Bug#1010576: akonadi cannot kill mysql due to apparmor rules

2022-06-20 Thread Hefee 
Hi,

the fix is already in master, it is actually just a typo in the profile name:
https://invent.kde.org/pim/akonadi/-/commit/
a6fb4c7de13eed9d90237388113425413bf4d733

that may be worth to backport.
 
> If I set akonadi's profile to complain instead of enforce, akonadi can
> kill mysql ok:
> 
> sudo aa-complain /etc/apparmor.d/usr.bin.akonadiserver
> sudo systemctl reload apparmor.service

you don't need to restart apparmor after set akonadiserver to complain mode.


> Somehow mysql should be running in the mysqld_akonadi profile but it is
> running in fact unconstrained and therefore akonadiserver is not allowed
> to send a signal to it. Don't know how to fix that, though.

I see the same apparmor issue, but Akonadi is still not able to kill mariadb 
process.

 
> I suspect the fact that mysql hangs after suspend/resume is a different
> bug in mysql.

yepp - But I have no idea how to debug this.

regards,

hefee

signature.asc
Description: This is a digitally signed message part.

Bug#1010576: akonadi cannot kill mysql due to apparmor rules

2022-06-16 Thread Stefan Fritsch 



Hi,

I have the problem that after suspend/resume, if I shut down the system, 
systemd complains that mysql does not die. I  have wondered, why akonadi 
does not kill mysql and it is because of akonadi's apparmor rules:



Jun 16 11:24:45 k kernel: [ 4096.077336] audit: type=1400 
audit(1655371485.959:102): apparmor="DENIED" operation="signal" 
profile="/usr/bin/akonadiserver" pid=16671 comm="akonadiserver" 
requested_mask="send" denied_mask="send" signal=term peer="unconfined"
Jun 16 11:24:48 k kernel: [ 4099.080389] audit: type=1400 
audit(1655371488.963:103): apparmor="DENIED" operation="signal" 
profile="/usr/bin/akonadiserver" pid=16671 comm="akonadiserver" 
requested_mask="send" denied_mask="send" signal=kill peer="unconfined"


If I set akonadi's profile to complain instead of enforce, akonadi can 
kill mysql ok:


sudo aa-complain /etc/apparmor.d/usr.bin.akonadiserver
sudo systemctl reload apparmor.service


Somehow mysql should be running in the mysqld_akonadi profile but it is 
running in fact unconstrained and therefore akonadiserver is not allowed 
to send a signal to it. Don't know how to fix that, though.


I suspect the fact that mysql hangs after suspend/resume is a different 
bug in mysql.


Cheers,
Stefan