Package: mariadb-server
X-Debbugs-Cc: [email protected]
Version: 1:11.8.6-2
Severity: normal

Hello,

The shipped AppArmor profile for mariadbd denies accesses during mariadb test runs in enforce mode.

I am not claiming that all observed MTR test failures are caused by AppArmor. Some testcase failures appear to be unrelated. For instance, rpl.rpl_blackhole_row_annotate currently shows a result mismatch due to the extra "from Debian-log" string in the binlog output, which does not look like an AppArmor permission failure.

However, the AppArmor denials are real and reproducible.

Observed denials include:

  apparmor="DENIED" operation="mknod" class="file" profile="mariadbd" \
  name="/usr/share/mariadb/mariadb-test/mariadb-app.lower-test" \
  requested_mask="c" denied_mask="c"

  apparmor="DENIED" operation="open" class="file" profile="mariadbd" \
  name="/sys/block/" requested_mask="r" denied_mask="r"

For comparison, when the profile is set to complain mode, the same accesses are logged as ALLOWED instead of DENIED.

Steps to reproduce:

1. Set up a Debian unstable VM or container and install mariadb-server

2. Set the profile to enforce mode:
   aa-enforce /usr/sbin/mariadbd

3. Run an MTR testcase, for instance:
   ./mariadb-test-run --vardir=/var/tmp/mtrvar --force rpl.rpl_blackhole_row_annotate

4. Inspect /var/log/audit/audit.log

Example audit log excerpts:

  type=AVC msg=audit(...): apparmor="DENIED" operation="mknod" class="file" profile="mariadbd" name="/usr/share/mariadb/mariadb-test/mariadb-app.lower-test" pid=1049 comm="mariadbd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

  type=AVC msg=audit(...): apparmor="DENIED" operation="open" class="file" profile="mariadbd" name="/sys/block/" pid=1055 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

This suggests that the shipped mariadbd AppArmor profile does not currently allow at least some accesses exercised by MTR in this environment.

I am still investigating the exact impact of these denials on the observed MTR failures.

Environment used:

* Debian unstable
* MariaDB 11.8.6-MariaDB-2
* AppArmor enabled

Cheers,
Aquila Macedo
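
The following triage helper is an added example, not part of the original report or of the MariaDB or AppArmor packaging. It reduces an audit log like the one quoted above to the distinct accesses denied for one profile, keeping DENIED (enforce) and ALLOWED (complain) records apart. The function names are hypothetical, the sample records beyond the two quoted in the report are constructed, and decoding of hex-encoded `name=` values goes beyond what the report shows.

```python
import re
from collections import Counter

# Constructed sample: the two DENIED records from the report, one constructed
# complain-mode (ALLOWED) record, one hex-encoded name, one unrelated record.
SAMPLE_LOG = """\
type=AVC msg=audit(...): apparmor="DENIED" operation="mknod" class="file" profile="mariadbd" name="/usr/share/mariadb/mariadb-test/mariadb-app.lower-test" pid=1049 comm="mariadbd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(...): apparmor="DENIED" operation="open" class="file" profile="mariadbd" name="/sys/block/" pid=1055 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(...): apparmor="ALLOWED" operation="open" class="file" profile="mariadbd" name="/sys/block/" pid=1101 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(...): apparmor="DENIED" operation="open" class="file" profile="mariadbd" name=2F746D702F612062 pid=1102 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(...): arch=c000003e syscall=257 success=no
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r"(?:[0-9A-F]{2})+")
KEY_FIELDS = ("apparmor", "profile", "operation", "name", "denied_mask")

def parse_record(line):
    """Return the key=value fields of one AppArmor audit record, else None."""
    if 'apparmor="' not in line:
        return None
    rec = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is None and key == "name" and HEX_RE.fullmatch(bare):
            # audit writes names containing spaces or special bytes as bare hex
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = bare if quoted is None else quoted
    return rec

def summarize(log_text):
    """Count records per (verdict, profile, operation, name, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            counts[tuple(rec.get(k, "") for k in KEY_FIELDS)] += 1
    return counts

def denied(counts, profile):
    """Sorted (operation, name, mask) triples DENIED for one profile."""
    return sorted(k[2:] for k in counts if k[0] == "DENIED" and k[1] == profile)

if __name__ == "__main__":
    for op, name, mask in denied(summarize(SAMPLE_LOG), "mariadbd"):
        print(f"{mask:>3}  {op:<6} {name}")
```

Running it over the logs of an enforce-mode and a complain-mode MTR run and comparing the two summaries shows which accesses the profile blocks only when enforced.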
