touch-packages team mailing list archive

[Bug 1435368] Re: dh_apparmor does not assist postinst scripts that need to run the constrained binary before the postinst completes

 

Another workaround would be to run mysqld unconfined (e.g. with
aa-unconfined, or by copying/hardlinking the binary to a different file
and running that one) for whatever operations the postinst has to do. I
won't pretend it's nicer than what you've done already, but that's
another option on the table.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1435368

Title:
  dh_apparmor does not assist postinst scripts that need to run the
  constrained binary before the postinst completes

Status in apparmor package in Ubuntu:
  New

Bug description:
  This affects mysql-5.6.

  mysql-server-5.6.postinst needs to run /usr/sbin/mysqld for
  bootstrapping purposes before starting the daemon proper. It calls
  dh_apparmor from dh_override_install in debian/rules.

  The profile for mysqld has changed between 5.5 and 5.6: it now permits
  read from /etc/mysql/**, since /etc/mysql/mysql.conf.d/ is now used in
  addition to the original /etc/mysql/my.cnf, along with some other
  files.

  On upgrade from the previous 5.5 packaging, mysql-server-5.6.postinst
  attempts to run /usr/sbin/mysqld which then fails because the old
  profile is still active, since dh_apparmor has only added the snippet
  to the end of the postinst (after this point). It appears to include
  some logic about /etc/apparmor.d/local/ which I can't easily call from
  earlier in the postinst instead.

  Workaround: I added an extra apparmor_parser call when I need it. But
  this fails if /etc/apparmor.d/local/usr.sbin.mysqld doesn't exist,
  which is the case on first install of the package. So I have to ignore
  errors. This isn't ideal though.

  It would be better if we could somehow arrange dh_apparmor to ensure
  that the apparmor profile is active earlier, or at least define some
  way that the maintainer's postinst code can make it happen earlier -
  for example by wrapping the logic into something the maintainer can
  call. Or perhaps dh_apparmor should unload the profile in the prerm or
  something, so that the postinst always runs without the profile loaded
  (as already happens on first install).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1435368/+subscriptions
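
The following is an added example, not part of the bug report and not dh_apparmor's own code: a shell helper that a maintainer's postinst could call before running the confined binary. It creates the missing local/ include first, so the early apparmor_parser call does not need to ignore errors. The function name, the AA_ROOT, AA_PARSER and AA_SYSFS variables and the comment written into the local file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: reload an AppArmor profile early in a maintainer postinst.
# AA_ROOT, AA_PARSER and AA_SYSFS are hypothetical overrides so the logic can
# be exercised against a scratch directory; a postinst would use the defaults.
AA_ROOT="${AA_ROOT:-/etc/apparmor.d}"
AA_PARSER="${AA_PARSER:-apparmor_parser}"
AA_SYSFS="${AA_SYSFS:-/sys/kernel/security/apparmor}"

# reload_profile_early PROFILE   (e.g. usr.sbin.mysqld)
# Returns 0 when the profile was reloaded or there was nothing to do,
# and non-zero only when the parser itself reports a failure.
reload_profile_early() {
    profile="$1"
    main="$AA_ROOT/$profile"
    local_inc="$AA_ROOT/local/$profile"

    # The package ships no such profile: nothing to reload.
    [ -f "$main" ] || return 0

    # The profile includes local/<name>. On first install that file does not
    # exist yet, which is why a bare parser call fails. Create it atomically
    # and never overwrite an administrator's existing file.
    if [ ! -e "$local_inc" ]; then
        mkdir -p "$AA_ROOT/local"
        tmp=$(mktemp "$AA_ROOT/local/.tmp.XXXXXX") || return 1
        printf '# Site-specific additions and overrides for %s.\n' \
            "$profile" > "$tmp"
        chmod 644 "$tmp"
        mv -f "$tmp" "$local_inc"
    fi

    # No parser installed or AppArmor not active in the kernel: the binary
    # will run unconfined anyway, so there is no stale profile to replace.
    command -v "$AA_PARSER" >/dev/null 2>&1 || return 0
    [ -d "$AA_SYSFS" ] || return 0

    # -r replaces the currently loaded (old) profile with the new one.
    # A failure here is a real error and is passed back to the caller.
    "$AA_PARSER" -r "$main"
}
```

In a postinst this would be called as `reload_profile_early usr.sbin.mysqld` ahead of the bootstrap step, leaving the snippet that dh_apparmor appends at the end untouched.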
