This bug was fixed in the package mysql-5.7 - 5.7.28-0ubuntu0.18.04.4
---
mysql-5.7 (5.7.28-0ubuntu0.18.04.4) bionic-security; urgency=medium
* SECURITY UPDATE: Update to 5.7.28 to fix security issues
- CVE-2019-2910, CVE-2019-2911, CVE-2019-2914, CVE-2019-2922,
This bug was fixed in the package mysql-5.7 - 5.7.28-0ubuntu0.19.04.2
---
mysql-5.7 (5.7.28-0ubuntu0.19.04.2) disco-security; urgency=medium
* SECURITY UPDATE: Update to 5.7.28 to fix security issues
- CVE-2019-2910, CVE-2019-2911, CVE-2019-2914, CVE-2019-2922,
This bug was fixed in the package mysql-5.7 - 5.7.28-0ubuntu0.16.04.2
---
mysql-5.7 (5.7.28-0ubuntu0.16.04.2) xenial-security; urgency=medium
* SECURITY UPDATE: Update to 5.7.28 to fix security issues
- CVE-2019-2910, CVE-2019-2911, CVE-2019-2914, CVE-2019-2922,
This bug was fixed in the package mysql-8.0 - 8.0.17-0ubuntu2
---
mysql-8.0 (8.0.17-0ubuntu2) eoan; urgency=medium
[ Robie Basak ]
* Ship missing files newly built since MySQL 8.0:
libmysqlrouter_http.so.1, various MySQL Router plugins,
mysqlrouter_passwd.
* Ship
I think I have most of these fixed now, but am a bit confused about the
org.freedesktop.systemd1 one, as it seems to come from usr/bin/dbus-
daemon and not usr/sbin/mysqld?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Changed in: mysql-8.0 (Ubuntu)
Assignee: (unassigned) => Robie Basak (racb)
** Changed in: mysql-5.7 (Ubuntu)
Assignee: (unassigned) => Christian Ehrhardt (paelzer)
** Changed in: mysql-5.7 (Ubuntu)
Assignee: Christian Ehrhardt (paelzer) => Robie Basak (racb)
** Tags
Tagging server-next mainly because of mysql-8, so we fix this finally,
and then SRUs can be considered.
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to mysql-5.7 in Ubuntu.
Matching subscriptions: main
eoan will have mysql-8 soon, so I installed it from proposed to verify.
These are the DENIED messages I got right after installation:
[ 580.067210] audit: type=1400 audit(1566304971.013:90): apparmor="DENIED"
operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/"
pid=8427
Tagging server-next mainly because of mysql-8, so we fix this finally,
and then SRUs can be considered.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233
Title:
missing apparmor rules
To
eoan will have mysql-8 soon, so I installed it from proposed to verify.
These are the DENIED messages I got right after installation:
[ 580.067210] audit: type=1400 audit(1566304971.013:90): apparmor="DENIED"
operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/"
pid=8427
On eoan, we need to add even more lines (I prefer to use
/etc/apparmor.d/local/usr.sbin.mysqld):
dbus send
bus=system
path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=GetDynamicUsers
peer=(name=org.freedesktop.systemd1),
in my case, to have a clean MySQL start, had to do this:
sudo nano /etc/apparmor.d/usr.sbin.mysqld
# add
capability dac_read_search,
/sys/devices/system/node/ r,
/sys/devices/system/node/node*/meminfo r,
/sys/devices/system/node/*/* r,
/sys/devices/system/node/* r,
sudo
also confirming on:
Kernel: 4.15.0-46-generic x86_64 bits: 64 Desktop: Xfce 4.12.3 Distro: Ubuntu
18.04.2 LTS
-- Unit mysql.service has begun starting up.
mar 15 23:48:50 Work audit[25035]: AVC apparmor="DENIED" operation="open"
profile="/usr/sbin/mysqld" name="/sys/devices/system/node/"
And also still present in disco:
[ter nov 20 15:38:42 2018] audit: type=1400 audit(1542741624.527:358):
apparmor="DENIED" operation="open"
namespace="root//lxd-disco-mysql_" profile="/usr/sbin/mysqld"
name="/sys/devices/system/node/" pid=2842 comm="mysqld" requested_mask="r"
denied_mask="r"
And also still present in disco:
[ter nov 20 15:38:42 2018] audit: type=1400 audit(1542741624.527:358):
apparmor="DENIED" operation="open"
namespace="root//lxd-disco-mysql_" profile="/usr/sbin/mysqld"
name="/sys/devices/system/node/" pid=2842 comm="mysqld" requested_mask="r"
denied_mask="r"
Confirmed I also see this on bionic.
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to mysql-5.7 in Ubuntu.
Matching subscriptions: main
https://bugs.launchpad.net/bugs/1658233
Title:
missing apparmor rules
To manage notifications about
Confirmed I also see this on bionic.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233
Title:
missing apparmor rules
To manage notifications about this bug go to:
@afunix, was this a fresh xenial 16.04.5 install, or an upgrade from a
previous release?
Can you list the mysql and apparmor packages you have installed?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
@afunix, was this a fresh xenial 16.04.5 install, or an upgrade from a
previous release?
Can you list the mysql and apparmor packages you have installed?
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to mysql-5.7 in Ubuntu.
Matching
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu 16.04.5 LTS
Release:16.04
Codename: xenial
# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1532696557.378:89): apparmor="DENIED" operation="open"
profile="/usr/sbin/mysqld"
Seeing these log entries in Bionic:
audit: type=1400 audit(1525128782.144:24): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined" name="/usr/sbin/mysqld" pid=24878 comm="apparmor_parser"
audit: type=1400 audit(1525128782.420:25):
** Tags added: bionic xenial
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233
Title:
missing apparmor rules
To manage notifications about this bug go to:
The addition of "@{PROC}/@{pid}/status r," is tracked in LP: #1658239.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233
Title:
missing apparmor rules
To manage notifications about this bug go
Thank you Simon and Kees,
I personally would not want it allowed in my base profile - but I'll leave that
for the other bug to decide.
We certainly can consider adding it to mysql together with the others.
I feel relieved that the impact seems low, but OTOH that means it likely boils
down to a
I added this to the base profile, since other processes tripped over
that one. (It's in a separate bug report)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658233
Title:
missing apparmor rules
I'm also noticing those on Xenial systems:
audit: type=1400 audit(1485382778.520:28): apparmor="DENIED" operation="open"
profile="/usr/sbin/mysqld" name="/proc/752/status" pid=752 comm="mysqld"
requested_mask="r" denied_mask="r" fsuid=110 ouid=110
audit: type=1400 audit(1485382778.520:29):
Hi,
thank you for your report and your help to make Ubuntu better!
We build with libnuma-dev which should auto-enable
https://bugs.mysql.com/bug.php?id=72811.
Might I ask you to describe what effect you see by this missing (other
than the Denie in the log) - just to help rating the importance
27 matches
Mail list logo
