[Bug 1658233] Re: missing apparmor rules

2019-11-18 Thread Launchpad Bug Tracker 
This bug was fixed in the package mysql-5.7 - 5.7.28-0ubuntu0.18.04.4

---
mysql-5.7 (5.7.28-0ubuntu0.18.04.4) bionic-security; urgency=medium

  * SECURITY UPDATE: Update to 5.7.28 to fix security issues
- CVE-2019-2910, CVE-2019-2911, CVE-2019-2914, CVE-2019-2922,
  CVE-2019-2923, CVE-2019-2924, CVE-2019-2938, CVE-2019-2946,
  CVE-2019-2948, CVE-2019-2960, CVE-2019-2969, CVE-2019-2974,
  CVE-2019-2993
  * Removed patches no longer required:
- debian/patches/mips64el.patch
  * debian/rules: removed -DWITH_SSL=bundled, option no longer works.
  * debian/control: add libssl-dev to Build-Depends.
  * d/additions/apparmor-profile: add missing AppArmor rules
(LP: #1658233).

 -- Marc Deslauriers   Fri, 15 Nov 2019
08:23:09 -0500

** Changed in: mysql-5.7 (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2019-11-18 Thread Launchpad Bug Tracker 
This bug was fixed in the package mysql-5.7 - 5.7.28-0ubuntu0.19.04.2

---
mysql-5.7 (5.7.28-0ubuntu0.19.04.2) disco-security; urgency=medium

  * SECURITY UPDATE: Update to 5.7.28 to fix security issues
- CVE-2019-2910, CVE-2019-2911, CVE-2019-2914, CVE-2019-2922,
  CVE-2019-2923, CVE-2019-2924, CVE-2019-2938, CVE-2019-2946,
  CVE-2019-2948, CVE-2019-2960, CVE-2019-2969, CVE-2019-2974,
  CVE-2019-2993
  * Removed patches no longer required:
- debian/patches/mips64el.patch
  * debian/rules: removed -DWITH_SSL=bundled, option no longer works.
  * debian/control: add libssl-dev to Build-Depends.
  * d/additions/apparmor-profile: add missing AppArmor rules
(LP: #1658233).

 -- Marc Deslauriers   Fri, 15 Nov 2019
08:23:09 -0500

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2019-11-18 Thread Launchpad Bug Tracker 
This bug was fixed in the package mysql-5.7 - 5.7.28-0ubuntu0.16.04.2

---
mysql-5.7 (5.7.28-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Update to 5.7.28 to fix security issues
- CVE-2019-2910, CVE-2019-2911, CVE-2019-2914, CVE-2019-2922,
  CVE-2019-2923, CVE-2019-2924, CVE-2019-2938, CVE-2019-2946,
  CVE-2019-2948, CVE-2019-2960, CVE-2019-2969, CVE-2019-2974,
  CVE-2019-2993
  * Removed patches no longer required:
- debian/patches/mips64el.patch
  * debian/rules: removed -DWITH_SSL=bundled, option no longer works.
  * debian/control: add libssl-dev to Build-Depends.
  * d/additions/apparmor-profile: add missing AppArmor rules
(LP: #1658233).

 -- Marc Deslauriers   Fri, 15 Nov 2019
08:23:09 -0500

** Changed in: mysql-5.7 (Ubuntu)
   Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-2910

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-2911

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-2914

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-2922

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-2923

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-2924

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-2938

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-2946

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-2948

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-2960

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-2969

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-2974

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-2993

** Changed in: mysql-5.7 (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2019-10-10 Thread Launchpad Bug Tracker 
This bug was fixed in the package mysql-8.0 - 8.0.17-0ubuntu2

---
mysql-8.0 (8.0.17-0ubuntu2) eoan; urgency=medium

  [ Robie Basak ]
  * Ship missing files newly built since MySQL 8.0:
libmysqlrouter_http.so.1, various MySQL Router plugins,
mysqlrouter_passwd.
  * Ship missing mysql_clone.so MySQL plugin, newly built since
8.0.17.
  * Protect against future new build files from being missed:
- Add debian/not-installed
- Switch from --list-missing to --fail-missing

  [ Lars Tangvald ]
  * Fix failing autopkgtest mysql_os_user.
  * d/mysql-server-8.0.postinst: switch from mysql_native_password to
the upstream recommended mechanism caching_sha2_password for the
default root user when a default root password is set via debconf
(this is not the default case).
  * d/mysql-server-8.0.postinst: drop mysql_upgrade since this is now
done automatically by the MySQL daemon on startup.
  * d/additions/apparmor-profile: add missing AppArmor rules
(LP: #1658233).
  * d/copyright: add missing entries for clone and ddl_rewriter plugins.

 -- Robie Basak   Wed, 09 Oct 2019 14:03:12
+0100

** Changed in: mysql-8.0 (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2019-10-03 Thread Lars Tangvald 
I think I have most of these fixed now, but am a bit confused about the
org.freedesktop.systemd1 one, as it seems to come from usr/bin/dbus-
daemon and not usr/sbin/mysqld?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2019-09-19 Thread Christian Ehrhardt  
** Changed in: mysql-8.0 (Ubuntu)
 Assignee: (unassigned) => Robie Basak (racb)

** Changed in: mysql-5.7 (Ubuntu)
 Assignee: (unassigned) => Christian Ehrhardt  (paelzer)

** Changed in: mysql-5.7 (Ubuntu)
 Assignee: Christian Ehrhardt  (paelzer) => Robie Basak (racb)

** Tags added: bitesize

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2019-08-20 Thread Andreas Hasenack 
Tagging server-next mainly because of mysql-8, so we fix this finally,
and then SRUs can be considered.

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to mysql-5.7 in Ubuntu.
Matching subscriptions: main
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1658233] Re: missing apparmor rules

2019-08-20 Thread Andreas Hasenack 
eoan will have mysql-8 soon, so I installed it from proposed to verify.
These are the DENIED messages I got right after installation:
[  580.067210] audit: type=1400 audit(1566304971.013:90): apparmor="DENIED" 
operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" 
pid=8427 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  580.068837] audit: type=1400 audit(1566304971.017:91): apparmor="DENIED" 
operation="capable" profile="/usr/sbin/mysqld" pid=8427 comm="mysqld" 
capability=2  capname="dac_read_search"
[  580.088987] audit: type=1107 audit(1566304971.037:92): pid=688 uid=103 
auid=4294967295 ses=4294967295 msg='apparmor="DENIED" 
operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" 
interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" 
mask="send" name="org.freedesktop.systemd1" pid=8427 label="/usr/sbin/mysqld" 
peer_pid=1 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? 
terminal=?'
[  580.091224] audit: type=1400 audit(1566304971.037:93): apparmor="DENIED" 
operation="open" profile="/usr/sbin/mysqld" name="/etc/ssl/openssl.cnf" 
pid=8427 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
[  580.104218] audit: type=1400 audit(1566304971.053:94): apparmor="DENIED" 
operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" 
pid=8428 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
[  580.347414] audit: type=1400 audit(1566304971.293:95): apparmor="DENIED" 
operation="open" profile="/usr/sbin/mysqld" name="/etc/ssl/openssl.cnf" 
pid=8428 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
[  580.861280] audit: type=1400 audit(1566304971.809:96): apparmor="DENIED" 
operation="mknod" profile="/usr/sbin/mysqld" 
name="/run/mysqld/mysqlx.sock.lock" pid=8428 comm="mysqld" requested_mask="c" 
denied_mask="c" fsuid=110 ouid=110


** Also affects: mysql-8.0 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: mysql-8.0 (Ubuntu)
   Status: New => Triaged

** Changed in: mysql-8.0 (Ubuntu)
   Importance: Undecided => Medium

** Tags added: server-next

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2019-08-20 Thread Andreas Hasenack 
Tagging server-next mainly because of mysql-8, so we fix this finally,
and then SRUs can be considered.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2019-08-20 Thread Andreas Hasenack 
eoan will have mysql-8 soon, so I installed it from proposed to verify.
These are the DENIED messages I got right after installation:
[  580.067210] audit: type=1400 audit(1566304971.013:90): apparmor="DENIED" 
operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" 
pid=8427 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  580.068837] audit: type=1400 audit(1566304971.017:91): apparmor="DENIED" 
operation="capable" profile="/usr/sbin/mysqld" pid=8427 comm="mysqld" 
capability=2  capname="dac_read_search"
[  580.088987] audit: type=1107 audit(1566304971.037:92): pid=688 uid=103 
auid=4294967295 ses=4294967295 msg='apparmor="DENIED" 
operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" 
interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" 
mask="send" name="org.freedesktop.systemd1" pid=8427 label="/usr/sbin/mysqld" 
peer_pid=1 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? 
terminal=?'
[  580.091224] audit: type=1400 audit(1566304971.037:93): apparmor="DENIED" 
operation="open" profile="/usr/sbin/mysqld" name="/etc/ssl/openssl.cnf" 
pid=8427 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
[  580.104218] audit: type=1400 audit(1566304971.053:94): apparmor="DENIED" 
operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" 
pid=8428 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
[  580.347414] audit: type=1400 audit(1566304971.293:95): apparmor="DENIED" 
operation="open" profile="/usr/sbin/mysqld" name="/etc/ssl/openssl.cnf" 
pid=8428 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
[  580.861280] audit: type=1400 audit(1566304971.809:96): apparmor="DENIED" 
operation="mknod" profile="/usr/sbin/mysqld" 
name="/run/mysqld/mysqlx.sock.lock" pid=8428 comm="mysqld" requested_mask="c" 
denied_mask="c" fsuid=110 ouid=110


** Also affects: mysql-8.0 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: mysql-8.0 (Ubuntu)
   Status: New => Triaged

** Changed in: mysql-8.0 (Ubuntu)
   Importance: Undecided => Medium

** Tags added: server-next

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to mysql-5.7 in Ubuntu.
Matching subscriptions: main
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1658233] Re: missing apparmor rules

2019-08-19 Thread jean-christophe manciot 
On eoan, we need to add even more lines (I prefer to use 
/etc/apparmor.d/local/usr.sbin.mysqld):
  dbus send
bus=system
path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=GetDynamicUsers
peer=(name=org.freedesktop.systemd1),
  capability dac_read_search,
  /proc/*/status r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/** r,

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2019-03-15 Thread Antonio 
in my case, to have a clean MySQL start, had to do this:

sudo nano /etc/apparmor.d/usr.sbin.mysqld 
# add
  capability dac_read_search,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node*/meminfo r,
  /sys/devices/system/node/*/* r,
  /sys/devices/system/node/* r,

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
service mysql restart

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2019-03-15 Thread Antonio 
also confirming on:
Kernel: 4.15.0-46-generic x86_64 bits: 64 Desktop: Xfce 4.12.3 Distro: Ubuntu 
18.04.2 LTS

-- Unit mysql.service has begun starting up.
mar 15 23:48:50 Work audit[25035]: AVC apparmor="DENIED" operation="open" 
profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=25035 
comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
mar 15 23:48:50 Work kernel: audit: type=1400 audit(1552693730.709:94): 
apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" 
name="/sys/devices/system/node/" pid=25035 comm="mysqld" requested_mask="r"
mar 15 23:48:50 Work audit[25035]: AVC apparmor="DENIED" operation="capable" 
profile="/usr/sbin/mysqld" pid=25035 comm="mysqld" capability=2  
capname="dac_read_search"
mar 15 23:48:50 Work kernel: audit: type=1400 audit(1552693730.717:95): 
apparmor="DENIED" operation="capable" profile="/usr/sbin/mysqld" pid=25035 
comm="mysqld" capability=2  capname="dac_read_search"
mar 15 23:48:50 Work audit[25037]: AVC apparmor="DENIED" operation="open" 
profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=25037 
comm="mysqld" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
mar 15 23:48:50 Work kernel: audit: type=1400 audit(1552693730.729:96): 
apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" 
name="/sys/devices/system/node/" pid=25037 comm="mysqld" requested_mask="r"
mar 15 23:48:50 Work systemd[1]: Started MySQL Community Server.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2018-11-20 Thread Andreas Hasenack 
And also still present in disco:
[ter nov 20 15:38:42 2018] audit: type=1400 audit(1542741624.527:358): 
apparmor="DENIED" operation="open" 
namespace="root//lxd-disco-mysql_" profile="/usr/sbin/mysqld" 
name="/sys/devices/system/node/" pid=2842 comm="mysqld" requested_mask="r" 
denied_mask="r" fsuid=165536 ouid=0
[ter nov 20 15:38:42 2018] audit: type=1400 audit(1542741624.535:359): 
apparmor="DENIED" operation="capable" 
namespace="root//lxd-disco-mysql_" profile="/usr/sbin/mysqld" 
pid=2842 comm="mysqld" capability=2  capname="dac_read_search"
[ter nov 20 15:38:42 2018] audit: type=1400 audit(1542741624.547:360): 
apparmor="DENIED" operation="open" 
namespace="root//lxd-disco-mysql_" profile="/usr/sbin/mysqld" 
name="/sys/devices/system/node/" pid=2846 comm="mysqld" requested_mask="r" 
denied_mask="r" fsuid=165646 ouid=0

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2018-11-20 Thread Andreas Hasenack 
And also still present in disco:
[ter nov 20 15:38:42 2018] audit: type=1400 audit(1542741624.527:358): 
apparmor="DENIED" operation="open" 
namespace="root//lxd-disco-mysql_" profile="/usr/sbin/mysqld" 
name="/sys/devices/system/node/" pid=2842 comm="mysqld" requested_mask="r" 
denied_mask="r" fsuid=165536 ouid=0
[ter nov 20 15:38:42 2018] audit: type=1400 audit(1542741624.535:359): 
apparmor="DENIED" operation="capable" 
namespace="root//lxd-disco-mysql_" profile="/usr/sbin/mysqld" 
pid=2842 comm="mysqld" capability=2  capname="dac_read_search"
[ter nov 20 15:38:42 2018] audit: type=1400 audit(1542741624.547:360): 
apparmor="DENIED" operation="open" 
namespace="root//lxd-disco-mysql_" profile="/usr/sbin/mysqld" 
name="/sys/devices/system/node/" pid=2846 comm="mysqld" requested_mask="r" 
denied_mask="r" fsuid=165646 ouid=0

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to mysql-5.7 in Ubuntu.
Matching subscriptions: main
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1658233] Re: missing apparmor rules

2018-11-20 Thread Andreas Hasenack 
Confirmed I also see this on bionic.

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to mysql-5.7 in Ubuntu.
Matching subscriptions: main
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1658233] Re: missing apparmor rules

2018-11-20 Thread Andreas Hasenack 
Confirmed I also see this on bionic.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2018-08-01 Thread Andreas Hasenack 
@afunix, was this a fresh xenial 16.04.5 install, or an upgrade from a
previous release?

Can you list the mysql and apparmor packages you have installed?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2018-08-01 Thread Andreas Hasenack 
@afunix, was this a fresh xenial 16.04.5 install, or an upgrade from a
previous release?

Can you list the mysql and apparmor packages you have installed?

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to mysql-5.7 in Ubuntu.
Matching subscriptions: main
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1658233] Re: missing apparmor rules

2018-07-30 Thread Pavel Malyshev 
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu 16.04.5 LTS
Release:16.04
Codename:   xenial

# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1532696557.378:89): apparmor="DENIED" operation="open" 
profile="/usr/sbin/mysqld" name="/proc/2192/status" pid=2192 comm="mysqld" 
requested_mask="r" denied_mask="r" fsuid=112 ouid=112
type=AVC msg=audit(1532696557.378:90): apparmor="DENIED" operation="open" 
profile="/usr/sbin/mysqld" name="/proc/2192/status" pid=2192 comm="mysqld" 
requested_mask="r" denied_mask="r" fsuid=112 ouid=112

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2018-05-01 Thread Jared Fernandez 
Seeing these log entries in Bionic:

audit: type=1400 audit(1525128782.144:24): apparmor="STATUS" 
operation="profile_replace" info="same as current profile, skipping" 
profile="unconfined" name="/usr/sbin/mysqld" pid=24878 comm="apparmor_parser" 
audit: type=1400 audit(1525128782.420:25): apparmor="DENIED" operation="open" 
profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=24896 
comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
audit: type=1400 audit(1525128782.428:26): apparmor="DENIED" 
operation="capable" profile="/usr/sbin/mysqld" pid=24896 comm="mysqld" 
capability=2  capname="dac_read_search" 
audit: type=1400 audit(1525128782.448:27): apparmor="DENIED" 
operation="capable" profile="/usr/sbin/mysqld" pid=24896 comm="mysqld" 
capability=2  capname="dac_read_search" 
audit: type=1400 audit(1525128783.004:28): apparmor="DENIED" operation="open" 
profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=24930 
comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
audit: type=1400 audit(1525128787.392:29): apparmor="DENIED" operation="open" 
profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=25112 
comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
audit: type=1400 audit(1525128792.144:30): apparmor="STATUS" 
operation="profile_replace" info="same as current profile, skipping" 
profile="unconfined" name="/usr/sbin/mysqld" pid=25238 comm="apparmor_parser" 
audit: type=1400 audit(1525128797.052:31): apparmor="DENIED" operation="open" 
profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=25462 
comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 
audit: type=1400 audit(1525128797.272:32): apparmor="DENIED" operation="open" 
profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=25475 
comm="mysqld" requested_mask="r" denied_mask="r" fsuid=106 ouid=0

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2018-05-01 Thread Jared Fernandez 
** Tags added: bionic xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2017-02-28 Thread Simon Déziel 
The addition of "@{PROC}/@{pid}/status r," is tracked in LP: #1658239.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2017-01-27 Thread ChristianEhrhardt 
Thank you Simon and Kees,
I personally would not want it allowed in my base profile - but I'll leave that 
for the other bug to decide.
We certainly can consider adding it to mysql together with the others.

I feel relieved that the impact seems low, but OTOH that means it likely boils 
down to a community effort.
So if one wants to provide a debdiff to be reviewed and integrated, please go 
for it.

** Changed in: mysql-5.7 (Ubuntu)
   Status: Incomplete => Confirmed

** Changed in: mysql-5.7 (Ubuntu)
   Importance: Undecided => Low

** Changed in: mysql-5.7 (Ubuntu)
   Status: Confirmed => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2017-01-26 Thread Kees Cook 
I added this to the base profile, since other processes tripped over
that one. (It's in a separate bug report)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2017-01-26 Thread Simon Déziel 
I'm also noticing those on Xenial systems:

audit: type=1400 audit(1485382778.520:28): apparmor="DENIED" operation="open" 
profile="/usr/sbin/mysqld" name="/proc/752/status" pid=752 comm="mysqld" 
requested_mask="r" denied_mask="r" fsuid=110 ouid=110
audit: type=1400 audit(1485382778.520:29): apparmor="DENIED" operation="open" 
profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=752 
comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=0

On the affected system, there was no noticeable impact (yet?) other than
the denials, so I'd say it's low impact.

On top of the rules mentioned by Kees, adding this one would silence the
other denial:

  owner @{PROC}/@{pid}/status r,

Once all 3 rules were added to a test system, no more denials were
logged.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1658233] Re: missing apparmor rules

2017-01-23 Thread ChristianEhrhardt 
Hi,
thank you for your report and your help to make Ubuntu better!

We build with libnuma-dev which should auto-enable
https://bugs.mysql.com/bug.php?id=72811.

Might I ask you to describe what effect you see by this missing (other
than the Denie in the log) - just to help rating the importance and
urgency.

If you happen to brute force it disabled (not recommended in the long run) via
ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
Does it give you any extra capability/feature that was missing before?

The reason I ask is that there are quite often non-fatal denies like
that which e.g. do not need an SRU. While at other times they almost
disables a feature like it could do to numa in this case.


** Bug watch added: MySQL Bug System #72811
   http://bugs.mysql.com/bug.php?id=72811

** Changed in: mysql-5.7 (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233

Title:
  missing apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs