[apparmor] Fwd: MariaDB AppArmor
Otto Kekäläinen
otto at seravo.fi
Sat Feb 22 17:49:33 UTC 2014
Hello!
2014-02-22 19:41 GMT+02:00 Felix Geyer <debfx at ubuntu.com>:
> -Slave_open_temp_tables 0
> +Slave_open_temp_tables 1
>
> mysqltest: Result content mismatch
>
> not ok
This is ok, this "error" is not marked as an actual error in the test
suite and it happens at least in all of the build environments I use.
> There are a few denied permissions:
>
> apparmor="DENIED" operation="mknod" parent=13650 profile="/usr/sbin/mysqld"
> name="/usr/share/mysql/mysql-test/<hostname>.lower-test" pid=13654 comm="mysqld"
> requested_mask="c" denied_mask="c" fsuid=0 ouid=0
> apparmor="DENIED" operation="open" parent=26824 profile="/usr/sbin/mysqld" name="/etc/" pid=26826
> comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> apparmor="DENIED" operation="open" parent=26863 profile="/usr/sbin/mysqld" name="/etc/pam.d/other"
> pid=26895 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> apparmor="DENIED" operation="capable" parent=27197 profile="/usr/sbin/mysqld" pid=27231
> comm="mysqld" pid=27231 comm="mysqld" capability=36 capname="block_suspend"
>
> Just before the access to /etc/pam.d/other mariadb logs:
> mysqld: PAM pam_end: NULL pam handle passed
>
> The first one is obviously only requested by the test suite, not sure about the others.
I guess it is ok to add mysql-test paths to the profile, as an
attacker would not benefit from such access anyway.
Unlike MySQL, MariaDB has PAM authentication integration. So that
probably needs some extra AppArmor rules too?
Please send me an updated profile if you are handy at writing them :)
- Otto
--
Check out our blog at http://seravo.fi/blog
and follow @ottokekalainen
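
The triage discussed in this message (which denials come only from the test suite and which need a closer look before the profile is changed) can be scripted; the following is an added example, not code from the original message or from the MariaDB or AppArmor projects. The sample log is constructed from the denials quoted above with one repeated record added, and the `TEST_PREFIX` path and the `test-suite`/`needs-review` labels are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, modelled on the denials quoted in the message above
# (one audit record per line); the last record is a repeat added for dedup.
SAMPLE_LOG = """\
apparmor="DENIED" operation="mknod" parent=13650 profile="/usr/sbin/mysqld" name="/usr/share/mysql/mysql-test/<hostname>.lower-test" pid=13654 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
apparmor="DENIED" operation="open" parent=26824 profile="/usr/sbin/mysqld" name="/etc/" pid=26826 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" parent=26863 profile="/usr/sbin/mysqld" name="/etc/pam.d/other" pid=26895 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="capable" parent=27197 profile="/usr/sbin/mysqld" pid=27231 comm="mysqld" capability=36 capname="block_suspend"
apparmor="DENIED" operation="open" parent=26863 profile="/usr/sbin/mysqld" name="/etc/pam.d/other" pid=26901 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: everything under this tree is touched only by the test suite.
TEST_PREFIX = "/usr/share/mysql/mysql-test/"


def parse_record(line):
    """Return the key=value fields of an AppArmor denial, or None otherwise."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def triage(log_text):
    """Count unique denials keyed by (profile, kind, target, mask, scope)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec.get("operation") == "capable":
            kind, target, mask = "capability", rec.get("capname", "?"), "-"
        else:
            kind, target = "file", rec.get("name", "?")
            mask = rec.get("denied_mask", "?")
        # Only the test tree is labelled; everything else is left for review.
        scope = "test-suite" if target.startswith(TEST_PREFIX) else "needs-review"
        counts[(rec.get("profile", "?"), kind, target, mask, scope)] += 1
    return counts


if __name__ == "__main__":
    for (profile, kind, target, mask, scope), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n}x {profile} {kind:<10} {mask:<2} {target}  [{scope}]")
```
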