MySQL on Ubuntu 14.04: problem with AppArmor permissions for the data directory
This is a permissions problem and not an AppArmor problem.
AppArmor works in conjunction with DAC permissions.
AppArmor provides an additional permission check to DAC. DAC is always checked in addition to the AppArmor permission checks. As such, AppArmor cannot override DAC to provide more access than what would be normally allowed.
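A concrete way to act on that point, added here as an example that is not part of the original answer, the question below, or Ubuntu's MySQL packaging: a POSIX shell script that audits and repairs the DAC side of a relocated datadir (the layout in the question below, /home/db with a symlink at /var/lib/mysql), so that the AppArmor allow rule has something left to allow. The function names (check_datadir_perms, fix_datadir_perms, apparmor_denials, real_datadir) and the default user `mysql` are this example's own assumptions. It resolves the symlink with readlink -f because both the kernel's DAC check and AppArmor's path matching apply to the real target. errno 13 is EACCES; a DAC refusal and an AppArmor refusal both reach mysqld as EACCES, but only an AppArmor refusal is also recorded in the kernel log as apparmor="DENIED", which is the quickest way to tell the two apart and is what the "post the AppArmor messages" comment below is asking for.

```sh
#!/bin/sh
# Added example, not from the original post or from Ubuntu's mysql packaging.
# Audits and repairs DAC ownership/modes on a relocated MySQL datadir.
# Assumptions: GNU find/coreutils (as on Ubuntu); chown/chmod on a real
# datadir need root. All function names here are this example's own.

# mysqld is pointed at /var/lib/mysql, which the post turns into a symlink.
# DAC and AppArmor both act on the real target, so always resolve it first.
real_datadir() {
    readlink -f "$1"
}

# List every entry that would make mysqld fail with errno 13 (EACCES):
# directories not exactly 0700, regular files not exactly 0600, or anything
# not owned by the service user. Prints the offenders; returns 1 if any exist.
check_datadir_perms() {
    dir=$(real_datadir "$1")
    user=$2
    # find applies its implicit -print to the whole OR-expression, so only
    # violating entries appear; '-perm 700' is an exact-mode match.
    offenders=$(find "$dir" \( -type d ! -perm 700 \) -o \( -type f ! -perm 600 \) -o ! -user "$user")
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Repair: owner first, then modes split by type so files never gain the
# execute bit and directories keep the search bit. This reaches the same
# state as the post's chmod -R 600 followed by a find on -type d.
# The group defaults to the user's primary group (mysql:mysql on Ubuntu).
fix_datadir_perms() {
    dir=$(real_datadir "$1")
    user=$2
    group=${3:-$(id -gn "$user")}
    chown -R "$user:$group" "$dir"
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# Tell a DAC refusal from an AppArmor refusal: both surface to mysqld as
# errno 13, but only AppArmor also logs a DENIED record to the kernel log
# (dmesg, or /var/log/kern.log on a 14.04 system).
apparmor_denials() {
    { dmesg 2>/dev/null; cat /var/log/kern.log 2>/dev/null; } \
        | grep 'apparmor="DENIED"' | grep mysqld \
        || echo "no AppArmor denials logged for mysqld"
}

# Usage on a real system, mirroring the post's layout (requires root):
#   sudo sh datadir-perms.sh /home/db mysql
if [ -n "${1:-}" ]; then
    if check_datadir_perms "$1" "${2:-mysql}"; then
        echo "$1: ownership and modes already correct"
    else
        fix_datadir_perms "$1" "${2:-mysql}"
        check_datadir_perms "$1" "${2:-mysql}" && echo "$1: repaired"
    fi
    apparmor_denials
fi
```

Two caveats that follow from the answer's point. First, a chmod 777 -R "fix" makes every privilege table world-writable, which is a worse state than the one being debugged; 700/600 owned by mysql is both sufficient and the least the daemon needs. Second, the stock /etc/apparmor.d/usr.sbin.mysqld grants the datadir itself with a separate `/var/lib/mysql/ r,` line alongside `/var/lib/mysql/** rwk,`; when moving the data, mirror both lines for the new location rather than only the `**` rule.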
Author: 谈 超
Updated on September 18, 2022
Comments
-
谈 超 over 1 year
I've been using MySQL with a different location for the database data since Ubuntu 12.04 and had no problems. My configuration was like this:
- Data in /home/db/mysql
- Link in the default location:
sudo ln -s /home/db/mysql /var/lib/mysql
- Added
/home/db/** rwk,
to /etc/apparmor.d/usr.sbin.mysqld
It worked great until Ubuntu 14.04. I've been struggling all day but can't seem to get it to work.
It seems like AppArmor is not giving the requested permissions to MySQL on the /home/db folder, since if I do
chmod 777 -R /home/db
it works. Otherwise, I get this:
$ sudo service mysql start
start: Job failed to start
And the log:
140420 22:42:56 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
140420 22:42:56 [Note] Plugin 'FEDERATED' is disabled.
/usr/sbin/mysqld: Can't find file: './mysql/plugin.frm' (errno: 13)
140420 22:42:56 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
140420 22:42:56 InnoDB: The InnoDB memory heap is disabled
140420 22:42:56 InnoDB: Mutexes and rw_locks use GCC atomic builtins
140420 22:42:56 InnoDB: Compressed tables use zlib 1.2.8
140420 22:42:56 InnoDB: Using Linux native AIO
140420 22:42:56 InnoDB: Initializing buffer pool, size = 128.0M
140420 22:42:56 InnoDB: Completed initialization of buffer pool
140420 22:42:56 InnoDB: highest supported file format is Barracuda.
140420 22:42:57 InnoDB: Waiting for the background threads to start
140420 22:42:58 InnoDB: 5.5.35 started; log sequence number 242217316
140420 22:42:58 [Note] Server hostname (bind-address): '127.0.0.1'; port: 3306
140420 22:42:58 [Note] - '127.0.0.1' resolves to '127.0.0.1';
140420 22:42:58 [Note] Server socket created on IP: '127.0.0.1'.
140420 22:42:58 [ERROR] /usr/sbin/mysqld: Can't find file: './mysql/host.frm' (errno: 13)
140420 22:42:58 [ERROR] Fatal error: Can't open and lock privilege tables: Can't find file: './mysql/host.frm' (errno: 13)
140420 22:42:58 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
140420 22:42:58 [Note] Plugin 'FEDERATED' is disabled.
/usr/sbin/mysqld: Can't find file: './mysql/plugin.frm' (errno: 13)
140420 22:42:58 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
140420 22:42:58 InnoDB: The InnoDB memory heap is disabled
140420 22:42:58 InnoDB: Mutexes and rw_locks use GCC atomic builtins
140420 22:42:58 InnoDB: Compressed tables use zlib 1.2.8
140420 22:42:58 InnoDB: Using Linux native AIO
140420 22:42:58 InnoDB: Initializing buffer pool, size = 128.0M
140420 22:42:58 InnoDB: Completed initialization of buffer pool
140420 22:42:59 InnoDB: highest supported file format is Barracuda.
140420 22:42:59 InnoDB: Waiting for the background threads to start
140420 22:43:00 InnoDB: 5.5.35 started; log sequence number 242217316
140420 22:43:00 [Note] Server hostname (bind-address): '127.0.0.1'; port: 3306
140420 22:43:00 [Note] - '127.0.0.1' resolves to '127.0.0.1';
140420 22:43:00 [Note] Server socket created on IP: '127.0.0.1'.
140420 22:43:00 [ERROR] /usr/sbin/mysqld: Can't find file: './mysql/host.frm' (errno: 13)
140420 22:43:00 [ERROR] Fatal error: Can't open and lock privilege tables: Can't find file: './mysql/host.frm' (errno: 13)
140420 22:43:01 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
140420 22:43:01 [Note] Plugin 'FEDERATED' is disabled.
/usr/sbin/mysqld: Can't find file: './mysql/plugin.frm' (errno: 13)
140420 22:43:01 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
140420 22:43:01 InnoDB: The InnoDB memory heap is disabled
140420 22:43:01 InnoDB: Mutexes and rw_locks use GCC atomic builtins
140420 22:43:01 InnoDB: Compressed tables use zlib 1.2.8
140420 22:43:01 InnoDB: Using Linux native AIO
140420 22:43:01 InnoDB: Initializing buffer pool, size = 128.0M
140420 22:43:01 InnoDB: Completed initialization of buffer pool
140420 22:43:01 InnoDB: highest supported file format is Barracuda.
140420 22:43:01 InnoDB: Waiting for the background threads to start
140420 22:43:02 InnoDB: 5.5.35 started; log sequence number 242217316
140420 22:43:02 [Note] Server hostname (bind-address): '127.0.0.1'; port: 3306
140420 22:43:02 [Note] - '127.0.0.1' resolves to '127.0.0.1';
140420 22:43:02 [Note] Server socket created on IP: '127.0.0.1'.
140420 22:43:02 [ERROR] /usr/sbin/mysqld: Can't find file: './mysql/host.frm' (errno: 13)
140420 22:43:02 [ERROR] Fatal error: Can't open and lock privilege tables: Can't find file: './mysql/host.frm' (errno: 13)
-
Panther about 10 years
If chmod works, I presume it is a permissions problem and not an AppArmor problem. If you still feel it is an AppArmor problem, post the AppArmor messages from the logs.
-
谈 超 about 10 years
It is a permission problem, but shouldn't AppArmor take care of this? The folder is owned by the mysql user and group. I am referring to /home/db.
-
Panther about 10 years
Assuming /home/db is owned by mysql, directories should work with permissions of 700 and files with 600. AppArmor does NOT override standard permissions: "AppArmor provides an additional permission check to DAC. DAC is always checked in addition to the AppArmor permission checks. As such, AppArmor cannot override DAC to provide more access than what would be normally allowed."
-
谈 超 about 10 years
You are correct. I was just testing this before reading your reply.
sudo chmod 700 -R /home/db
also seems to fix this. Thanks.
-
谈 超 about 10 years
The solution is:
sudo chmod -R 600 /home/db; sudo chmod 700 /home/db; sudo find /home/db -type d -exec chmod 700 {} \;
-
Panther about 10 years
Glad you got it sorted out, and I hope you learned a little something along the way ;)