dh_apparmor does not assist postinst scripts that need to run the constrained binary before the postinst completes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Confirmed | Low | Unassigned |
Bug Description
This affects mysql-5.6.
mysql-server-
The profile for mysqld has changed between 5.5 and 5.6: it now permits reads from /etc/mysql/**, since /etc/mysql/
On upgrade from the previous 5.5 packaging, mysql-server-
Workaround: I added an extra apparmor_parser call when I need it. But this fails if /etc/apparmor.
It would be better if we could somehow arrange dh_apparmor to ensure that the apparmor profile is active earlier, or at least define some way that the maintainer's postinst code can make it happen earlier - for example by wrapping the logic into something the maintainer can call. Or perhaps dh_apparmor should unload the profile in the prerm or something, so that the postinst always runs without the profile loaded (as already happens on first install).
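The following is an added example, not code from the bug report, from dh_apparmor, or from the mysql packaging. It shows the shape of the "extra apparmor_parser call" the reporter describes: a helper a maintainer's postinst can call before it first runs the confined binary, so that the 5.6 profile (rather than a stale 5.5 profile left loaded by the previous package) is what the kernel enforces during the postinst. The helper name, the APPARMOR_PARSER and AA_ENABLED_FILE overrides (present so the function can be exercised without root), and the profile path /etc/apparmor.d/usr.sbin.mysqld are assumptions for illustration. It is a no-op when the profile file, the parser, or kernel support is missing, which is the situation a postinst has to tolerate because the apparmor package is not guaranteed to be installed or enabled.

```shell
#!/bin/sh
# Added example (not dh_apparmor's or the mysql packaging's own code):
# load or replace an AppArmor profile from a maintainer script before the
# script runs the confined binary, instead of waiting for the dh_apparmor
# snippet that runs at the end of the postinst.
#
# Assumptions (hypothetical, not from the bug report):
#   APPARMOR_PARSER  - parser binary to use; defaults to apparmor_parser
#   AA_ENABLED_FILE  - kernel flag file; defaults to the sysfs path below

load_profile_early() {
    profile="$1"
    parser="${APPARMOR_PARSER:-apparmor_parser}"
    enabled_file="${AA_ENABLED_FILE:-/sys/module/apparmor/parameters/enabled}"

    # No profile shipped or it was removed by the admin: nothing to load.
    if [ ! -f "$profile" ]; then
        echo "load_profile_early: no profile at $profile, skipping" >&2
        return 0
    fi

    # AppArmor not enabled in the running kernel: loading would fail, so
    # skip rather than abort the postinst.
    if [ ! -f "$enabled_file" ] || [ "$(cat "$enabled_file")" != "Y" ]; then
        echo "load_profile_early: AppArmor not enabled, skipping" >&2
        return 0
    fi

    # Parser not installed (apparmor package absent): skip as well.
    if ! command -v "$parser" >/dev/null 2>&1; then
        echo "load_profile_early: $parser not found, skipping" >&2
        return 0
    fi

    # -r replaces a profile that is already loaded (the stale 5.5 profile in
    # the upgrade case) and simply loads it on a fresh install.
    "$parser" -r "$profile"
}

# Usage from a postinst, before the first mysqld invocation
# (assumed profile path):
#   load_profile_early /etc/apparmor.d/usr.sbin.mysqld
```

Because dh_apparmor's own snippet still runs at the end of the postinst, calling this helper earlier loads the same profile twice on an upgrade; that is harmless with -r, but the second load is wasted work, which is why the report asks for the logic to be exposed as something the maintainer can call once.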
Changed in apparmor (Ubuntu): importance: Undecided → Low
Another workaround would be to run mysqld unconfined (e.g. with aa-unconfined, or by copying/hardlinking the binary to a different file and running that one) for whatever operations the postinst has to do. I won't pretend it's nicer than what you've done already, but that's another option on the table.
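An added example (not from the commenter or from any package) of the second option above: running the binary through a temporary hard link or copy at a different path. AppArmor attaches a profile by the path of the executable at exec time, so a copy at another path runs unconfined without unloading or editing the shipped profile. The function name and the choice of a mktemp directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the commenter's or any package's own code): run a
# confined binary unconfined by executing a temporary hard link or copy of
# it at a path the AppArmor profile does not attach to.

run_unconfined_copy() {
    bin="$1"
    shift
    if [ ! -x "$bin" ]; then
        echo "run_unconfined_copy: not executable: $bin" >&2
        return 1
    fi

    tmpdir=$(mktemp -d) || return 1
    copy="$tmpdir/$(basename "$bin").unconfined"

    # Hard link when the temp dir is on the same filesystem (no data copied);
    # fall back to a copy otherwise. Either way the new path is what the
    # kernel sees at exec time, so the profile for $bin does not apply.
    if ! ln "$bin" "$copy" 2>/dev/null; then
        if ! cp "$bin" "$copy"; then
            rm -rf "$tmpdir"
            return 1
        fi
    fi

    "$copy" "$@"
    rc=$?

    # Remove the unconfined path as soon as the operation is done so it
    # cannot be reused afterwards.
    rm -rf "$tmpdir"
    return $rc
}

# Usage from a maintainer script (assumed binary path):
#   run_unconfined_copy /usr/sbin/mysqld --some-maintenance-option
```

Two caveats a postinst author should keep in mind: the temporary directory must be on a filesystem that allows execution (a noexec /tmp defeats the approach), and the copy runs with no profile at all, so it should be used only for the maintenance step, never for the long-running service.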