Apparmor profile prevents read/write from /tmp

Bug #742501 reported by Necrolyte2
This bug affects 1 person
Affects: mysql-5.1 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Need to add
/home/tmp/*.MY* rw,

to the usr.sbin.mysqld apparmor profile

Affected package: mysql-5.1

Kern.log entries of interest
[17480.475541] type=1400 audit(1301059398.713:35): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/home/tmp/#sql_f07_0.MYI" pid=4538 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=115 ouid=115
[19694.473134] type=1400 audit(1301061612.712:369): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/home/tmp/#sql_1772_0.MYD" pid=6010 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=115 ouid=115
[19598.298780] type=1400 audit(1301061516.536:336): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/home/tmp/ibm6SIim" pid=6002 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=115 ouid=115

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: mysql-server-5.1 5.1.49-1ubuntu8.1
ProcVersionSignature: Ubuntu 2.6.35-27.48-generic 2.6.35.11
Uname: Linux 2.6.35-27-generic i686
Architecture: i386
Date: Fri Mar 25 21:15:46 2011
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: mysql-5.1

Clint Byrum (clint-fewbar) wrote :

Necrolyte, thanks for taking the time to file this bug report and help us make Ubuntu better.

I'm not sure why we would add /home/tmp to the default apparmor profile for mysqld, when it is not the default tmpdir for the package. Can you explain your reasoning for that?

If you want to put tmp on /home/tmp, you most certainly can, but you will need to also modify the apparmor profile (which will subsequently be re-loaded when mysql is stopped and started again.)

Closing as Invalid. If I have misunderstood the issue, please feel free to change the status back to New, or file a new report.

Changed in mysql-5.1 (Ubuntu):
status: New → Invalid
Necrolyte2 (vallardt) wrote :

/tmp is a symbolic link to /home/tmp

I didn't do it so I'm assuming it was done during the install

Necrolyte2 (vallardt) wrote :

Regardless, the apparmor profile for this package should include /tmp, right?

Changed in mysql-5.1 (Ubuntu):
status: Invalid → New
Andres Rodriguez (andreserl) wrote :

Hi there,

Thank you for reopening the bug.

The MySQL apparmor profile already includes the /tmp in the profile, however as abstractions:

 #include <abstractions/user-tmp>

Which are used for various profiles. This file is found at:

/etc/apparmor.d/abstractions/user-tmp

I hope this helps.

I'm marking this bug as Invalid again.

Thank you again

Changed in mysql-5.1 (Ubuntu):
status: New → Invalid
Andres Rodriguez (andreserl) wrote :

If you continue to have further issues with the apparmor profile, please file a bug report against the *apparmor* package, as the profile is not shipped by mysql.

Thank you!

Clint Byrum (clint-fewbar) wrote : Re: [Bug 742501] Re: Apparmor profile prevents read/write from /tmp

Excerpts from Necrolyte2's message of Sat Mar 26 00:38:50 UTC 2011:
> /tmp is a symbolic link to /home/tmp
>
> I didn't do it so I'm assuming it was done during the install
>

Definitely not. By default /tmp is its own directory off /

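Added example, not part of the thread or of the Ubuntu packages: a small Python parser for the AppArmor denials quoted in the report. It shows that the same file name is matched under /tmp but not under /home/tmp, because the rules are compared with the resolved path logged in `name=`. `USER_TMP_GLOBS` is a simplified, assumed stand-in for the /tmp rules in abstractions/user-tmp, the mapping of the `c` mask to `w` is this example's choice, and all function names are hypothetical.

```python
import re
from collections import defaultdict
from posixpath import dirname

# Two of the denials quoted in the bug description above.
KERN_LOG = '''\
[17480.475541] type=1400 audit(1301059398.713:35): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/home/tmp/#sql_f07_0.MYI" pid=4538 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=115 ouid=115
[19598.298780] type=1400 audit(1301061516.536:336): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/home/tmp/ibm6SIim" pid=6002 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=115 ouid=115
'''

# Assumption: simplified stand-in for the /tmp rules in abstractions/user-tmp.
USER_TMP_GLOBS = ["/tmp/", "/tmp/**", "/var/tmp/", "/var/tmp/**"]

# Example's choice: log masks c (create) and d (delete) are granted by w in a profile.
MASK_TO_PERM = {"c": "w", "d": "w"}

def glob_to_regex(glob):
    """AppArmor globbing: ** crosses '/', * stays within one path component."""
    out = re.escape(glob).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + out + "$")

def parse_denials(text):
    """Yield the key=value fields of each apparmor="DENIED" audit record."""
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
        if fields.get("apparmor") == "DENIED":
            yield fields

def covered(path, globs=USER_TMP_GLOBS):
    """True if the path, as AppArmor logged it, matches one of the globs."""
    return any(glob_to_regex(g).match(path) for g in globs)

def missing_rules(text):
    """Map profile name -> candidate rules for denied paths the globs miss."""
    rules = defaultdict(set)
    for d in parse_denials(text):
        if not covered(d["name"]):
            perms = "".join(sorted({MASK_TO_PERM.get(m, m) for m in d["denied_mask"]}))
            rules[d["profile"]].add(f'{dirname(d["name"])}/* {perms},')
    return {profile: sorted(r) for profile, r in rules.items()}

if __name__ == "__main__":
    print(covered("/tmp/#sql_f07_0.MYI"), covered("/home/tmp/#sql_f07_0.MYI"))
    print(missing_rules(KERN_LOG))
```

The candidate rules are a starting point for review against the profile, not text to paste in unchanged.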
