Mysql on Ubuntu 14.04 problem with AppArmor permissions for data directory


This is a permissions problem and not an Apparmor problem.

Apparmor works in conjunction with DAC permissions.

AppArmor provides an additional permission check to DAC. DAC is always checked in addition to the AppArmor permission checks. As such, AppArmor cannot override DAC to provide more access than what would be normally allowed.

See http://wiki.apparmor.net/index.php/QuickProfileLanguage#How_AppArmor_file_permissions_differ_from_DAC



Author by 谈 超

Updated on September 18, 2022

Comments

  • 谈 超
    谈 超 over 1 year

    I've been using MySQL with a different location for the database data since Ubuntu 12.04 and had no problems. My configuration was like this:

    • Data in /home/db/mysql
    • Link in the default location sudo ln -s /home/db/mysql /var/lib/mysql
    • Added /home/db/** rwk, to /etc/apparmor.d/usr.sbin.mysqld

    It worked great until Ubuntu 14.04. I've been struggling all day but can't seem to get it to work.

    It seems like AppArmor is not giving requested permissions to MySQL on /home/db folder, since if I do chmod 777 -R /home/db it works.

    Otherwise, I get this:

    $ sudo service mysql start
    start: Job failed to start
    

    And the log:

    140420 22:42:56 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
    140420 22:42:56 [Note] Plugin 'FEDERATED' is disabled.
    /usr/sbin/mysqld: Can't find file: './mysql/plugin.frm' (errno: 13)
    140420 22:42:56 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
    140420 22:42:56 InnoDB: The InnoDB memory heap is disabled
    140420 22:42:56 InnoDB: Mutexes and rw_locks use GCC atomic builtins
    140420 22:42:56 InnoDB: Compressed tables use zlib 1.2.8
    140420 22:42:56 InnoDB: Using Linux native AIO
    140420 22:42:56 InnoDB: Initializing buffer pool, size = 128.0M
    140420 22:42:56 InnoDB: Completed initialization of buffer pool
    140420 22:42:56 InnoDB: highest supported file format is Barracuda.
    140420 22:42:57  InnoDB: Waiting for the background threads to start
    140420 22:42:58 InnoDB: 5.5.35 started; log sequence number 242217316
    140420 22:42:58 [Note] Server hostname (bind-address): '127.0.0.1'; port: 3306
    140420 22:42:58 [Note]   - '127.0.0.1' resolves to '127.0.0.1';
    140420 22:42:58 [Note] Server socket created on IP: '127.0.0.1'.
    140420 22:42:58 [ERROR] /usr/sbin/mysqld: Can't find file: './mysql/host.frm' (errno: 13)
    140420 22:42:58 [ERROR] Fatal error: Can't open and lock privilege tables: Can't find file: './mysql/host.frm' (errno: 13)
    140420 22:42:58 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
    140420 22:42:58 [Note] Plugin 'FEDERATED' is disabled.
    /usr/sbin/mysqld: Can't find file: './mysql/plugin.frm' (errno: 13)
    140420 22:42:58 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
    140420 22:42:58 InnoDB: The InnoDB memory heap is disabled
    140420 22:42:58 InnoDB: Mutexes and rw_locks use GCC atomic builtins
    140420 22:42:58 InnoDB: Compressed tables use zlib 1.2.8
    140420 22:42:58 InnoDB: Using Linux native AIO
    140420 22:42:58 InnoDB: Initializing buffer pool, size = 128.0M
    140420 22:42:58 InnoDB: Completed initialization of buffer pool
    140420 22:42:59 InnoDB: highest supported file format is Barracuda.
    140420 22:42:59  InnoDB: Waiting for the background threads to start
    140420 22:43:00 InnoDB: 5.5.35 started; log sequence number 242217316
    140420 22:43:00 [Note] Server hostname (bind-address): '127.0.0.1'; port: 3306
    140420 22:43:00 [Note]   - '127.0.0.1' resolves to '127.0.0.1';
    140420 22:43:00 [Note] Server socket created on IP: '127.0.0.1'.
    140420 22:43:00 [ERROR] /usr/sbin/mysqld: Can't find file: './mysql/host.frm' (errno: 13)
    140420 22:43:00 [ERROR] Fatal error: Can't open and lock privilege tables: Can't find file: './mysql/host.frm' (errno: 13)
    140420 22:43:01 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
    140420 22:43:01 [Note] Plugin 'FEDERATED' is disabled.
    /usr/sbin/mysqld: Can't find file: './mysql/plugin.frm' (errno: 13)
    140420 22:43:01 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
    140420 22:43:01 InnoDB: The InnoDB memory heap is disabled
    140420 22:43:01 InnoDB: Mutexes and rw_locks use GCC atomic builtins
    140420 22:43:01 InnoDB: Compressed tables use zlib 1.2.8
    140420 22:43:01 InnoDB: Using Linux native AIO
    140420 22:43:01 InnoDB: Initializing buffer pool, size = 128.0M
    140420 22:43:01 InnoDB: Completed initialization of buffer pool
    140420 22:43:01 InnoDB: highest supported file format is Barracuda.
    140420 22:43:01  InnoDB: Waiting for the background threads to start
    140420 22:43:02 InnoDB: 5.5.35 started; log sequence number 242217316
    140420 22:43:02 [Note] Server hostname (bind-address): '127.0.0.1'; port: 3306
    140420 22:43:02 [Note]   - '127.0.0.1' resolves to '127.0.0.1';
    140420 22:43:02 [Note] Server socket created on IP: '127.0.0.1'.
    140420 22:43:02 [ERROR] /usr/sbin/mysqld: Can't find file: './mysql/host.frm' (errno: 13)
    140420 22:43:02 [ERROR] Fatal error: Can't open and lock privilege tables: Can't find file: './mysql/host.frm' (errno: 13)
    
    • Panther
      Panther about 10 years
      If chmod works I presume it is a permissions problem and not an AppArmor problem. If you still feel it is an AppArmor problem, post the AppArmor messages from the logs.
    • 谈 超
      谈 超 about 10 years
      It is a permission problem, but shouldn't apparmor take care of this? The folder is owned by mysql user and group. I am referring to /home/db.
    • Panther
      Panther about 10 years
      Assuming /home/db is owned by mysql, directories should work with permissions of 700 and files with 600. AppArmor does NOT override standard permissions - "AppArmor provides an additional permission check to DAC. DAC is always checked in addition to the AppArmor permission checks. As such, AppArmor cannot override DAC to provide more access than what would be normally allowed."
    • 谈 超
      谈 超 about 10 years
      You are correct. I was just testing this before reading your reply. sudo chmod 700 -R /home/db also seems to fix this. Thanks.
  • 谈 超
    谈 超 about 10 years
    The solution is: sudo chmod -R 600 /home/db; sudo chmod 700 /home/db; sudo find /home/db -type d -exec chmod 700 {} \;
  • Panther
    Panther about 10 years
    Glad you got it sorted out and I hope you learned a little something along the way ;)
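The thread resolves on the rule the answer states: the kernel always applies DAC, so an errno 13 (EACCES) from mysqld has to be checked against the mode bits before AppArmor is blamed. The script below is an added example, not code from the question, the answer, Ubuntu or MySQL. It walks a path the way the kernel's DAC check does for a given user (owner bits, then group bits, then other bits), reports the first component that would refuse that user, and only then looks for apparmor="DENIED" lines for the mysqld profile in a kernel or audit log. The function names (dac_has, dac_path_check, dac_tree_check, apparmor_denials, triage_eacces), the MYSQL_DATADIR, MYSQL_USER and KERN_LOG variables and the sample log lines are all constructed for this example; the rwx-on-directories, rw-on-files expectation is the 700/600 fix from the last comments, and the log line follows the format the AppArmor kernel module emits.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an errno 13 (EACCES) from
# mysqld. DAC (owner/group/other bits) is always checked by the kernel, so it
# is checked first here; AppArmor denials are looked for only afterwards.

# Absolute path of $1 (its parent must be searchable by the caller).
abspath() {
    d=$(cd "$(dirname "$1")" 2>/dev/null && pwd) || return 1
    printf '%s/%s\n' "${d%/}" "$(basename "$1")"
}

# dac_has PATH USER WANT: does USER (name or uid) hold bits WANT (1=x, 2=w,
# 4=r; 6=rw, 7=rwx) on PATH? Decided from stat's mode, owner and group the way
# the kernel does, so the verdict is the same whether this runs as root (whom
# DAC never stops) or as an unprivileged user. Needs GNU/busybox stat -c.
dac_has() {
    want=$3
    info=$(stat -c '%a %u %g' "$1") || return 2
    case $2 in *[!0-9]*) uid=$(id -u "$2" 2>/dev/null) || return 2 ;; *) uid=$2 ;; esac
    gids=$(id -G "$2" 2>/dev/null | tr ' ' '\n') || gids=""
    set -- $info
    perm=$((0$1 & 0777)); fuid=$2; fgid=$3
    if [ "$fuid" = "$uid" ]; then
        bits=$(( (perm >> 6) & 7 ))
    elif printf '%s\n' "$gids" | grep -qx "$fgid"; then
        bits=$(( (perm >> 3) & 7 ))
    else
        bits=$(( perm & 7 ))
    fi
    [ $(( bits & want )) -eq "$want" ]
}

# dac_path_check TARGET USER: every directory above TARGET needs x for USER;
# a directory TARGET needs rwx (mysqld creates files in it), a file needs rw.
# Prints the first component that fails, which is the one to chmod.
dac_path_check() {
    abs=$(abspath "$1") || { echo "DAC: cannot reach $1 (parent not searchable)"; return 1; }
    p=$(dirname "$abs")
    while :; do
        dac_has "$p" "$2" 1 || { echo "DAC: $2 cannot search $p"; return 1; }
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    if [ -d "$abs" ]; then need=7; else need=6; fi
    dac_has "$abs" "$2" "$need" || { echo "DAC: $2 lacks mode $need on $abs"; return 1; }
    echo "DAC: $2 has the required access to $abs"
}

# dac_tree_check DIR USER: count entries under DIR that fail dac_path_check
# (0 means the whole tree is usable by USER). Run as root so find can descend.
dac_tree_check() {
    find "$1" -print | while read -r entry; do
        dac_path_check "$entry" "$2" >/dev/null || printf '%s\n' "$entry"
    done | wc -l | tr -d ' '
}

# apparmor_denials PROFILE < LOG: paths AppArmor refused to PROFILE, read from
# dmesg / kern.log / audit.log lines. No output together with errno 13 from
# mysqld means DAC refused the open, which is what the chmod in the thread showed.
apparmor_denials() {
    grep 'apparmor="DENIED"' | grep "profile=\"$1\"" \
        | sed -n 's/.*name="\([^"]*\)".*/\1/p'
}

# Constructed sample log (not from the question): one denial in the format the
# kernel emits for mysqld, plus a profile-load status line that must not match.
SAMPLE_LOG='type=1400 audit(1397999999.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/home/db/mysql/mysql/plugin.frm" pid=2345 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
type=1400 audit(1397999999.124:46): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=2300 comm="apparmor_parser"'

# triage_eacces TARGET USER PROFILE LOGFILE: prints DAC, APPARMOR or NEITHER.
# DAC wins ties on purpose: AppArmor cannot grant what DAC withholds.
triage_eacces() {
    if ! dac_path_check "$1" "$2" >/dev/null; then
        echo DAC
    elif apparmor_denials "$3" < "$4" | grep -Fqx "$(abspath "$1")"; then
        echo APPARMOR
    else
        echo NEITHER
    fi
}

# Usage on a real box: MYSQL_DATADIR=/home/db/mysql sudo -E sh dac_triage.sh
if [ -n "${MYSQL_DATADIR:-}" ]; then
    echo "entries under $MYSQL_DATADIR not usable by ${MYSQL_USER:-mysql}: $(dac_tree_check "$MYSQL_DATADIR" "${MYSQL_USER:-mysql}")"
    triage_eacces "$MYSQL_DATADIR" "${MYSQL_USER:-mysql}" /usr/sbin/mysqld "${KERN_LOG:-/var/log/kern.log}"
fi
```

The mode-bit walk deliberately models the mysql user rather than the caller, because running the check as root would pass everything (root is exempt from DAC) and running it as yourself would test the wrong identity. It does not model POSIX ACLs or capabilities, so a tree that uses setfacl needs a look at getfacl as well; and because the thread's /home/db ends up 700 owned by mysql, the recursive form has to be run via sudo so that find can traverse it.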