dh_apparmor does not assist postinst scripts that need to run the constrained binary before the postinst completes

Bug #1435368 reported by Robie Basak
This bug affects 2 people
Affects: apparmor (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

This affects mysql-5.6.

mysql-server-5.6.postinst needs to run /usr/sbin/mysqld for bootstrapping purposes before starting the daemon proper. It calls dh_apparmor from dh_override_install in debian/rules.

The profile for mysqld has changed between 5.5 and 5.6: it now permits read from /etc/mysql/**, since /etc/mysql/mysql.conf.d/ is now used in addition to the original /etc/mysql/my.cnf, along with some other files.

On upgrade from the previous 5.5 packaging, mysql-server-5.6.postinst attempts to run /usr/sbin/mysqld which then fails because the old profile is still active, since dh_apparmor has only added the snippet to the end of the postinst (after this point). It appears to include some logic about /etc/apparmor.d/local/ which I can't easily call from earlier in the postinst instead.

Workaround: I added an extra apparmor_parser call when I need it. But this fails if /etc/apparmor.d/local/usr.sbin.mysqld doesn't exist, which is the case on first install of the package. So I have to ignore errors. This isn't ideal though.

It would be better if we could somehow arrange dh_apparmor to ensure that the apparmor profile is active earlier, or at least define some way that the maintainer's postinst code can make it happen earlier - for example by wrapping the logic into something the maintainer can call. Or perhaps dh_apparmor should unload the profile in the prerm or something, so that the postinst always runs without the profile loaded (as already happens on first install).
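As an added example (not the reporter's workaround and not dh_apparmor's own code), here is a helper a postinst could call before executing the confined binary: it creates the empty local override when it is missing, which is the first-install case where the extra apparmor_parser call fails, and skips the reload when AppArmor is not enabled. APPARMOR_D and APPARMOR_PARSER are assumed knobs added so the helper can be exercised against a scratch directory rather than the live system.

```shell
#!/bin/sh
# Added example (not dh_apparmor's code): load an AppArmor profile early
# in a maintainer script, before the confined binary is executed.
# APPARMOR_D / APPARMOR_PARSER are assumed knobs so the helper can be
# exercised against a scratch directory instead of the live system.
APPARMOR_D="${APPARMOR_D:-/etc/apparmor.d}"
APPARMOR_PARSER="${APPARMOR_PARSER:-apparmor_parser}"

# ensure_local_override NAME: create an empty /etc/apparmor.d/local/NAME
# if absent, so the profile's "#include <local/NAME>" resolves on first
# install (the case where a bare apparmor_parser call fails).
ensure_local_override() {
    local_file="$APPARMOR_D/local/$1"
    if [ ! -e "$local_file" ]; then
        mkdir -p "$APPARMOR_D/local" || return 1
        install -m 644 /dev/null "$local_file" || return 1
    fi
}

# apparmor_enabled: true when AppArmor is active in the running kernel.
apparmor_enabled() {
    command -v aa-status >/dev/null 2>&1 && aa-status --enabled >/dev/null 2>&1
}

# load_profile_now NAME: make sure profile NAME is the one enforced right
# now. Prints "missing", "skipped" or "reloaded" so callers (and tests)
# can see which path was taken; returns non-zero only on a real failure.
load_profile_now() {
    profile="$APPARMOR_D/$1"
    if [ ! -f "$profile" ]; then
        echo "missing"          # package shipped no profile; nothing to do
        return 0
    fi
    ensure_local_override "$1" || return 1
    if apparmor_enabled; then
        # -r replace the loaded profile, -T skip the read cache, -W write it
        "$APPARMOR_PARSER" -r -T -W "$profile" || return 1
        echo "reloaded"
    else
        echo "skipped"          # AppArmor off: the binary runs unconfined
    fi
}

# In mysql-server's postinst this would run before the bootstrap call to
# /usr/sbin/mysqld; guarded so it only fires when invoked by dpkg.
if [ "${1:-}" = "configure" ] && [ -n "${DPKG_MAINTSCRIPT_NAME:-}" ]; then
    load_profile_now usr.sbin.mysqld || exit 1
fi
```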

Revision history for this message
intrigeri (intrigeri) wrote :

Another workaround would be to run mysqld unconfined (e.g. with aa-unconfined, or by copying/hardlinking the binary to a different file and running that one) for whatever operations the postinst has to do. I won't pretend it's nicer than what you've done already, but that's another option on the table.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Mathew Hodson (mhodson)
Changed in apparmor (Ubuntu):
importance: Undecided → Low