[Bug 1421303] [NEW] mysql does not import apparmor profile correctly
Robie Basak
1421303 at bugs.launchpad.net
Thu Feb 12 16:33:59 UTC 2015
*** This bug is a security vulnerability ***
Public security bug reported:
See https://jenkins.qa.ubuntu.com/job/vivid-adt-
mysql-5.6/lastBuild/ARCH=amd64,label=adt/artifact/results/log
The dep8 failure here was due to the apparmor profile not being updated,
which I will fix. But I'm concerned that there is a separate issue here,
which is that now I understand the other bug, I expect mysqld to have
failed on the first invocation after package install, not the second
after the restart. This suggests to me that there's some ordering issue
or race that stops the profile from taking effect on the first run.
Complicating factors may be the ordering of dh_installinit and
dh_apparmor in debian/rules (I'll amend this to be more sensible, but it
should be checked), and systemd vs. upstart (the upstart pre-script does
load the apparmor profile in a pre-script, but we are switching to
systemd this cycle and the systemd unit does not mention apparmor; I
think it should).
So I'd like to leave this bug open so the issue doesn't get lost and
does get looked at. We need to make sure that the apparmor profile is
loaded correctly and is always active, including the first mysqld
invocation after package installation, in the version we release in
Vivid.
mysql-5.6 should enter main this cycle.
** Affects: mysql-5.6 (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
See https://jenkins.qa.ubuntu.com/job/vivid-adt-
mysql-5.6/lastBuild/ARCH=amd64,label=adt/artifact/results/log
The dep8 failure here was due to the apparmor profile not being updated,
- which I will fix. But I've concerned that there is a separate issue
- here, which is that now I understand the other bug, I expect mysqld to
- have failed on the first invocation after package install, not the
- second after the restart. This suggests to me that there's some ordering
- issue or race that stops the profile from taking effect on the first
- run.
+ which I will fix. But I'm concerned that there is a separate issue here,
+ which is that now I understand the other bug, I expect mysqld to have
+ failed on the first invocation after package install, not the second
+ after the restart. This suggests to me that there's some ordering issue
+ or race that stops the profile from taking effect on the first run.
Complicating factors may be the ordering of dh_installinit and
dh_apparmor in debian/rules (I'll amend this to be more sensible, but it
should be checked), and systemd vs. upstart (the upstart pre-script does
load the apparmor profile in a pre-script, but we are switching to
systemd this cycle and the systemd unit does not mention apparmor; I
think it should).
So I'd like to leave this bug open so the issue doesn't get lost and
does get looked at. We need to make sure that the apparmor profile is
loaded correctly and is always active, including the first mysqld
invocation after package installation, in the version we release in
Vivid.
mysql-5.6 should enter main this cycle.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1421303
Title:
mysql does not import apparmor profile correctly
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1421303/+subscriptions
More information about the Ubuntu-server-bugs
mailing list