Hard dependency on apparmor prevents install on SELinux hardened systems

Bug #1641285 reported by Bjoern Kahl
This bug affects 3 people
Affects              Status         Importance   Assigned to   Milestone
mysql-5.7 (Ubuntu)   Fix Released   Undecided    Unassigned
  Xenial             Triaged        High         Unassigned

Bug Description

(bug filed as per request on ubuntu-devel-discuss; excerpt of original report follows. Reference:
https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2016-November/017156.html)

This is on "Ubuntu 16.04.1 LTS"

Observed Problem:
-----------------

Trying to install mysql-server and thereby mysql-server-5.7 on a
16.04 LTS system (server-edition) with selinux installed, aborts with
aptitude complaining that "apparmor" is needed, but not to be
installed.

Cycling through the dependency resolution suggestions from aptitude
only offers to either uninstall selinux or not install mysql-server.

(See typescript and versions below)

Expected behaviour:
-------------------

Server / daemon software such as mysql-server should not have a hard
dependency on any specific Linux Security Module, but depend either on
none or on all in a "one of the following needed" fashion.

Steps to reproduce:
-------------------

a) indirect: just review the dependencies of mysql-server-5.7 by any
   preferred way

b) direct:

b.1) install selinux and dependencies (note: selinux-policy-ubuntu is
broken and does not install, explicitly select selinux-policy-default
while requesting selinux). No need to actually activate it.

b.2) run "aptitude install mysql-server"

Appendix:
---------

a) Relevant software versions installed:
----------------------------------------

***@ubuntu:~$ dpkg-query -l $(aptitude search '~i selinux' | cut -c 4-30)
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==========================-==================-==================-=========================================================
ii libselinux1:amd64 2.4-3build2 amd64 SELinux runtime shared libraries
ii python-selinux 2.4-3build2 amd64 Python bindings to SELinux shared libraries
ii python3-selinux 2.4-3build2 amd64 Python3 bindings to SELinux shared libraries
ii selinux 1:0.11 all Security-Enhanced Linux runtime support
ii selinux-basics 0.5.2 all SELinux basic support
ii selinux-policy-default 2:2.20140421-9 all Strict and Targeted variants of the SELinux policy
ii selinux-policy-dev 2:2.20140421-9 all Headers from the SELinux reference policy for building mo
ii selinux-policy-src 2:2.20140421-9 all Source of the SELinux reference policy for customization
ii selinux-utils 2.4-3build2 amd64 SELinux utility programs
***@ubuntu:~$ apt-cache policy selinux mysql-server-5.7 apparmor
selinux:
  Installed: 1:0.11
  Candidate: 1:0.11
  Version table:
 *** 1:0.11 500
        500 http://de.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        500 http://de.archive.ubuntu.com/ubuntu xenial/universe i386 Packages
        100 /var/lib/dpkg/status
mysql-server-5.7:
  Installed: (none)
  Candidate: 5.7.16-0ubuntu0.16.04.1
  Version table:
     5.7.16-0ubuntu0.16.04.1 500
        500 http://de.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     5.7.11-0ubuntu6 500
        500 http://de.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
apparmor:
  Installed: (none)
  Candidate: 2.10.95-0ubuntu2.5
  Version table:
     2.10.95-0ubuntu2.5 500
        500 http://de.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
     2.10.95-0ubuntu2 500
        500 http://de.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

b) Typescript of failed attempt
-------------------------------

root@ubuntu ~ # se_aptitude --without-recommends install mysql-server
Authenticating ***.
Password:
The following NEW packages will be installed:
  apparmor{a} libapparmor-perl{a} libevent-core-2.0-5{a} mysql-client-5.7{a} mysql-client-core-5.7{a} mysql-common{a}
  mysql-server mysql-server-5.7{a} mysql-server-core-5.7{a}
The following packages are RECOMMENDED but will NOT be installed:
  libhtml-template-perl
0 packages upgraded, 9 newly installed, 0 to remove and 8 not upgraded.
Need to get 18.7 MB of archives. After unpacking 162 MB will be used.
The following packages have unmet dependencies:
 selinux : Conflicts: apparmor but 2.10.95-0ubuntu2.5 is to be installed.
The following actions will resolve these dependencies:

     Remove the following packages:
1) selinux

Accept this solution? [Y/n/q/?] n
The following actions will resolve these dependencies:

     Keep the following packages at their current version:
1) apparmor [Not Installed]
2) mysql-server [Not Installed]
3) mysql-server-5.7 [Not Installed]

Accept this solution? [Y/n/q/?] n

*** No more solutions available ***

The following actions will resolve these dependencies:

     Keep the following packages at their current version:
1) apparmor [Not Installed]
2) mysql-server [Not Installed]
3) mysql-server-5.7 [Not Installed]

Accept this solution? [Y/n/q/?] q
Abandoning all efforts to resolve these dependencies.
Abort.
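The dependency shape the report asks for, as an added example that is not from the bug report or from the mysql-5.7 package: a small parser for Debian Depends/Conflicts fields that flags when a package hard-requires one LSM while another installed package conflicts with it. The control fields are constructed from what the typescript shows (only the apparmor dependency and the selinux Conflicts line are taken from the page; the other entries and version constraints are placeholders), and the "apparmor | selinux" alternative form is hypothetical, illustrating the reporter's suggestion rather than the actual fix.

```python
import re

# Constructed control fields (placeholders except for apparmor and the Conflicts line).
CONTROL = {
    "mysql-server-5.7": {
        "Depends": "apparmor, mysql-common (>= 5.7), "
                   "mysql-server-core-5.7 (= ${binary:Version})"},
    "selinux": {"Conflicts": "apparmor"},
}

# Hypothetical "one of the following needed" variant of the same package.
CONTROL_ALTERNATIVE = {
    "mysql-server-5.7": {
        "Depends": "apparmor | selinux, mysql-common (>= 5.7), "
                   "mysql-server-core-5.7 (= ${binary:Version})"},
    "selinux": {"Conflicts": "apparmor"},
}


def parse_relation(field):
    """Split a Depends/Conflicts field into alternative groups of package names.
    Version constraints '( ... )', arch restrictions '[ ... ]' and ':arch'
    qualifiers are stripped, so only the bare package names remain."""
    groups = []
    for group in field.split(","):
        if not group.strip():
            continue
        names = []
        for alt in group.split("|"):
            name = re.sub(r"\s*\(.*?\)|\s*\[.*?\]", "", alt).strip().split(":")[0]
            names.append(name)
        groups.append(names)
    return groups


def hard_deps(field):
    """Packages the resolver must install no matter what: single-alternative groups."""
    return [g[0] for g in parse_relation(field) if len(g) == 1]


def lsm_conflict(pkg, other, control, lsms=("apparmor", "selinux")):
    """Return the LSM that `pkg` hard-requires and `other` conflicts with, else None."""
    required = set(hard_deps(control[pkg].get("Depends", "")))
    conflicts = {g[0] for g in parse_relation(control[other].get("Conflicts", ""))}
    for lsm in lsms:
        if lsm in required and lsm in conflicts:
            return lsm
    return None


if __name__ == "__main__":
    print("as shipped:", lsm_conflict("mysql-server-5.7", "selinux", CONTROL))
    print("alternative:", lsm_conflict("mysql-server-5.7", "selinux", CONTROL_ALTERNATIVE))
```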

Robie Basak (racb) wrote :

Thank you for the report. I'll supply a patch tomorrow.

Changed in mysql-5.7 (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → High
Robie Basak (racb) wrote :

This was fixed in 5.7.15-0ubuntu1 and Yakkety was released with 5.7.15-0ubuntu2, so this confirms that Yakkety was never released with this bug and that it affects Xenial only.

Changed in mysql-5.7 (Ubuntu):
status: New → Fix Released
Robie Basak (racb) wrote :

Sorry this isn't fixed in Xenial yet. When attempting to fix it, I tried upgrading from Trusty to Xenial without apparmor (to test the upgrade ordering) and ran into other, more complex issues. I need to investigate this further and fix those first, but it is going to take far longer than I originally expected.
