apparmor configuration for mysqld is not complete

Bug #1641305 reported by Dmitry
This bug affects 2 people
Affects             Status          Importance  Assigned to  Milestone
mysql-5.5 (Ubuntu)  Does Not Exist  Undecided   Unassigned
Trusty              Won't Fix       Undecided   Unassigned

Bug Description

If you have /root/.my.cnf on a mysql server, mysqld seems to be trying to read it on startup.
But the shipped configuration for apparmor does not permit it:

apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/root/.my.cnf" pid=22157 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I suppose either apparmor should permit it or mysqld should not try to read it on startup.

Ubuntu 12.04.5 LTS
mysql-server 5.5.53-0ubuntu0.12.04.1

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

> I suppose either apparmor should permit it or mysqld should not try to read it on startup.

Agreed. I don't think mysqld should be trying to read that on regular daemon startup. Can you reproduce this in mysql-5.7 please, on at least 16.04? 12.04 is quite old now, and I don't think there is any point in fixing something that is only a warning in a stable release. So this bug is only interesting for what is current today.

Dmitry (morhold) wrote : Re: [Bug 1641305] Re: apparmor configuration for mysqld is not complete

28.11.2016 15:13, Robie Basak wrote:
> Thank you for taking the time to report this bug and helping to make
> Ubuntu better.
>
>> I suppose either apparmor should permit it or mysqld should not try to
>> read it on startup.
>
> Agreed. I don't think mysqld should be trying to read that on regular
> daemon startup. Can you reproduce this in mysql-5.7 please, on at
> least 16.04? 12.04 is quite old now, and I don't think there is any
> point in fixing something that is only a warning in a stable release. So
> this bug is only interesting for what is current today.
>
Hello!

Now I have a new system and can check. It is still there:

Jan 25 20:05:02 host kernel: [930789.456245] audit: type=1400
audit(1485363902.254:18): apparmor="DENIED" operation="open"
profile="/usr/sbin/mysqld" name="/root/.my.cnf" pid=26838 comm="mysqld"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

System details:

# uname -sr
Linux 4.4.0-57-generic

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial

# mysqld --version
mysqld Ver 5.7.17-0ubuntu0.16.04.1 for Linux on x86_64 ((Ubuntu))

PS: please note it has UID mysqld and will not have a chance to read
root's file anyway.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mysql-5.5 (Ubuntu):
status: New → Confirmed
Christian Ehrhardt (paelzer) wrote :

Hi,
while trying to clean up old bugs, first of all, I think this bug is still valid.
But OTOH I've found that this access might pretty much be intentional:

- https://git.launchpad.net/ubuntu/+source/mysql-8.0/tree/debian/mysql-server-8.0.README.Debian?h=applied/ubuntu/jammy-devel#n76
- https://git.launchpad.net/ubuntu/+source/mysql-8.0/tree/support-files/mysql-log-rotate.in?h=applied/ubuntu/jammy-devel#n31
- https://git.launchpad.net/ubuntu/+source/mysql-8.0/tree/debian/README.Maintainer?h=applied/ubuntu/jammy-devel#n78

And therefore the fix might be to allow that access (if running as root).

@lars - nowadays I'd ask you to have a look and opinion, so I subscribed you to this one.

Changed in mysql-5.5 (Ubuntu):
status: Confirmed → Does Not Exist
Changed in mysql-5.5 (Ubuntu Trusty):
status: New → Won't Fix
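
The two outcomes discussed in this thread (permit the read, or keep it blocked) can be compared by turning the logged denials into candidate profile rules. The following is an added example, not part of the original report or of the Ubuntu packaging: it parses the DENIED records quoted above and prints one allow rule and one explicit deny rule per path. The function names, the third sample line and the /usr/sbin/example profile are constructed for illustration.

```python
import re
from collections import defaultdict

# The first two records are the ones quoted in this report (the second is
# re-joined from its wrapped form); the third is constructed (not a denial).
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/root/.my.cnf" pid=22157 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 25 20:05:02 host kernel: [930789.456245] audit: type=1400 audit(1485363902.254:18): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/root/.my.cnf" pid=26838 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 25 20:05:03 host kernel: [930790.000000] audit: type=1400 audit(1485363903.000:19): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/tmp/x" pid=1 comm="example" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_denial(line):
    """Return the key=value fields of one DENIED record, else None."""
    rec = {}
    for key, quoted, bare in FIELD.findall(line):
        # The audit layer hex-encodes names holding spaces or quotes and
        # logs them unquoted; decode so the rule carries the real path.
        if key == "name" and bare and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = bare or quoted
    return rec if rec.get("apparmor") == "DENIED" else None

def summarize(log_text):
    """Group denials by (profile, path) with masks, pids and fsuids seen."""
    groups = defaultdict(lambda: {"mask": set(), "pids": [], "fsuid": set()})
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec and "name" in rec and "profile" in rec:
            g = groups[(rec["profile"], rec["name"])]
            # Log-only masks c (create) and d (delete) are written as w in rules.
            mask = rec.get("denied_mask", "").replace("c", "w").replace("d", "w")
            g["mask"].update(mask)
            g["pids"].append(int(rec.get("pid", -1)))
            g["fsuid"].add(int(rec.get("fsuid", -1)))
    return dict(groups)

def candidate_rules(groups, allow=True):
    """Per profile, one rule per path: allow it, or deny it explicitly
    (an explicit deny also stops the denial from being logged)."""
    rules = defaultdict(list)
    for (profile, path), g in sorted(groups.items()):
        target = f'"{path}"' if " " in path else path
        mask = "".join(sorted(g["mask"]))
        rules[profile].append(f"{'' if allow else 'deny '}{target} {mask},")
    return dict(rules)

if __name__ == "__main__":
    for allow in (True, False):
        print(candidate_rules(summarize(SAMPLE_LOG), allow))
```

The output is a list of candidate rule lines to review, not a finished profile; the fsuid set in each group records which uid the process held when the open was attempted.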