touch-packages team mailing list archive

[Bug 1435368] [NEW] dh_apparmor does not assist postinst scripts that need to run the constrained binary before the postinst completes

 

Public bug reported:

This affects mysql-5.6.

mysql-server-5.6.postinst needs to run /usr/sbin/mysqld for
bootstrapping purposes before starting the daemon proper. It calls
dh_apparmor from dh_override_install in debian/rules.

The profile for mysqld has changed between 5.5 and 5.6: it now permits
read from /etc/mysql/**, since /etc/mysql/mysql.conf.d/ is now used in
addition to the original /etc/mysql/my.cnf, along with some other files.

On upgrade from the previous 5.5 packaging, mysql-server-5.6.postinst
attempts to run /usr/sbin/mysqld which then fails because the old
profile is still active, since dh_apparmor has only added the snippet to
the end of the postinst (after this point). It appears to include some
logic about /etc/apparmor.d/local/ which I can't easily call from
earlier in the postinst instead.

Workaround: I added an extra apparmor_parser call when I need it. But
this fails if /etc/apparmor.d/local/usr.sbin.mysqld doesn't exist, which
is the case on first install of the package. So I have to ignore errors.
This isn't ideal though.

It would be better if we could somehow arrange dh_apparmor to ensure
that the apparmor profile is active earlier, or at least define some way
that the maintainer's postinst code can make it happen earlier - for
example by wrapping the logic into something the maintainer can call. Or
perhaps dh_apparmor should unload the profile in the prerm or something,
so that the postinst always runs without the profile loaded (as already
happens on first install).

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1435368
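
The workaround described in the report, written as a helper that a maintainer postinst could call before it runs the confined binary. This is an added example, not code from the bug report or from dh_apparmor; the function name `ensure_profile_loaded` and the `APPARMOR_D` / `AA_PARSER` overrides are hypothetical, and it assumes AppArmor is enabled whenever `apparmor_parser` is installed.

```shell
#!/bin/sh
# Added example: reload a package's AppArmor profile early in a postinst.
# APPARMOR_D and AA_PARSER are hypothetical overrides so the function can be
# exercised outside a real system; unset, the usual system paths apply.

ensure_profile_loaded() {
    profile_name="$1"                          # e.g. usr.sbin.mysqld
    aa_dir="${APPARMOR_D:-/etc/apparmor.d}"
    parser="${AA_PARSER:-apparmor_parser}"
    profile="$aa_dir/$profile_name"
    local_profile="$aa_dir/local/$profile_name"

    # Nothing to do if no profile is installed at this path.
    [ -f "$profile" ] || return 0

    # On first install the local/ override file does not exist yet, which is
    # the case where the report's bare apparmor_parser call fails. Create an
    # empty one, but never overwrite an administrator's existing file.
    if [ ! -e "$local_profile" ]; then
        mkdir -p "$aa_dir/local"
        tmp=$(mktemp "$aa_dir/local/.tmp.XXXXXX") || return 1
        printf '# Site-specific additions and overrides for %s.\n' \
            "$profile_name" > "$tmp"
        chmod 644 "$tmp"
        mv -f "$tmp" "$local_profile"
    fi

    # Skip quietly when the parser is not installed.
    command -v "$parser" >/dev/null 2>&1 || return 0

    # -r replaces the already-loaded (old) profile with the new one. The exit
    # status is passed back so a real parse error is not silently ignored.
    "$parser" -r "$profile"
}
```

Called as `ensure_profile_loaded usr.sbin.mysqld` ahead of the bootstrap step, this removes the need to ignore errors from the parser on first install.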