Bug 386716

Summary: akonadi apparmor error: denied access to /etc/mysql/mariadb.cnf
Product: [KDE Neon] neon
Reporter: stefanprobst
Component: Packages User Edition
Assignee: Neon Bugs <neon-bugs>
Status: CONFIRMED ---
Severity: normal
CC: andrew.crouthamel, jr, KDE, m4rkusxxl, neon-bugs, sitter
Priority: NOR
Keywords: investigated, triaged
Version: unspecified
Target Milestone: ---
Platform: Neon
OS: Linux
Latest Commit:
Version Fixed In:

Description stefanprobst 2017-11-10 14:56:29 UTC
With akonadi-backend-mysql I get the following apparmor error:

audit: type=1400 audit(1510318372.064:33): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld-akonadi///usr/sbin/mysqld" name="/etc/mysql/mariadb.cnf" pid=1835 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0


See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869865
Comment 1 Andrew Crouthamel 2018-11-05 15:29:33 UTC
I believe this has been fixed since this report. I am unable to reproduce it. Could you please re-test with the latest version?
Comment 2 Michal Kec (MiK) 2018-11-11 18:22:22 UTC
I can confirm this behavior on recent KDE Neon (bionic) User Edition.
Since I had to switch from MySQL to MariaDB due to digiKam bug #379959, I am unable to run Kaddressbook.

Steps to reproduce:
1. Freshly installed KDE Neon with kaddressbook & kdepim-addons packages.
2. Start kaddressbook -> should work ok, you can see process mysqld invoked by Akonadi.
3. Replace mysql-core-server-5.7 by mariadb-server-10.1
4. Restart
5. Start kaddressbook -> Message "Akonadi not running" appears. Also no mysqld process invoked by Akonadi.
6. Error in syslog: audit: type=1400 audit(1541959236.039:31): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld-akonadi///usr/sbin/mysqld" name="/etc/mysql/mariadb.cnf" pid=8844 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I believe the usr.sbin.mysqld-akonadi profile of AppArmor needs to be updated in order to take MariaDB files into consideration.
Comment 3 Michal Kec (MiK) 2018-11-17 09:59:59 UTC
There are two issues simultaneously.

1. AppArmor profile doesn't know MariaDB config files
Workaround: Open the file /etc/apparmor.d/usr.sbin.mysqld-akonadi and add the following lines "somewhere in the middle":
    /etc/mysql/mariadb.conf.d/ r,
    /etc/mysql/mariadb.conf.d/* r,
    /etc/mysql/mariadb.cnf r,

2. MariaDB vs. MySQL binary files incompatibility. Since you can already have database files generated by MySQL, MariaDB can't deal with them and dies.
Workaround: Delete everything in ~/.local/share/akonadi/db_data and restart akonadi to let it create a brand new database. It's just a metadata cache after all.


Akonadi maintainers should definitely take care of the first issue. I'm not sure how to fix the second one. The DB engine should detect the incompatibility and either delete the broken database, or try to migrate. Further reading: https://mariadb.com/kb/en/library/mariadb-vs-mysql-compatibility/
Comment 4 Markus 2019-12-16 19:29:35 UTC
Maybe also add:
/usr/share/mariadb/** r,

Because I see:
apparmor="DENIED" operation="open" profile="mysqld_akonadi" name="/usr/share/mariadb/english/errmsg.sys" pid=10950 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" profile="mysqld_akonadi" name="/usr/share/mariadb/errmsg.sys" pid=10950 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
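
One way to turn denial records like those quoted in this report into candidate profile rules, as an added example that is not part of the bug thread or of Akonadi's packaging. The names `suggest_rules`, `PERMS` and `SAMPLE_LOG` and the constructed ALLOWED line are assumptions; it emits exact-path rules only, so widening a rule to a glob stays a reviewer's decision.

```python
import re
from collections import defaultdict

# Denial records copied from comments 2 and 4 of this report, plus one
# constructed ALLOWED line that must be ignored.
SAMPLE_LOG = '''\
audit: type=1400 audit(1541959236.039:31): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld-akonadi///usr/sbin/mysqld" name="/etc/mysql/mariadb.cnf" pid=8844 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" profile="mysqld_akonadi" name="/usr/share/mariadb/english/errmsg.sys" pid=10950 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" profile="mysqld_akonadi" name="/usr/share/mariadb/errmsg.sys" pid=10950 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="mysqld_akonadi" name="/tmp/constructed" pid=1 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# denied_mask letter -> profile permission. Create (c) and delete (d) are
# covered by "w" in profile syntax. "x" is left out on purpose: an exec rule
# needs a transition mode that a person has to choose.
PERMS = {"r": "r", "w": "w", "a": "a", "k": "k", "l": "l", "m": "m",
         "c": "w", "d": "w"}


def suggest_rules(log_text):
    """Return {profile: [rule, ...]}, one exact-path rule per denied file."""
    wanted = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = {k: (quoted, bare) for k, quoted, bare in FIELD.findall(line)}
        get = lambda key: f.get(key, ("", ""))[0]
        if get("apparmor") != "DENIED" or "name" not in f:
            continue
        quoted, bare = f["name"]
        # The audit layer logs a name with unusual bytes as bare hex.
        if bare and HEX.fullmatch(bare):
            path = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            path = quoted or bare
        perms = {PERMS[c] for c in get("denied_mask") if c in PERMS}
        if perms:
            wanted[get("profile")][path] |= perms
    rules = {}
    for profile, paths in wanted.items():
        rules[profile] = [
            f'{chr(34) + p + chr(34) if " " in p else p} {"".join(sorted(m))},'
            for p, m in sorted(paths.items())]
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        print("\n".join("  " + rule for rule in lines))
```
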