Hello,

On Wednesday, 21 October 2020, 16:46:12 CEST, Bossler Daniela wrote:
> We want to open a posix message queue in a user defined function under
> mysqld. Mysqld has an apparmor-profile without any queue access rights
> (/dev/mqueue). We added /dev/mqueue/** rw to the profile but mysqld
> can not open any queue with mq_open(). Next we tried to add the queue
> name to the profile (/sp-example-server w,), but the problem/bug? is
> that the profile entries must begin with a "/" and the queue names
> are passed by mq_open to apparmor without the slash. So it's not
> possible to allow access to the posix-queue.
>
> Is there a workaround?

My crystal ball says that you get a log entry like this:
(irrelevant and unguessable ;-) parts replaced with "...")

type=AVC msg=audit(...): apparmor="DENIED" operation="..." info="Failed name lookup - disconnected path" error=-13 profile="..." name="sp-example-server" pid=... comm="..." requested_mask="w" denied_mask="w" fsuid=... ouid=...

If my guess is right and the message really reports "disconnected path",
then you'll need to add the attach_disconnected flag to the profile,
something like:

    profile mysql /usr/bin/mysqld flags=(attach_disconnected) {

If my guess was wrong, please provide the audit.log messages you see -
they would help to clean the nebulous areas on my crystal ball ;-)


Regards,

Christian Boltz

PS: non-random signature ;-)
-- 
you could be correct in that bugzilla may not be useful in predicting
either when the bug will be resolved, or the weather next month. so,
maybe subscribe to [opensuse-crystal_ball] is the best bet.
[DenverD in opensuse-factory]
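
The audit.log check described in the reply above, as an added example that is not part of the original message or of AppArmor itself: it separates "disconnected path" denials, where the attach_disconnected flag is the relevant change, from ordinary denials that need a path rule. The log lines are constructed samples (operation, pid, fsuid and timestamps are made up), and the function names parse_line, triage and advice are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread); values are illustrative.
SAMPLE_LOG = """\
type=AVC msg=audit(1603291572.101:501): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="mysql" name="sp-example-server" pid=4242 comm="mysqld" requested_mask="w" denied_mask="w" fsuid=60 ouid=60
type=AVC msg=audit(1603291580.007:502): apparmor="DENIED" operation="open" profile="mysql" name="/srv/export/dump.sql" pid=4242 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=60 ouid=0
type=AVC msg=audit(1603291590.300:503): apparmor="ALLOWED" operation="open" profile="mysql" name="/etc/my.cnf" pid=4242 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=60 ouid=0
type=SYSCALL msg=audit(1603291590.300:504): arch=c000003e syscall=257 success=yes exit=3
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD.findall(line)}

def triage(log_text):
    """Group DENIED records per profile: disconnected-path vs. ordinary denials."""
    report = defaultdict(lambda: {"disconnected": set(), "path_rule": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        # The info field is what distinguishes the case discussed in the reply.
        kind = "disconnected" if "disconnected path" in rec.get("info", "") else "path_rule"
        report[rec.get("profile", "?")][kind].add((rec.get("name", "?"), rec.get("denied_mask", "?")))
    return dict(report)

def advice(report):
    """Turn the triage result into one human-readable line per denial."""
    out = []
    for profile, kinds in sorted(report.items()):
        for name, mask in sorted(kinds["disconnected"]):
            out.append(f"{profile}: disconnected path, check flags=(attach_disconnected); denied {mask} on {name!r}")
        for name, mask in sorted(kinds["path_rule"]):
            out.append(f"{profile}: ordinary denial, review a rule for {name!r} with mask {mask}")
    return out

if __name__ == "__main__":
    print("\n".join(advice(triage(SAMPLE_LOG))))
```
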