Bug #89769 Deb package is missing a line in apparmor profile
Submitted: 22 Feb 2018 14:16
Modified: 22 Mar 2018 15:49
Reporter: Santiago Acosta
Status: No Feedback
Category: MySQL Server: Packaging
Severity: S2 (Serious)
Version: 5.6.16-1~exp1
OS: Ubuntu (16.04.3 LTS)
Assigned to:
CPU Architecture: x86 (x86_64)
Tags: apparmor-profile, debian-package

[22 Feb 2018 14:16] Santiago Acosta
Description:
When the mysql-server-5.6 package is installed into a server, the alternatives system stores a symlink that finally resolves to my.cnf.fallback.

However, apparmor reports DENIED on attempts to read the conf file on server start due to the apparmor profile not having a line such as /etc/mysql/*.cnf.fallback

AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/my.cnf.fallback" pid=25961 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
audit: type=1400 audit(1519302804.305:82): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/my.cnf.fallback" pid=25961 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=0

AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/my.cnf.fallback" pid=25989 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1519302805.157:83): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/my.cnf.fallback" pid=25989 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/my.cnf.fallback" pid=25999 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1519302805.169:84): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/my.cnf.fallback" pid=25999 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

How to repeat:
Use a pristine clean installation of Ubuntu Server 16.04.3

Add the following line to /etc/apt/sources.list and update package repos

deb http://archive.ubuntu.com/ubuntu trusty universe main

Install the package mysql-server-5.6 (will cause the service to start)

Check the journal for lines corresponding to the mysql daemon:
journalctl -xe -o cat

Suggested fix:
Revisit the unpacking scripts and built-in apparmor profile to add the missing line.
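
The denials quoted in the report above can be triaged mechanically. The following is an added example, not part of the original report or of the Ubuntu or MySQL packaging: it parses AppArmor audit lines and derives one candidate file rule per denied path for review. The function names are hypothetical; the first two sample lines are copied from the report and the last two are constructed.

```python
import re
from collections import defaultdict

# First two lines are copied from the report; the last two are constructed
# to show that non-denials and unrelated messages are ignored.
SAMPLE_JOURNAL = '''\
audit: type=1400 audit(1519302804.305:82): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/my.cnf.fallback" pid=25961 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
audit: type=1400 audit(1519302805.157:83): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/my.cnf.fallback" pid=25989 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1519302806.000:85): apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld" name="/tmp/constructed" pid=26000 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Started MySQL Community Server.
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks "c" (create) and "d" (delete) are granted by "w" in a profile.
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}
PERM_ORDER = "rwklm"

def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    return {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}

def collect_denials(journal_text):
    """Map (profile, path) -> {"perms": set, "count": int} for DENIED file events."""
    denials = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in journal_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or "name" not in f or "profile" not in f:
            continue
        entry = denials[(f["profile"], f["name"])]
        entry["count"] += 1
        for ch in f.get("denied_mask", ""):
            if ch in MASK_TO_PERM:  # other masks (e.g. "x", "a") need manual review
                entry["perms"].add(MASK_TO_PERM[ch])
    return dict(denials)

def suggest_rules(denials):
    """Return {profile: [rule, ...]} with one candidate file rule per denied path."""
    rules = defaultdict(list)
    for (profile, path), info in sorted(denials.items()):
        perms = "".join(p for p in PERM_ORDER if p in info["perms"])
        if perms:
            rules[profile].append(f"{path} {perms},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in suggest_rules(collect_denials(SAMPLE_JOURNAL)).items():
        print(f"# candidate additions for profile {profile}")
        print("\n".join("  " + rule for rule in lines))
```

The generated rule names the exact denied path, which is narrower than the /etc/mysql/*.cnf.fallback glob proposed in the report; either should be reviewed before being added to the profile.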
[22 Feb 2018 15:49] MySQL Verification Team
Thank you for the bug report. You filed the field version as 5.6.16-1 when the current latest released version is 5.6.39; please check. Thanks.
[26 Feb 2018 10:42] Lars Tangvald
Hi,

This is about native Ubuntu packages (mysql-server-5.6), and the apparmor setup is in packaging that's maintained in Ubuntu, so bugs in it should be reported to Ubuntu's bug tracker at https://launchpad.net/ubuntu/trusty/+source/mysql-5.6

One thing to note though is that 5.6.16~exp1 is the package that was published when Ubuntu 14.04 was first released, and may have issues that are fixed in the newest version they provide (5.6.33-0ubuntu0).

Alternately, you may use the Ubuntu 14 packages we provide on repo.mysql.com. Use the instructions at https://dev.mysql.com/doc/mysql-apt-repo-quick-guide/en/#repo-qg-apt-repo-manual-setup for configuring the Trusty repo on Xenial.
[23 Mar 2018 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".