 10M 2012-03-12 19:38 ibdata1
-rw-rw---- 1 mysql mysql 5.0M 2012-03-12 19:39 ib_logfile0
-rw-rw---- 1 mysql mysql 5.0M 2011-10-18 19:16 ib_logfile1
drwx------ 2 mysql root 4.0K 2011-10-18 19:17 mysql
-rw-rw---- 1 root root 6 2011-10-18 19:17 mysql_upgrade_info

So I don't understand why for you it gives no problems, and for me it did.

Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Jurgen, are you still affected by this? MySQL 5.1 has been removed from precise, so this would need to be re-tried with MySQL 5.5. Also the apparmor profile was actually missing from early versions of 5.5 so that may have been another issue, and has been fixed.

Please re-try w/ mysql 5.5. Redirecting to 5.5.

affects: mysql-5.1 (Ubuntu Precise) → mysql-5.5 (Ubuntu Precise)
Changed in mysql-5.5 (Ubuntu Precise):
assignee: Andres Rodriguez (andreserl) → nobody
Revision history for this message
George Kola (georgekola) wrote :

I am also seeing the exact issue on precise (12.04 built on Mar 21, 2012 -- I am using ubuntu ec2 ami ami-d032bfe0). disabling apparmor for mysql 5.5 makes it work. I can attach my.cnf if you would like it. The exact same configuration with ubuntu 11.10 (default mysql 5.1.58) works fine.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

George can you paste the output of this command after you see the denials?
$ grep denied /var/log/kern.log

Martin Pitt (pitti)
Changed in mysql-5.5 (Ubuntu Precise):
milestone: ubuntu-12.04-beta-2 → ubuntu-12.04
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

George, can you provide any more details? Precise releases in less than a month.. it would be great to make sure we don't release it with a bug in the apparmor profile. Thanks!

Revision history for this message
Ted Cabeen (ted-cabeen) wrote :

I'm getting this in precise as well. Here's the output from kern.log:

Apr 13 23:01:16 order kernel: [1654002.272316] type=1400 audit(1334383276.781:120): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld.sock" pid=32364 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=112 ouid=112

I can give you more if you want, but that line repeats with timestamp changes a bunch.

Revision history for this message
Ted Cabeen (ted-cabeen) wrote :

As a followup, adding the following lines to the mysql apparmour file fixed the problem:

  /run/mysqld/mysqld.pid w,
  /run/mysqld/mysqld.sock w,

Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Ted, I believe this was fixed in the mysql 5.5 packages so that on upgrade the new apparmor profile would replace the old 5.1 profile. Its possible that because you've modified the file, you didn't get the new stock 5.5 file. You should have a '.dpkg-dist' version in the same directory which has similar updates.

Can you make sure that the profile is owned by mysql-server-5.5 and not mysql-server-5.1 ?

Thanks!

Revision history for this message
Paul Gevers (paul-climbing) wrote :

Not 100% sure, but it seems quite a lot of bugs in Launchpad are causes by this bug.
E.g. see bug #982303 with additional information.

People are turning off apparmor because of this.

James Page (james-page)
Changed in mysql-5.5 (Ubuntu Precise):
milestone: ubuntu-12.04 → ubuntu-12.04.1
Changed in mysql-5.5 (Ubuntu):
milestone: ubuntu-12.04 → quantal-alpha-1
Revision history for this message
martin suc (martin-suc) wrote :

I have got into this problem after purge reinstallation of mysql server 5.5 in precise as well.
It has been working for some time until I have created new database and couple of tables I could not restart database.
I have got this error:

Jun 2 19:34:35 PCEUBU1 kernel: [38487.429346] type=1400 audit(1338662075.109:540): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=32449 comm="apparmor_parser"
Jun 2 19:34:35 PCEUBU1 kernel: [38487.435393] init: mysql main process (32453) terminated with status 1
Jun 2 19:34:35 PCEUBU1 kernel: [38487.435405] init: mysql respawning too fast, stopped

I do not have any "DENIED" within apparmor in dmesg.
I switched /usr/sbin/mysqld into complain mod and /etc/apparmor.d/usr.sbin.mysqld contains:

/usr/sbin/mysqld flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/mysql>
  #include <abstractions/winbind>

  capability dac_override,
  capability sys_resource,
  capability setgid,
  capability setuid,

  network tcp,

  /etc/hosts.allow r,
  /etc/hosts.deny r,

  /etc/mysql/*.pem r,
  /etc/mysql/conf.d/ r,
  /etc/mysql/conf.d/* r,
  /etc/mysql/*.cnf r,
  /usr/lib/mysql/plugin/ r,
  /usr/lib/mysql/plugin/*.so* mr,
  /usr/sbin/mysqld mr,
  /usr/share/mysql/** r,
  /var/log/mysql.log rw,
  /var/log/mysql.err rw,
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/log/mysql/ r,
  /var/log/mysql/* rw,
  /var/run/mysqld/mysqld.pid w,
  /var/run/mysqld/mysqld.sock w,
  /run/mysqld/mysqld.pid w,
  /run/mysqld/mysqld.sock w,

  /sys/devices/system/cpu/ r,

but it did not allow to start mysqld.

any sollution ? (I would not like to reinstall it again - I still would like to put my backuped databases back)

thank you,
kind regards,
M.

Revision history for this message
martin suc (martin-suc) wrote :

I am sorry - I had changed chmod 644 /etc/mysql/my.cnf to 646 - my bad.
solved

Changed in mysql-5.5 (Ubuntu):
milestone: quantal-alpha-1 → quantal-alpha-2
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

No worries martin, thanks for responding!

tags: removed: rls-p-tracking
Changed in mysql-5.5 (Ubuntu Precise):
status: Incomplete → Invalid
Changed in mysql-5.5 (Ubuntu):
status: Incomplete → Invalid
Revision history for this message
earthmeLon (earthmelon) wrote :

RE #19 https://bugs.launchpad.net/ubuntu/+source/mysql-5.5/+bug/880339/comments/19

Are you recommending allowing any user on the system the ability to write to your my.cnf?

Revision history for this message
Hobson Lane (hobs) wrote :

After trying Jurgen's fix:

    sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
    sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/usr.sbin.mysqld
   sudo service mysql start

I still get this in syslog:

Aug 13 07:11:27 AlSSD kernel: [ 1237.394119] audit_printk_skb: 75 callbacks suppressed
Aug 13 07:11:27 AlSSD kernel: [ 1237.394121] type=1400 audit(1344867087.497:254): apparmor="STATUS" operation="profile_remove" name="/usr/sbin/mysqld" pid=5056 comm="apparmor_parser"
Aug 13 07:11:46 AlSSD kernel: [ 1256.857545] init: mysql main process (5072) terminated with status 1
Aug 13 07:11:46 AlSSD kernel: [ 1256.857610] init: mysql main process ended, respawning
Aug 13 07:11:47 AlSSD kernel: [ 1257.832408] init: mysql post-start process (5073) terminated with status 1
Aug 13 07:11:48 AlSSD kernel: [ 1257.883528] init: mysql main process (5100) terminated with status 1
Aug 13 07:11:48 AlSSD kernel: [ 1257.883593] init: mysql main process ended, respawning
Aug 13 07:11:49 AlSSD kernel: [ 1258.887523] init: mysql post-start process (5101) terminated with status 1
Aug 13 07:11:49 AlSSD kernel: [ 1258.928995] init: mysql main process (5128) terminated with status 1
Aug 13 07:11:49 AlSSD kernel: [ 1258.929059] init: mysql respawning too fast, stopped

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers