Your message dated Thu, 19 Mar 2026 15:20:08 +0000
with message-id <[email protected]>
and subject line Bug#1130272: fixed in mariadb 1:11.8.6-4
has caused the Debian Bug report #1130272,
regarding mariadb-server: mariadbd AppArmor profile denies MTR accesses in
enforce mode
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1130272: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130272
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mariadb-server
X-Debbugs-Cc: [email protected]
Version: 1:11.8.6-2
Severity: normal
Hello,
The shipped AppArmor profile for mariadbd denies accesses during mariadb
test runs in enforce mode.
I am not claiming that all observed MTR test failures are caused by
AppArmor. Some testcase failures appear to be unrelated. For instance,
rpl.rpl_blackhole_row_annotate currently shows a result mismatch due to
the extra "from Debian-log" string in the binlog output, which does not
look like an AppArmor permission failure.
However, the AppArmor denials are real and reproducible.
Observed denials include:
apparmor="DENIED" operation="mknod" class="file" profile="mariadbd" \
name="/usr/share/mariadb/mariadb-test/mariadb-app.lower-test" \
requested_mask="c" denied_mask="c"
apparmor="DENIED" operation="open" class="file" profile="mariadbd" \
name="/sys/block/" requested_mask="r" denied_mask="r"
For comparison, when the profile is set to complain mode, the same
accesses are logged as ALLOWED instead of DENIED.
Steps to reproduce:
1. Set up a Debian unstable VM or container and install mariadb-server
2. Set the profile to enforce mode:
aa-enforce /usr/sbin/mariadbd
3. Run an MTR testcase, for instance:
./mariadb-test-run --vardir=/var/tmp/mtrvar --force
rpl.rpl_blackhole_row_annotate
4. Inspect /var/log/audit/audit.log
Example audit log excerpts:
type=AVC msg=audit(...): apparmor="DENIED" operation="mknod"
class="file" profile="mariadbd"
name="/usr/share/mariadb/mariadb-test/mariadb-app.lower-test" pid=1049
comm="mariadbd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(...): apparmor="DENIED" operation="open"
class="file" profile="mariadbd" name="/sys/block/" pid=1055
comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
This suggests that the shipped mariadbd AppArmor profile does not
currently allow at least some accesses exercised by MTR in this environment.
I am still investigating the exact impact of these denials on the
observed MTR failures.
Environment used:
* Debian unstable
* MariaDB 11.8.6-MariaDB-2
* AppArmor enabled
Cheers,
Aquila Macedo
--- End Message ---
--- Begin Message ---
Source: mariadb
Source-Version: 1:11.8.6-4
Done: Otto Kekäläinen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mariadb, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Otto Kekäläinen <[email protected]> (supplier of updated mariadb package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 19 Mar 2026 13:13:13 +0000
Source: mariadb
Architecture: source
Version: 1:11.8.6-4
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <[email protected]>
Changed-By: Otto Kekäläinen <[email protected]>
Closes: 1130272
Changes:
mariadb (1:11.8.6-4) unstable; urgency=medium
.
* New AppArmor for mariadbd now in 'enforce' mode. See NEWS for details.
* Additional refinement to make the AppArmor and related autopkgtest as
robust as possible:
- Add patch to have mariadb-test-run not write in
/usr/share/mariadb/mariadb-test/ to not violate the AppArmor profile
- Normalize variables 'aria-checkpoint-interval' and 'aria-recover-options'
to documented defaults as they seem to be effect in Ubuntu binaries now,
while Debian binaries seem to default to zero and empty for an unknown
reason.
- Ensure AppArmor diagnostics run even when autopkgtests fail to catch
potential situations where autopkgtests job 'upstream' violated the
AppArmor profile.
- Simplify AppArmor profile, allow 'mariadb' aliases and unify indentation.
- Extend AppArmor profile to cover all easily testable features
(Closes: #1130272).
Checksums-Sha1:
8b0d8a78bdb655a7f202342bee33d89f68a6833f 5608 mariadb_11.8.6-4.dsc
fcc76a70f102eb07193a082cd069bd438c2cf8ed 299948 mariadb_11.8.6-4.debian.tar.xz
95714f1365edabe2355b3dd26ffdf8a07552de0f 13885
mariadb_11.8.6-4_source.buildinfo
Checksums-Sha256:
d3c81cbbf04984eeb53421c98f44b13c12c93439ac13f45b97dedac03a641c8a 5608
mariadb_11.8.6-4.dsc
83213904395c04445f177cff16ecf02f0eda79911e5ef799476f6aa5a95fe336 299948
mariadb_11.8.6-4.debian.tar.xz
e6e8e7d492b93f15366dc8a961d6f91b181843ccc05ad1082126945c6831a16d 13885
mariadb_11.8.6-4_source.buildinfo
Files:
4c88730cbe9a9952dd00d35dbf4cc423 5608 database optional mariadb_11.8.6-4.dsc
f8b38ed4ab49eb58790dd8f7e8740c86 299948 database optional
mariadb_11.8.6-4.debian.tar.xz
a19a1d90ade61d72da1bd7d85d185455 13885 database optional
mariadb_11.8.6-4_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEmbRSsR88dMO0U+RvvthEn87o2ogFAmm8CQIACgkQvthEn87o
2oh42RAAsfkV3bR4XLhFY1KHW+CUTPq31+cvkAIlIjPaE894umWZOfsjSX8YKCAR
WWq+zFE3CbI0S2abZbtd+9FAT8NwOoW+0WTQWF8fSG/AnqtBl7KoZ2V2p6OjGQyc
FaVZ/8hhy7qSmBDSMknkDR0Da2JCylO9u/ZbCHR3eWwicHzTlYSqTVOh/sPkK9Uz
v4v6XDn0ppWPhlrP6o6+kRd6sHz3EdRcCnvlVc/kAJZwQM7btF0CTMgA39ggOF68
IxiiQbJA/AfU2a7H0rc5CTqvK8797j60hRA+3He3FrhPogZsjJjk5vsfHMSNr0tR
FjjkHJ1vqav6F4sVJ4E95UMI2edwc6sI8kT297Y/x1K3nkQuYkKILEdg7FDJkN1X
J35FL4LJzC1Plj5Btn2PVZOZ7NDuzjwSqQm5qXYFKK9R3q0AT5ZvZwusU5ibDn01
BY7EeZ3EyOpGqhEG2zSdgkQlKR56dKcig74c+oBD2efdrTVwuDyGC1rhNAibhnve
nAekjnyMCCBHIPMPaXB9Pxo75qpmtIObpxO6cFwIIdznU7f7OnEL+dDEsZieNK0N
YEeCWXU5E5+7d/sKkbI9nQOKsyhMc7oqOLCPbFHXAyyZMvhhbjmMZS+EIztfLN9Q
9lj1DNv8qaPS11l5ZUpqSnqwkQAaQ/hV7vQUZaF6RxvFiltO46w=
=bRQI
-----END PGP SIGNATURE-----
pgpUtJropq7HC.pgp
Description: PGP signature
--- End Message ---
