missing apparmor rules

Hi,
thank you for your report and your help to make Ubuntu better!

We build with libnuma-dev which should auto-enable https://bugs.mysql.com/bug.php?id=72811.

Might I ask you to describe what effect you see by this missing (other than the Denie in the log) - just to help rating the importance and urgency.

If you happen to brute force it disabled (not recommended in the long run) via
ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
Does it give you any extra capability/feature that was missing before?

The reason I ask is that there are quite often non-fatal denies like that which e.g. do not need an SRU. While at other times they almost disables a feature like it could do to numa in this case.

I'm also noticing those on Xenial systems:

audit: type=1400 audit(1485382778.520:28): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/752/status" pid=752 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
audit: type=1400 audit(1485382778.520:29): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=752 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=0

On the affected system, there was no noticeable impact (yet?) other than the denials, so I'd say it's low impact.

On top of the rules mentioned by Kees, adding this one would silence the other denial:

  owner @{PROC}/@{pid}/status r,

Once all 3 rules were added to a test system, no more denials were logged.

I added this to the base profile, since other processes tripped over that one. (It's in a separate bug report)

Thank you Simon and Kees,
I personally would not want it allowed in my base profile - but I'll leave that for the other bug to decide.
We certainly can consider adding it to mysql together with the others.

I feel relieved that the impact seems low, but OTOH that means it likely boils down to a community effort.
So if one wants to provide a debdiff to be reviewed and integrated, please go for it.

The addition of "@{PROC}/@{pid}/status r," is tracked in LP: #1658239.

Seeing these log entries in Bionic:

audit: type=1400 audit(1525128782.144:24): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/sbin/mysqld" pid=24878 comm="apparmor_parser"
audit: type=1400 audit(1525128782.420:25): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=24896 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1525128782.428:26): apparmor="DENIED" operation="capable" profile="/usr/sbin/mysqld" pid=24896 comm="mysqld" capability=2 capname="dac_read_search"
audit: type=1400 audit(1525128782.448:27): apparmor="DENIED" operation="capable" profile="/usr/sbin/mysqld" pid=24896 comm="mysqld" capability=2 capname="dac_read_search"
audit: type=1400 audit(1525128783.004:28): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=24930 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1525128787.392:29): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=25112 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1525128792.144:30): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/sbin/mysqld" pid=25238 comm="apparmor_parser"
audit: type=1400 audit(1525128797.052:31): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=25462 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1525128797.272:32): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=25475 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=106 ouid=0

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial

# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1532696557.378:89): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/2192/status" pid=2192 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=112 ouid=112
type=AVC msg=audit(1532696557.378:90): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/2192/status" pid=2192 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=112 ouid=112

@afunix, was this a fresh xenial 16.04.5 install, or an upgrade from a previous release?

Can you list the mysql and apparmor packages you have installed?

Confirmed I also see this on bionic.

And also still present in disco:
[ter nov 20 15:38:42 2018] audit: type=1400 audit(1542741624.527:358): apparmor="DENIED" operation="open" namespace="root//lxd-disco-mysql_<var-lib-lxd>" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=2842 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=165536 ouid=0
[ter nov 20 15:38:42 2018] audit: type=1400 audit(1542741624.535:359): apparmor="DENIED" operation="capable" namespace="root//lxd-disco-mysql_<var-lib-lxd>" profile="/usr/sbin/mysqld" pid=2842 comm="mysqld" capability=2 capname="dac_read_search"
[ter nov 20 15:38:42 2018] audit: type=1400 audit(1542741624.547:360): apparmor="DENIED" operation="open" namespace="root//lxd-disco-mysql_<var-lib-lxd>" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=2846 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=165646 ouid=0

also confirming on:
Kernel: 4.15.0-46-generic x86_64 bits: 64 Desktop: Xfce 4.12.3 Distro: Ubuntu 18.04.2 LTS

-- Unit mysql.service has begun starting up.
mar 15 23:48:50 Work audit[25035]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=25035 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
mar 15 23:48:50 Work kernel: audit: type=1400 audit(1552693730.709:94): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=25035 comm="mysqld" requested_mask="r"
mar 15 23:48:50 Work audit[25035]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/mysqld" pid=25035 comm="mysqld" capability=2 capname="dac_read_search"
mar 15 23:48:50 Work kernel: audit: type=1400 audit(1552693730.717:95): apparmor="DENIED" operation="capable" profile="/usr/sbin/mysqld" pid=25035 comm="mysqld" capability=2 capname="dac_read_search"
mar 15 23:48:50 Work audit[25037]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=25037 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
mar 15 23:48:50 Work kernel: audit: type=1400 audit(1552693730.729:96): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=25037 comm="mysqld" requested_mask="r"
mar 15 23:48:50 Work systemd[1]: Started MySQL Community Server.

in my case, to have a clean MySQL start, had to do this:

sudo nano /etc/apparmor.d/usr.sbin.mysqld
# add
  capability dac_read_search,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node*/meminfo r,
  /sys/devices/system/node/*/* r,
  /sys/devices/system/node/* r,

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
service mysql restart