Upgrading from Jessie to Stretch with apparmor enabled seems to fail:

        Setting up mariadb-server-10.1 (10.1.26-0+deb9u1) ...
        Installing new version of config
        file /etc/apparmor.d/usr.sbin.mysqld ...
        Installing new version of config file /etc/init.d/mysql ...
        Installing new version of config
        file /etc/logrotate.d/mysql-server ...
        Installing new version of config
        file /etc/mysql/debian-start ...
        dpkg: error processing package mariadb-server-10.1
        (--configure):
         subprocess installed post-installation script returned error
        exit status 1
        dpkg: dependency problems prevent configuration of
        default-mysql-server:
         default-mysql-server depends on mariadb-server-10.1; however:
          Package mariadb-server-10.1 is not configured yet.
        
        dpkg: error processing package default-mysql-server
        (--configure):
         dependency problems - leaving unconfigured
        dpkg: dependency problems prevent configuration of mysql-server:
         mysql-server depends on default-mysql-server; however:
          Package default-mysql-server is not configured yet.
        
        dpkg: error processing package mysql-server (--configure):
         dependency problems - leaving unconfigured

It took me a while to notice from audit log that is is due to apparmor:

        type=AVC msg=audit(1509991806.111:85264): apparmor="DENIED"
        operation="open" profile="/usr/sbin/mysqld"
        name="/etc/mysql/mariadb.conf.d/" pid=6557 comm="mysqld"
        requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        type=SYSCALL msg=audit(1509991806.111:85264): arch=40000003
        syscall=5 success=no exit=-13 a0=bfd7f415 a1=98800 a2=bfd7fd71
        a3=bfd7fd55 items=0 ppid=6554 pid=6557 auid=1000 uid=0 gid=0
        euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=10453
        comm="mysqld" exe="/usr/sbin/mysqld" key=(null)

Trying to reload apparmor policies did not help, it appears that
apparmor_parser ignores policies that are empty?

Reply via email to