Dear All,
I have run in an unexpected dependency conflict while trying to install
mysql server on a SELinux hardened Ubuntu 16.04 LTS.
Reviewing the instructions at the "ReportingBugs" help.ubuntu.com
page, I think this here is the correct place to discuss. If not,
please gently direct me to the right place. It's my first post here.
A search of the mailing list archives did not return results I could
relate to my question.
Observed Problem:
-----------------
Trying to install mysql-server and thereby mysql-server-5.7 on a
16.04 LTS system (server-edition) with selinux installed, aborts with
aptitude complaining that "apparmor" is needed, but not to be
installed.
Cycling through the dependency resolution suggestions from aptitude
only offers to either uninstall selinux or not install mysql-server.
(See typescript and versions below)
Expected behaviour:
-------------------
Server / daemon software such as mysql-server should not have a hard
dependency on any specific Linux Security Module, but depend either on
none or on all in a "one of the following needed" fashion.
Steps to reproduce:
-------------------
a) indirect: just review the dependencies of mysql-server-5.7 by any
preferred way
b) direct:
b.1) install selinux and dependencies (note: selinux-policy-ubuntu is
broken and does not install, explicitly select selinux-policy-default
while requesting selinux). No need to actually activate it.
b.2) run "aptitude install mysql-server"
Question:
---------
I suppose this to be a packaging bug, but if it is instead intended
behaviour, then I'd like to learn why mysql-server has a hard
dependency on apparmor (and only apparmor, of all the various Linux
Security Modules out there). I'd also like to learn where to discuss
possible reconsideration, or what my options are to get mysql-server
installed on my SELinux hardened system.
Note:
I am not trying to discuss the specific merits or shortcomings of
apparmor or SELinux. For me, they serve related, but different,
purposes and both have there respective use. After careful review of
both options, I concluded that for my needs SELinux is the better
suited choice.
Best regards
Björn
Appendix:
---------
a) Relevant software versions installed:
----------------------------------------
> ***@ubuntu:~$ dpkg-query -l $(aptitude search '~i selinux' | cut -c 4-30)
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name Version Architecture
> Description
> +++-==========================-==================-==================-=========================================================
> ii libselinux1:amd64 2.4-3build2 amd64 SELinux
> runtime shared libraries
> ii python-selinux 2.4-3build2 amd64 Python
> bindings to SELinux shared libraries
> ii python3-selinux 2.4-3build2 amd64 Python3
> bindings to SELinux shared libraries
> ii selinux 1:0.11 all
> Security-Enhanced Linux runtime support
> ii selinux-basics 0.5.2 all SELinux
> basic support
> ii selinux-policy-default 2:2.20140421-9 all Strict
> and Targeted variants of the SELinux policy
> ii selinux-policy-dev 2:2.20140421-9 all Headers
> from the SELinux reference policy for building mo
> ii selinux-policy-src 2:2.20140421-9 all Source
> of the SELinux reference policy for customization
> ii selinux-utils 2.4-3build2 amd64 SELinux
> utility programs
> ***@ubuntu:~$ apt-cache policy selinux mysql-server-5.7 apparmor
> selinux:
> Installed: 1:0.11
> Candidate: 1:0.11
> Version table:
> *** 1:0.11 500
> 500 http://de.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
> 500 http://de.archive.ubuntu.com/ubuntu xenial/universe i386 Packages
> 100 /var/lib/dpkg/status
> mysql-server-5.7:
> Installed: (none)
> Candidate: 5.7.16-0ubuntu0.16.04.1
> Version table:
> 5.7.16-0ubuntu0.16.04.1 500
> 500 http://de.archive.ubuntu.com/ubuntu xenial-updates/main amd64
> Packages
> 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64
> Packages
> 5.7.11-0ubuntu6 500
> 500 http://de.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
> apparmor:
> Installed: (none)
> Candidate: 2.10.95-0ubuntu2.5
> Version table:
> 2.10.95-0ubuntu2.5 500
> 500 http://de.archive.ubuntu.com/ubuntu xenial-updates/main amd64
> Packages
> 2.10.95-0ubuntu2 500
> 500 http://de.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
b) Typescript of failed attempt
-------------------------------
> root@ubuntu ~ # se_aptitude --without-recommends install mysql-server
> Authenticating ***.
> Password:
> The following NEW packages will be installed:
> apparmor{a} libapparmor-perl{a} libevent-core-2.0-5{a} mysql-client-5.7{a}
> mysql-client-core-5.7{a} mysql-common{a}
> mysql-server mysql-server-5.7{a} mysql-server-core-5.7{a}
> The following packages are RECOMMENDED but will NOT be installed:
> libhtml-template-perl
> 0 packages upgraded, 9 newly installed, 0 to remove and 8 not upgraded.
> Need to get 18.7 MB of archives. After unpacking 162 MB will be used.
> The following packages have unmet dependencies:
> selinux : Conflicts: apparmor but 2.10.95-0ubuntu2.5 is to be installed.
> The following actions will resolve these dependencies:
>
> Remove the following packages:
> 1) selinux
>
>
>
> Accept this solution? [Y/n/q/?] n
> The following actions will resolve these dependencies:
>
> Keep the following packages at their current version:
> 1) apparmor [Not Installed]
> 2) mysql-server [Not Installed]
> 3) mysql-server-5.7 [Not Installed]
>
>
>
> Accept this solution? [Y/n/q/?] n
>
> *** No more solutions available ***
>
> The following actions will resolve these dependencies:
>
> Keep the following packages at their current version:
> 1) apparmor [Not Installed]
> 2) mysql-server [Not Installed]
> 3) mysql-server-5.7 [Not Installed]
>
>
>
> Accept this solution? [Y/n/q/?] q
> Abandoning all efforts to resolve these dependencies.
> Abort.
--
| Bjoern Kahl +++ Siegburg +++ Germany |
| "mls@-my-domain-" +++ www.bjoern-kahl.de |
| Languages: German, English, Ancient Latin (a bit :-)) |
--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
