Dear All, I have run in an unexpected dependency conflict while trying to install mysql server on a SELinux hardened Ubuntu 16.04 LTS.
Reviewing the instructions at the "ReportingBugs" help.ubuntu.com page, I think this here is the correct place to discuss. If not, please gently direct me to the right place. It's my first post here. A search of the mailing list archives did not return results I could relate to my question. Observed Problem: ----------------- Trying to install mysql-server and thereby mysql-server-5.7 on a 16.04 LTS system (server-edition) with selinux installed, aborts with aptitude complaining that "apparmor" is needed, but not to be installed. Cycling through the dependency resolution suggestions from aptitude only offers to either uninstall selinux or not install mysql-server. (See typescript and versions below) Expected behaviour: ------------------- Server / daemon software such as mysql-server should not have a hard dependency on any specific Linux Security Module, but depend either on none or on all in a "one of the following needed" fashion. Steps to reproduce: ------------------- a) indirect: just review the dependencies of mysql-server-5.7 by any preferred way b) direct: b.1) install selinux and dependencies (note: selinux-policy-ubuntu is broken and does not install, explicitly select selinux-policy-default while requesting selinux). No need to actually activate it. b.2) run "aptitude install mysql-server" Question: --------- I suppose this to be a packaging bug, but if it is instead intended behaviour, then I'd like to learn why mysql-server has a hard dependency on apparmor (and only apparmor, of all the various Linux Security Modules out there). I'd also like to learn where to discuss possible reconsideration, or what my options are to get mysql-server installed on my SELinux hardened system. Note: I am not trying to discuss the specific merits or shortcomings of apparmor or SELinux. For me, they serve related, but different, purposes and both have there respective use. After careful review of both options, I concluded that for my needs SELinux is the better suited choice. Best regards Björn Appendix: --------- a) Relevant software versions installed: ---------------------------------------- > ***@ubuntu:~$ dpkg-query -l $(aptitude search '~i selinux' | cut -c 4-30) > Desired=Unknown/Install/Remove/Purge/Hold > | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend > |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) > ||/ Name Version Architecture > Description > +++-==========================-==================-==================-========================================================= > ii libselinux1:amd64 2.4-3build2 amd64 SELinux > runtime shared libraries > ii python-selinux 2.4-3build2 amd64 Python > bindings to SELinux shared libraries > ii python3-selinux 2.4-3build2 amd64 Python3 > bindings to SELinux shared libraries > ii selinux 1:0.11 all > Security-Enhanced Linux runtime support > ii selinux-basics 0.5.2 all SELinux > basic support > ii selinux-policy-default 2:2.20140421-9 all Strict > and Targeted variants of the SELinux policy > ii selinux-policy-dev 2:2.20140421-9 all Headers > from the SELinux reference policy for building mo > ii selinux-policy-src 2:2.20140421-9 all Source > of the SELinux reference policy for customization > ii selinux-utils 2.4-3build2 amd64 SELinux > utility programs > ***@ubuntu:~$ apt-cache policy selinux mysql-server-5.7 apparmor > selinux: > Installed: 1:0.11 > Candidate: 1:0.11 > Version table: > *** 1:0.11 500 > 500 http://de.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages > 500 http://de.archive.ubuntu.com/ubuntu xenial/universe i386 Packages > 100 /var/lib/dpkg/status > mysql-server-5.7: > Installed: (none) > Candidate: 5.7.16-0ubuntu0.16.04.1 > Version table: > 5.7.16-0ubuntu0.16.04.1 500 > 500 http://de.archive.ubuntu.com/ubuntu xenial-updates/main amd64 > Packages > 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 > Packages > 5.7.11-0ubuntu6 500 > 500 http://de.archive.ubuntu.com/ubuntu xenial/main amd64 Packages > apparmor: > Installed: (none) > Candidate: 2.10.95-0ubuntu2.5 > Version table: > 2.10.95-0ubuntu2.5 500 > 500 http://de.archive.ubuntu.com/ubuntu xenial-updates/main amd64 > Packages > 2.10.95-0ubuntu2 500 > 500 http://de.archive.ubuntu.com/ubuntu xenial/main amd64 Packages b) Typescript of failed attempt ------------------------------- > root@ubuntu ~ # se_aptitude --without-recommends install mysql-server > Authenticating ***. > Password: > The following NEW packages will be installed: > apparmor{a} libapparmor-perl{a} libevent-core-2.0-5{a} mysql-client-5.7{a} > mysql-client-core-5.7{a} mysql-common{a} > mysql-server mysql-server-5.7{a} mysql-server-core-5.7{a} > The following packages are RECOMMENDED but will NOT be installed: > libhtml-template-perl > 0 packages upgraded, 9 newly installed, 0 to remove and 8 not upgraded. > Need to get 18.7 MB of archives. After unpacking 162 MB will be used. > The following packages have unmet dependencies: > selinux : Conflicts: apparmor but 2.10.95-0ubuntu2.5 is to be installed. > The following actions will resolve these dependencies: > > Remove the following packages: > 1) selinux > > > > Accept this solution? [Y/n/q/?] n > The following actions will resolve these dependencies: > > Keep the following packages at their current version: > 1) apparmor [Not Installed] > 2) mysql-server [Not Installed] > 3) mysql-server-5.7 [Not Installed] > > > > Accept this solution? [Y/n/q/?] n > > *** No more solutions available *** > > The following actions will resolve these dependencies: > > Keep the following packages at their current version: > 1) apparmor [Not Installed] > 2) mysql-server [Not Installed] > 3) mysql-server-5.7 [Not Installed] > > > > Accept this solution? [Y/n/q/?] q > Abandoning all efforts to resolve these dependencies. > Abort. -- | Bjoern Kahl +++ Siegburg +++ Germany | | "mls@-my-domain-" +++ www.bjoern-kahl.de | | Languages: German, English, Ancient Latin (a bit :-)) | -- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss