cannot create socket file in /run/mysql because of apparmor profile

Bug #917542 reported by Clint Byrum
This bug affects 10 people
Affects: mysql-5.5 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

/usr/sbin/mysqld {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/mysql>
  #include <abstractions/winbind>

  capability dac_override,
  capability sys_resource,
  capability setgid,
  capability setuid,

  network tcp,

  /etc/hosts.allow r,
  /etc/hosts.deny r,

  /etc/mysql/*.pem r,
  /etc/mysql/conf.d/ r,
  /etc/mysql/conf.d/* r,
  /etc/mysql/*.cnf r,
  /usr/lib/mysql/plugin/ r,
  /usr/lib/mysql/plugin/*.so* mr,
  /usr/sbin/mysqld mr,
  /usr/share/mysql/** r,
  /var/log/mysql.log rw,
  /var/log/mysql.err rw,
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/log/mysql/ r,
  /var/log/mysql/* rw,
  /var/run/mysqld/mysqld.pid w,
  /var/run/mysqld/mysqld.sock w,

  /sys/devices/system/cpu/ r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.mysqld>
}

However, /var/run is a symlink to /run, so this will cause failures:

Jan 17 08:47:52 ip-10-80-154-252 kernel: [1026921.882718] type=1400 audit(1326790072.881:55): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld.sock" pid=3607 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=106 ouid=106

Since the path is still specified as /var/run, and the package may be installed and started during a lucid upgrade, I think both dirs should be listed in the apparmor profile for 12.04 (it can be reduced to just /run for all subsequent releases).
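
The mismatch described above can be checked mechanically. The following is an added example, not part of the original report or of the mysql-5.5 packaging: it parses the denial line and tests it against a subset of the quoted profile's path rules. The function names and the mapping of the audit mask bits `c`/`d` to the profile permission `w` are assumptions of this sketch.

```python
import re

# Path rules copied from the profile in the bug description (subset).
PROFILE_RULES = [
    ("/var/lib/mysql/**", "rwk"),
    ("/var/log/mysql/*", "rw"),
    ("/var/run/mysqld/mysqld.pid", "w"),
    ("/var/run/mysqld/mysqld.sock", "w"),
]
# Denial line from the bug description (syslog prefix dropped).
DENIAL = ('type=1400 audit(1326790072.881:55): apparmor="DENIED" '
          'operation="mknod" parent=1 profile="/usr/sbin/mysqld" '
          'name="/run/mysqld/mysqld.sock" pid=3607 comm="mysqld" '
          'requested_mask="c" denied_mask="c" fsuid=106 ouid=106')
# Assumption: create (c) and delete (d) in audit masks are granted by "w".
MASK_TO_PERM = {"c": "w", "d": "w"}

def glob_to_regex(glob):
    """AppArmor path glob to regex: ** crosses '/', * and ? do not."""
    out, i = "", 0  # {a,b} alternation and [classes] are not handled here
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] in "*?":
            out, i = out + ("[^/]*" if glob[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def allowed(path, mask, rules=PROFILE_RULES):
    """True if the rules matching `path` together grant every bit in `mask`."""
    need = {MASK_TO_PERM.get(m, m) for m in mask}
    granted = set()
    for glob, perms in rules:
        if glob_to_regex(glob).match(path):
            granted |= set(perms)
    return need <= granted

def diagnose(line, rules=PROFILE_RULES):
    """Return a rule to add if the denial is only a /var/run alias mismatch."""
    f = {k: q or u for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}
    if f.get("apparmor") != "DENIED" or "name" not in f:
        return None
    if allowed(f["name"], f["denied_mask"], rules):
        return None  # already covered by the profile
    perms = "".join(sorted({MASK_TO_PERM.get(m, m) for m in f["denied_mask"]}))
    if f["name"].startswith("/run/") and allowed("/var" + f["name"], perms, rules):
        return "%s %s," % (f["name"], perms)
    return None
```

For the denial above, `diagnose(DENIAL)` returns `/run/mysqld/mysqld.sock w,`: the profile grants the access only under the `/var/run` spelling, while the denied name is the `/run` path.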

ray (arkibott) wrote :

Possibly unrelated issue:
My mysqld does not start anymore, but I see a different output in the dmesg log, while the mysql logfiles hold no data (0 byte size) or are old. So in addition to not being functional, it does not log useful things itself. Why doesn't it log an error to error.log if it fails to start up?

[ 5808.819908] type=1400 audit(1329231052.884:214): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=21353 comm="apparmor_parser"
[ 5808.852044] init: mysql main process (21357) terminated with status 1
[ 5808.852082] init: mysql main process ended, respawning
[ 5839.091120] init: mysql post-start process (21358) terminated with status 1
[ 5839.119371] type=1400 audit(1329231083.184:215): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=21567 comm="apparmor_parser"
[ 5839.165561] init: mysql main process (21571) terminated with status 1
[ 5839.165599] init: mysql main process ended, respawning
[ 5869.402467] init: mysql post-start process (21572) terminated with status 1

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.5 - 5.5.20-0ubuntu1

---------------
mysql-5.5 (5.5.20-0ubuntu1) precise; urgency=low

  * New upstream release.
  * d/mysql-server-5.5.mysql.upstart: Fix stop on to make sure mysql is
    fully stopped before shutdown commences. (LP: #688541) Also simplify
    start on as it is redundant.
  * d/control: Depend on upstart version which has apparmor profile load
    script to prevent failure on upgrade from lucid to precise.
    (LP: #907465)
  * d/apparmor-profile: need to allow /run since that is the true path
    of /var/run files. (LP: #917542)
  * d/control: mysql-server-5.5 has files in it that used to be owned
    by libmysqlclient-dev, so it must break/replace it. (LP: #912487)
  * d/rules, d/control: 5.5.20 Fixes segfault on tests with gcc 4.6,
    change compiler back to system default.
  * d/rules: Turn off embedded libedit/readline.(Closes: #659566)
 -- Clint Byrum <email address hidden> Tue, 14 Feb 2012 23:59:22 -0800

Changed in mysql-5.5 (Ubuntu):
status: New → Fix Released