Bug#865534: [debian-mysql] Bug#865534: confirmed / steps / clarification

[Otto Kekäläinen]

This is due to the system having a previos AppArmor profile, that is
still enforced.

I don't know if it can be fixed. Maybe the preinstall script should
deactivate the profile?

AppArmor causes a lot of weird errors when it stops the mysqld from
working as expected, and the code inside mysqld does not know how to
fall back from a suddend denial of access. Therefore the profile we
ship has been empty for a few years already to make sure AppArmor
would not confine anything
(https://salsa.debian.org/mariadb-team/mariadb-10.1/blob/master/debian/apparmor-profile).

We need an AppArmor expert in the packaging team to write a good
profile and actively maintain it. Any attempt to do a 99% good profile
that fails 1% of the time would sum up to cause too much trouble.

Bug#865534: confirmed / steps / clarification

[Faustin Lammler]

I can confirm the problem and I am able to reproduce it.

Steps:
1/ on jessie, install mariadb-server and apparmor
2/ enable apparmor (on fresh jessie, it is not enabled by default for
mysqld):
https://wiki.debian.org/AppArmor/HowToUse?action=show&redirect=AppArmor%2FHowTo#Enable_AppArmor
3/ replace commented profile '/etc/apparmor.d/usr.sbin.mysqld' with
https://salsa.debian.org/mariadb-team/mariadb-10.1/blob/stretch/support-files/policy/apparmor/usr.sbin.mysqld
4/ create empty file '/etc/apparmor.d/local/usr.sbin.mysqld'
5/ activate profile:
$ sudo aa-enforce mysqld
Setting /usr/sbin/mysqld to enforce mode.
6/ upgrade to stretch

> So this needs to be fixed:
> 1) Make sure the old AppArmor profile isn't loaded anymore.
Disabling arbitrarily mysqld apparmor profile when it as been enabled
may be considered as a security issue and it is clearly a lack of
transparency to the user. So I think this is something that we can not
do automatically during postinstall.

> 3) Reload the AppArmor profile afterwards.
By default, apparmor is now disabled for newer version of MariaDB
(https://salsa.debian.org/mariadb-team/mariadb-10.1/blob/stretch/debian/apparmor-profile)
But again for old installation, this decision belongs to the user.

Regarding the workaround, I am not an apparmor expert but I think this
is a cleaner way:
$ sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld

Verify:
$ sudo aa-status

Finalize mariadb-server upgrade:
$ sudo dpkg --configure mariadb-server

For people who want to keep apparmor mysqld profile running, I would
suggest editing the local profile
'/etc/apparmor.d/local/usr.sbin.mysqld' to their needs:
- https://blogs.oracle.com/jsmyth/apparmor-and-mysql
- https://bugs.launchpad.net/ourdelta/+bug/491349

> 2) A message should be printed that this mighht take a while and to be
> patient.
This is a good suggestion and I will check if it is not already on our
todo list for the next release.

> I suspect this is AppArmor-related.  However, the resolution
> instructions are also wrong, referencing /usr/scripts/scripts.
Message resolution suggestion and detection is really not an easy thing,
and in that case, I see another problem, path is wrong. I have opened an
issue on our bug tracking system (https://jira.mariadb.org/browse/MDEV-16321).