Public bug reported:
Versions: Using mariadb-server package version: 1:11.8.6-5 on Ubuntu
26.04 LTS
Context: With an LVM volume mounted on /var/lib/mysql, with owner/group
mysql/mysql and mode 755, mariadb-server fails to initialize the database
on installation because it is blocked by AppArmor.
journalctl provides these logs:
```logs
kernel: audit: type=1400 audit(1779296445.693:280): apparmor="DENIED"
operation="capable" class="cap" profile="mariadbd" pid=177245 comm="mariadbd"
capability=1 capname="dac_override"
kernel: audit: type=1400 audit(1779296445.693:281): apparmor="DENIED"
operation="capable" class="cap" profile="mariadbd" pid=177245 comm="mariadbd"
capability=6 capname="setgid"
kernel: audit: type=1400 audit(1779296445.743:282): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined" name="mariadbd" pid=177251 comm="apparmor_parser"
kernel: audit: type=1400 audit(1779296445.793:283): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined" name="mariadbd" pid=177257 comm="apparmor_parser"
kernel: audit: type=1400 audit(1779296446.505:284): apparmor="DENIED"
operation="open" class="file" profile="mariadbd" name="/var/log/mysql.err"
pid=177501 comm="mariadbd" requested_mask="ac" denied_mask="ac" fsuid=982
ouid=982
kernel: audit: type=1400 audit(1779296446.534:285): apparmor="DENIED"
operation="open" class="file" profile="mariadbd"
name="/sys/devices/pci0000:00/0000:00:01.1/ata2/host2/target2:0:0/2:0:0:0/block/sr0/dev"
pid=177501 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=982 ouid=0
kernel: audit: type=1400 audit(1779296474.464:288): apparmor="DENIED"
operation="open" class="file" profile="mariadbd" name="/var/log/mysql.err"
pid=190452 comm="mariadbd" requested_mask="ac" denied_mask="ac" fsuid=982
ouid=982
kernel: audit: type=1400 audit(1779296474.491:289): apparmor="DENIED"
operation="open" class="file" profile="mariadbd"
name="/sys/devices/pci0000:00/0000:00:01.1/ata2/host2/target2:0:0/2:0:0:0/block/sr0/dev"
pid=190452 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=982 ouid=0
kernel: audit: type=1400 audit(1779296494.099:290): apparmor="DENIED"
operation="capable" class="cap" profile="mariadbd" pid=190522 comm="mariadbd"
capability=1 capname="dac_override"
kernel: audit: type=1400 audit(1779296494.099:291): apparmor="DENIED"
operation="capable" class="cap" profile="mariadbd" pid=190522 comm="mariadbd"
capability=6 capname="setgid"
```
By doing this, I managed to get a working MariaDB installation:
```bash
cat > /etc/apparmor.d/local/mariadbd << 'EOF'
# Local overrides for mariadbd
capability dac_override,
capability dac_read_search,
capability setgid,
capability setuid,
/var/log/mysql.err rw,
/var/log/mysql/ rw,
/var/log/mysql/** rw,
/var/lib/mysql/ r,
/var/lib/mysql/** rwk,
EOF
# Reload the profile
apparmor_parser -r /etc/apparmor.d/mariadbd
# Init database
mariadb-install-db --user=mysql --datadir=/var/lib/mysql
systemctl start mariadb
```
Note: this appears to be two separate omissions in the AppArmor profile
— missing capabilities needed for LVM-mounted datadirs, and a missing
write rule for /var/log/mysql.err which is the default log path
configured by the package itself.
Expected: Installation should manage to initialize the "mysql" database
without having to set an AppArmor profile manually.
(I don't use this interface very often, let me know if I didn't include
the needed information)
** Affects: mariadb (Ubuntu)
Importance: Undecided
Status: New
** Tags: apparmor lvm mariadb
https://bugs.launchpad.net/bugs/2153455
Title:
Apparmor blocks mariadb-server initialization when /var/lib/mysql is
mounted using an LVM volume
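The denials in the journal excerpt above can be tallied per capability and per file before deciding which of them a local override actually has to grant. The following is an added example, not part of the original report or of the MariaDB packaging; it assumes each record begins with `kernel: audit: type=` as in the excerpt, and `records` and `denials` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample: five records copied from the report, wrapped as in the mail.
SAMPLE = '''\
kernel: audit: type=1400 audit(1779296445.693:280): apparmor="DENIED"
operation="capable" class="cap" profile="mariadbd" pid=177245 comm="mariadbd"
capability=1 capname="dac_override"
kernel: audit: type=1400 audit(1779296445.693:281): apparmor="DENIED"
operation="capable" class="cap" profile="mariadbd" pid=177245 comm="mariadbd"
capability=6 capname="setgid"
kernel: audit: type=1400 audit(1779296445.743:282): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
profile="unconfined" name="mariadbd" pid=177251 comm="apparmor_parser"
kernel: audit: type=1400 audit(1779296446.505:284): apparmor="DENIED"
operation="open" class="file" profile="mariadbd" name="/var/log/mysql.err"
pid=177501 comm="mariadbd" requested_mask="ac" denied_mask="ac" fsuid=982
ouid=982
kernel: audit: type=1400 audit(1779296494.099:290): apparmor="DENIED"
operation="capable" class="cap" profile="mariadbd" pid=190522 comm="mariadbd"
capability=1 capname="dac_override"
'''

# key="quoted value" or key=bare_value, as used in audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def records(text):
    # Assumption: a record starts at "kernel: audit: type="; other lines are wrapped continuations.
    joined = re.sub(r"\n(?!kernel: audit: type=)", " ", text.strip())
    return joined.splitlines()

def denials(text, profile="mariadbd"):
    """Count distinct DENIED events for one profile as (kind, target, denied_mask)."""
    counts = Counter()
    for rec in records(text):
        f = {k: q or raw for k, q, raw in FIELD.findall(rec)}
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue  # skips STATUS records and other profiles
        if f.get("class") == "cap":
            counts[("capability", f["capname"], "")] += 1
        elif f.get("class") == "file":
            counts[("file", f["name"], f["denied_mask"])] += 1
    return counts

if __name__ == "__main__":
    for (kind, target, mask), n in sorted(denials(SAMPLE).items()):
        print(f"{n}x {kind:<10} {target} {mask}")
```

Each distinct entry is a candidate for review rather than a rule to copy into the override as-is.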