Audit errors reported by linux kernel - why you must care

By Stephane Carrez

On Ubuntu 8.04 running a Linux 2.6.24 kernel, you may see some strange error logs reported by dmesg. First you will look at them, you'll wonder where they come from and you will soon ignore them. You should better fix the problem, in most cases they p

Today I had to migrate the mysql storage to another partition because the /var partition was not large enough and the database was growing. After moving the files, updating the mysql configuration files to point to the new partition, mysql refused to start: it pretend it had no permission to access the directory. The directory was owned by mysql and it had the all the rights to write on files. What could happen?

After looking at the kernel logs, I saw this kind of message:

[173919.699270] audit(1229883052.863:39): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/data/var/mysql" pid=21625 profile="/usr/sbin/mysqld" namespace="default"

This kernel log is produced by the AppArmor kernel extension which restricts the access to resources to programs. Indeed, it tells that /usr/sbin/mysqld is not able to access the file /data/var/mysql. To fix the problem, you have to change the AppArmor configuration by editing the file /etc/apparmor.d/usr.sbin.mysqld.

 # vim:syntax=apparmor
 # Last Modified: Tue Jun 19 17:37:30 2007
 #include <tunables/global>

 /usr/sbin/mysqld {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/mysql>

  capability dac_override,
  capability setgid,
  capability setuid,

  /etc/hosts.allow r,
  /etc/hosts.deny r,

  /etc/group              m,
  /etc/passwd             m,

  /etc/mysql/*.pem r,
  /etc/mysql/conf.d/ r,
  /etc/mysql/conf.d/* r,
  /etc/mysql/my.cnf r,
  /usr/sbin/mysqld mr,
  /usr/share/mysql/** r,
 __ /var/lib/mysql/ r,__     #  ''Must be updated''
  __/var/lib/mysql/** rwk,__  # ''Must be updated''
  /var/log/mysql/ r,
  /var/log/mysql/* rw,
  /var/run/mysqld/ w,
  /var/run/mysqld/mysqld.sock w,

The two lines must be fixed to point to the new directory, in the example:

 __ /data/var/mysql/ r,__
  __/data/var/mysql/* rw,__

After changing the files, you must restart Apparmor:

$ sudo /etc/init.d/apparmor restart

After the fix, the mysql server was able to start again and the audit error was not reported any more.

Add a comment

To add a comment, you must be connected. Login