Package: mariadb-server
Version: 1:11.8.6-4
Severity: normal
Dear Maintainer,
I’m using Debian/Testing with sysvinit. MariaDB doesn’t start anymore
with the new enforcing apparmor profile.
osgiliath:~# date; service mariadb start
Fr 27. Mär 10:45:23 CET 2026
Starting MariaDB database server: mariadbd . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . .
260327 10:45:53 mysqld_safe Can't log to error log and syslog at the same time.
Remove all --log-error configuration options for --syslog to take effect.
260327 10:45:53 mysqld_safe Logging to '/tmp/tmp.E6JnB7r1Em.err'.
260327 10:45:53 mysqld_safe Starting mariadbd daemon with databases from
/var/lib/mysql
Running '/etc/init.d/mariadb start' failed with error log:
260327 10:45:53 mysqld_safe Starting mariadbd daemon with databases from
/var/lib/mysql
2026-03-27 10:45:53 0 [Warning] Could not increase number of max_open_files to
more than 1024 (request: 32139)
2026-03-27 10:45:53 0 [Warning] Changed limits: max_open_files: 1024
max_connections: 100 (was 100) table_cache: 447 (was 2000)
2026-03-27 10:45:53 0 [Warning] Can't create test file
'/var/lib/mysql/osgiliath.lower-test' (Errcode: 13 "Permission denied")
/usr/sbin/mariadbd: Can't change dir to '/var/lib/mysql/' (Errcode: 13
"Permission denied")
2026-03-27 10:45:53 0 [ERROR] Aborting
260327 10:45:53 mysqld_safe mysqld from pid file /run/mysqld/mysqld.pid ended
/var/log/kern.log shows:
2026-03-27T10:45:23.200360+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604723.198:4319): apparmor="DENIED" operation="capable" class="cap"
profile="mariadbd" pid=16450 comm="mariadbd" capability=24
capname="sys_resource"
2026-03-27T10:45:23.208387+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604723.206:4320): apparmor="DENIED" operation="capable" class="cap"
profile="mariadbd" pid=16450 comm="mariadbd" capability=2
capname="dac_read_search"
2026-03-27T10:45:23.208395+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604723.206:4321): apparmor="DENIED" operation="capable" class="cap"
profile="mariadbd" pid=16450 comm="mariadbd" capability=1
capname="dac_override"
2026-03-27T10:45:53.661371+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604753.660:4322): apparmor="DENIED" operation="capable" class="cap"
profile="mariadbd" pid=16902 comm="mariadbd" capability=24
capname="sys_resource"
2026-03-27T10:45:53.669378+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604753.668:4323): apparmor="DENIED" operation="capable" class="cap"
profile="mariadbd" pid=16902 comm="mariadbd" capability=2
capname="dac_read_search"
2026-03-27T10:45:53.669398+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604753.668:4324): apparmor="DENIED" operation="capable" class="cap"
profile="mariadbd" pid=16902 comm="mariadbd" capability=1
capname="dac_override"
In complaining mode MariaDB is starting and I see the following apparmor
logs:
2026-03-27T10:47:39.688360+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604859.686:4326): apparmor="ALLOWED" operation="capable" class="cap"
profile="mariadbd" pid=17110 comm="mariadbd" capability=24
capname="sys_resource"
2026-03-27T10:47:39.696374+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604859.694:4327): apparmor="ALLOWED" operation="capable" class="cap"
profile="mariadbd" pid=17110 comm="mariadbd" capability=2
capname="dac_read_search"
2026-03-27T10:47:39.696393+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604859.694:4328): apparmor="ALLOWED" operation="capable" class="cap"
profile="mariadbd" pid=17110 comm="mariadbd" capability=1
capname="dac_override"
2026-03-27T10:47:39.697356+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604859.695:4329): apparmor="ALLOWED" operation="capable" class="cap"
profile="mariadbd" pid=17110 comm="mariadbd" capability=6 capname="setgid"
2026-03-27T10:47:39.697373+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604859.695:4330): apparmor="ALLOWED" operation="capable" class="cap"
profile="mariadbd" pid=17110 comm="mariadbd" capability=6 capname="setgid"
2026-03-27T10:47:39.697374+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604859.695:4331): apparmor="ALLOWED" operation="capable" class="cap"
profile="mariadbd" pid=17110 comm="mariadbd" capability=7 capname="setuid"
2026-03-27T10:47:39.709349+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604859.707:4332): apparmor="ALLOWED" operation="open" class="file"
profile="mariadbd"
name="/sys/devices/pci0000:00/0000:00:1f.2/ata2/host1/target1:0:0/1:0:0:0/block/sdb/dev"
pid=17110 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=122 ouid=0
2026-03-27T10:47:39.709353+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604859.707:4333): apparmor="ALLOWED" operation="open" class="file"
profile="mariadbd"
name="/sys/devices/pci0000:00/0000:00:1f.2/ata6/host5/target5:0:0/5:0:0:0/block/sr0/dev"
pid=17110 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=122 ouid=0
2026-03-27T10:47:39.710385+01:00 osgiliath kernel: [ T58] audit: type=1400
audit(1774604859.708:4334): apparmor="ALLOWED" operation="open" class="file"
profile="mariadbd"
name="/sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda/dev"
pid=17110 comm="mariadbd" requested_mask="r" denied_mask="r" fsuid=122 ouid=0
Many greetings,
Stephan Seitz
-- System Information:
Debian Release: forky/sid
APT prefers stable-security
APT policy: (900, 'stable-security'), (900, 'oldoldstable-updates'), (900,
'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.19.10 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages mariadb-server depends on:
ii debconf [debconf-2.0] 1.5.92
ii galera-4 26.4.25-2
ii gawk 1:5.3.2-1
ii iproute2 6.19.0-1
ii libc6 2.42-13
ii libdbi-perl 1.647-1+b1
ii libgcc-s1 16-20260308-1
ii libpam0g 1.7.0-5+b1
ii libssl3t64 3.6.1-3
ii libstdc++6 16-20260308-1
ii lsof 4.99.4+dfsg-2
ii mariadb-client 1:11.8.6-4
ii mariadb-common 1:11.8.6-4
ii mariadb-server-core 1:11.8.6-4
ii passwd 1:4.18.0-2
ii perl 5.40.1-7
ii procps 2:4.0.4-9+b1
ii psmisc 23.7-2
ii rsync 3.4.1+ds1-7
ii socat 1.8.1.1-1
ii systemd-standalone-sysusers [systemd-sysusers] 260.1-1
ii zlib1g 1:1.3.dfsg+really1.3.1-3
Versions of packages mariadb-server recommends:
ii libhtml-template-perl 2.97-2
ii mariadb-plugin-provider-bzip2 1:11.8.6-4
ii mariadb-plugin-provider-lz4 1:11.8.6-4
ii mariadb-plugin-provider-lzma 1:11.8.6-4
ii mariadb-plugin-provider-lzo 1:11.8.6-4
ii mariadb-plugin-provider-snappy 1:11.8.6-4
ii pv 1.10.4-1
Versions of packages mariadb-server suggests:
ii bsd-mailx [mailx] 8.1.2-0.20220412cvs-1.1
pn mariadb-test <none>
pn netcat-openbsd <none>
-- Configuration Files:
/etc/mysql/mariadb.conf.d/50-server.cnf changed [not included]
-- debconf information excluded
--
| If your life was a horse, you'd have to shoot it. |
