Solution apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld"

While optimizing one of the servers, I ran the command:

dmesg

And I saw the following messages:

audit: type=1400 audit(1542000766.356:9): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/10730/status" pid=10730 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=109 ouid=109
audit: type=1400 audit(1542000766.356:10): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=10730 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
audit: type=1400 audit(1542000766.356:11): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/10730/status" pid=10730 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=109 ouid=109

Judging by these messages, AppArmor denied the MySQL server process read access to some objects it needs, yet the MySQL server still started and worked successfully.

To solve the problem, open the configuration file in a text editor:

nano /etc/apparmor.d/usr.sbin.mysqld

And immediately after the line:

/usr/sbin/mysqld {

Add the following lines (each one starts with two spaces):

  /proc/*/status r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node*/meminfo r,

After that, reload AppArmor:

service apparmor reload

After that, these messages no longer appear in dmesg.
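
Turning the denials quoted above into candidate profile rules can be scripted, as in this added example (not part of the original post). The function names are this example's own, and the optional `owner` qualifier is an addition the article does not use; it is applied only when `fsuid` equals `ouid` in every matching denial.

```python
import re
from collections import OrderedDict

# The three denial lines quoted in the article above (dmesg output).
SAMPLE_DMESG = '''\
audit: type=1400 audit(1542000766.356:9): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/10730/status" pid=10730 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=109 ouid=109
audit: type=1400 audit(1542000766.356:10): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=10730 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
audit: type=1400 audit(1542000766.356:11): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/10730/status" pid=10730 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=109 ouid=109
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denials(text):
    """Return one dict of key/value fields per AppArmor DENIED audit line."""
    denials = []
    for line in text.splitlines():
        fields = {k: (q if q else b) for k, q, b in FIELD_RE.findall(line)}
        if fields.get("apparmor") == "DENIED" and fields.get("name") and fields.get("denied_mask"):
            denials.append(fields)
    return denials

def suggest_rules(denials, profile, use_owner=False):
    """Collapse the denials of one profile into candidate rules for review."""
    merged = OrderedDict()  # path pattern -> [set of mask letters, all-owner flag]
    for d in denials:
        if d.get("profile") != profile:
            continue
        # /proc/<pid of the denied process>/ changes on every start, so replace
        # the PID with the glob the article uses in its rule.
        path = d["name"]
        own = "/proc/%s/" % d.get("pid")
        if path.startswith(own):
            path = "/proc/*/" + path[len(own):]
        entry = merged.setdefault(path, [set(), True])
        entry[0].update(d["denied_mask"])  # merge masks seen for the same path
        entry[1] = entry[1] and d.get("fsuid") is not None and d.get("fsuid") == d.get("ouid")
    rules = []
    for path, (mask, owned) in merged.items():
        prefix = "owner " if use_owner and owned else ""
        rules.append("  %s%s %s," % (prefix, path, "".join(sorted(mask))))
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_rules(parse_denials(SAMPLE_DMESG), "/usr/sbin/mysqld")))
```

The article's third rule, for `node*/meminfo`, does not appear in the quoted denials, so it is not derived here.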

3 Comments

  1. A missing space after the # in /etc/apparmor.d/usr.sbin.mysqld
    # Site-specific additions and overrides. See local/README for details.
    #include
    makes AppArmor fail at start

  2. In Debian it is really much simpler! Install the package apparmor-utils which provides the utility aa-disable:

    #sudo apt install apparmor-utils
    and then just run
    #aa-disable mysqld

    and start mysql!

    1. Well… In such a case, why don’t you just disable AppArmor completely?
      The post author tells people to fix the MySQL AppArmor profile, while you tell people to disable the profile.

      A disabled profile means no security for the given process.
      A fixed profile means the process is still secured by AppArmor.

      Think a bit before posting “simpler solutions”…