386716 – akonadi apparmor error: denied access to /etc/mysql/mariadb.cnf

Bug 386716 - akonadi apparmor error: denied access to /etc/mysql/mariadb.cnf

Summary: akonadi apparmor error: denied access to /etc/mysql/mariadb.cnf

Status:	CONFIRMED

Alias:	None

Product:	neon
Classification:	KDE Neon
Component:	Packages User Edition (show other bugs)
Version:	unspecified
Platform:	Neon Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Neon Bugs

URL:
Keywords:	investigated, triaged

Depends on:
Blocks:

Reported:	2017-11-10 14:56 UTC by stefanprobst
Modified:	2019-12-16 19:29 UTC (History)
CC List:	6 users (show)

See Also:
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description stefanprobst 2017-11-10 14:56:29 UTC

With akonadi-backend-mysql I get the following apparmor error:

audit: type=1400 audit(1510318372.064:33): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld-akonadi///usr/sbin/mysqld" name="/etc/mysql/mariadb.cnf" pid=1835 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0


See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869865

Comment 1 Andrew Crouthamel 2018-11-05 15:29:33 UTC

I believe this has been fixed since this report. I am unable to reproduce it. Could you please re-test with the latest version?

Comment 2 Michal Kec (MiK) 2018-11-11 18:22:22 UTC

I can confirm this behavior on recent KDE Neon (bionic) User Edition.
Since I had to switch from MySQL to MariaDB due to digiKam bug #379959, I am unable to run Kaddressbook.

Steps to reproduce:
1. Fresh installed KDE Neon with kaddressbook & kdepim-addons packages.
2. Start kaddressbook -> should work ok, you can see process mysqld invoked by Akonadi.
3. Replace mysql-core-server-5.7 by mariadb-server-10.1
4. Restart
5. Start kaddressbook -> Message "Akonadi not running" appears. Also no mysqld process invoked by Akonadi.
6. Error in syslog: audit: type=1400 audit(1541959236.039:31): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld-akonadi///usr/sbin/mysqld" name="/etc/mysql/mariadb.cnf" pid=8844 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I believe the usr.sbin.mysqld-akonadi profile of Apparmor needs to be updated in order to take MariaDB files into consideration.

Comment 3 Michal Kec (MiK) 2018-11-17 09:59:59 UTC

There are two issues simultaneously.

1. Apparmor profile doesn't know MariaDB config files
Workaround: Open the file /etc/apparmor.d/usr.sbin.mysqld-akonadi and add following lines "somewhere in the middle":
    /etc/mysql/mariadb.conf.d/ r,
    /etc/mysql/mariadb.conf.d/* r,
    /etc/mysql/mariadb.cnf r,

2. MariaDB vs. MySQL binary files incompatibility. Since you already can have database files generated by MySQL, MariaDB can't deal with them and dies.
Workaround: Delete everything in ~/.local/share/akonadi/db_data and restart akonadi to let it create brand new database. It's just a metadata cache after all.


Akonadi maintainers should definitely take care of the first issue. I'm not sure how to fix the second one. The DB engine should detect the incompatibility and either delete broken database, or try to migrate. Further reading: https://mariadb.com/kb/en/library/mariadb-vs-mysql-compatibility/

Comment 4 Markus 2019-12-16 19:29:35 UTC

Maybe also add:
/usr/share/mariadb/** r,

Because I see:
apparmor="DENIED" operation="open" profile="mysqld_akonadi" name="/usr/share/mariadb/english/errmsg.sys" pid=10950 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" profile="mysqld_akonadi" name="/usr/share/mariadb/errmsg.sys" pid=10950 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0