intrigeri <intrig...@debian.org> writes: > Hi, > > Kristian Nielsen wrote (21 Jan 2014 09:18:05 GMT) : >> In my experience, there are a lot of problems with installing an apparmor >> profile by default for the MySQL server. This is from 4 years of experience >> maintaining MariaDB .deb packages. > > Thank you for this very useful input. I want to contrast this with: > > * Ubuntu has been enabling the MySQL profile by default since 8.04 > LTS; perhaps we could ask them how much of a user support mess it > caused. > > * Debian does not enable AppArmor by default. So, only people who > explicitly, and manually, enabled it themselves may be affected by > any problems caused by the MySQL AppArmor profile. My assumption > here is that these people are more knowledgeable about AppArmor, > and its potential adverse effects, than the averable Ubuntu + > MySQL user. In particular, I hope they would be able to 1. > guess that a particular problem might be caused by AppArmor; 2. > look at the system log to find out what exact action is blocked; > and 3. add stuff to /etc/apparmor.d/local/. > > What do you think?
I think those are valid arguments. I think in the end, it comes down to whether one considers apparmor useful. I can see the use for apparmor for running eg. proprietary desktop binaries like adobe reader or something, to create a kind of sandbox. But for mysqld, I don't see much use, only annoyances. Others might have different opinions. One thing that would be nice is if we could fix the problem that mysql-test-run (the test suite) cannot be run when apparmor is enabled. Nor can /usr/sbin/mysqld be run as a separate instance by a non-privileged user in their own home directory (eg. for testing). I am not very familiar with how apparmor works, but one option would seem to be to introduce a wrapper /usr/sbin/mysqld_apparmor_wrapper that does nothing but call execve() of /usr/sbin/mysqld. Then /etc/init.d/mysql could start the wrapper, and the apparmor profile could be tied to the wrapper, and users would be free to use /usr/sbin/mysqld for other purposes. If supported by apparmor, another option might be to only have the restrictions active when /usr/sbin/mysqld is running as the `mysqld' user. Put another way, the problem is that the current apparmor profiles prevent a number of perfectly valid ways to run /usr/sbin/mysqld. If that problem could be solved, then maintaining apparmor profiles would become much more attractive. - Kristian. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org