Packaging/Dependency problem with mysql-server and apparmor vs. selinux (16.04 LTS)
Bjoern Kahl
mls at bjoern-kahl.de
Fri Nov 11 21:48:22 UTC 2016
Dear All,

I have run into an unexpected dependency conflict while trying to install
mysql server on a SELinux hardened Ubuntu 16.04 LTS.

Reviewing the instructions at the "ReportingBugs" help.ubuntu.com
page, I think this here is the correct place to discuss. If not,
please gently direct me to the right place. It's my first post here.

A search of the mailing list archives did not return results I could
relate to my question.
Observed Problem:
-----------------
Trying to install mysql-server and thereby mysql-server-5.7 on a
16.04 LTS system (server-edition) with selinux installed, aborts with
aptitude complaining that "apparmor" is needed, but not to be
installed.
Cycling through the dependency resolution suggestions from aptitude
only offers to either uninstall selinux or not install mysql-server.
(See typescript and versions below)
Expected behaviour:
-------------------
Server / daemon software such as mysql-server should not have a hard
dependency on any specific Linux Security Module, but depend either on
none or on all in a "one of the following needed" fashion.
Steps to reproduce:
-------------------
a) indirect: just review the dependencies of mysql-server-5.7 by any
preferred way
b) direct:
b.1) install selinux and dependencies (note: selinux-policy-ubuntu is
broken and does not install, explicitly select selinux-policy-default
while requesting selinux). No need to actually activate it.
b.2) run "aptitude install mysql-server"
Question:
---------
I suppose this to be a packaging bug, but if it is instead intended
behaviour, then I'd like to learn why mysql-server has a hard
dependency on apparmor (and only apparmor, of all the various Linux
Security Modules out there). I'd also like to learn where to discuss
possible reconsideration, or what my options are to get mysql-server
installed on my SELinux hardened system.
Note:
I am not trying to discuss the specific merits or shortcomings of
apparmor or SELinux. For me, they serve related, but different,
purposes and both have their respective use. After careful review of
both options, I concluded that for my needs SELinux is the better
suited choice.

Best regards
Björn
Appendix:
---------
a) Relevant software versions installed:
----------------------------------------
> ***@ubuntu:~$ dpkg-query -l $(aptitude search '~i selinux' | cut -c 4-30)
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name Version Architecture Description
> +++-==========================-==================-==================-=========================================================
> ii libselinux1:amd64 2.4-3build2 amd64 SELinux runtime shared libraries
> ii python-selinux 2.4-3build2 amd64 Python bindings to SELinux shared libraries
> ii python3-selinux 2.4-3build2 amd64 Python3 bindings to SELinux shared libraries
> ii selinux 1:0.11 all Security-Enhanced Linux runtime support
> ii selinux-basics 0.5.2 all SELinux basic support
> ii selinux-policy-default 2:2.20140421-9 all Strict and Targeted variants of the SELinux policy
> ii selinux-policy-dev 2:2.20140421-9 all Headers from the SELinux reference policy for building mo
> ii selinux-policy-src 2:2.20140421-9 all Source of the SELinux reference policy for customization
> ii selinux-utils 2.4-3build2 amd64 SELinux utility programs
> ***@ubuntu:~$ apt-cache policy selinux mysql-server-5.7 apparmor
> selinux:
> Installed: 1:0.11
> Candidate: 1:0.11
> Version table:
> *** 1:0.11 500
> 500 http://de.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
> 500 http://de.archive.ubuntu.com/ubuntu xenial/universe i386 Packages
> 100 /var/lib/dpkg/status
> mysql-server-5.7:
> Installed: (none)
> Candidate: 5.7.16-0ubuntu0.16.04.1
> Version table:
> 5.7.16-0ubuntu0.16.04.1 500
> 500 http://de.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
> 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
> 5.7.11-0ubuntu6 500
> 500 http://de.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
> apparmor:
> Installed: (none)
> Candidate: 2.10.95-0ubuntu2.5
> Version table:
> 2.10.95-0ubuntu2.5 500
> 500 http://de.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
> 2.10.95-0ubuntu2 500
> 500 http://de.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
b) Typescript of failed attempt
-------------------------------
> root at ubuntu ~ # se_aptitude --without-recommends install mysql-server
> Authenticating ***.
> Password:
> The following NEW packages will be installed:
> apparmor{a} libapparmor-perl{a} libevent-core-2.0-5{a} mysql-client-5.7{a} mysql-client-core-5.7{a} mysql-common{a}
> mysql-server mysql-server-5.7{a} mysql-server-core-5.7{a}
> The following packages are RECOMMENDED but will NOT be installed:
> libhtml-template-perl
> 0 packages upgraded, 9 newly installed, 0 to remove and 8 not upgraded.
> Need to get 18.7 MB of archives. After unpacking 162 MB will be used.
> The following packages have unmet dependencies:
> selinux : Conflicts: apparmor but 2.10.95-0ubuntu2.5 is to be installed.
> The following actions will resolve these dependencies:
>
> Remove the following packages:
> 1) selinux
>
>
>
> Accept this solution? [Y/n/q/?] n
> The following actions will resolve these dependencies:
>
> Keep the following packages at their current version:
> 1) apparmor [Not Installed]
> 2) mysql-server [Not Installed]
> 3) mysql-server-5.7 [Not Installed]
>
>
>
> Accept this solution? [Y/n/q/?] n
>
> *** No more solutions available ***
>
> The following actions will resolve these dependencies:
>
> Keep the following packages at their current version:
> 1) apparmor [Not Installed]
> 2) mysql-server [Not Installed]
> 3) mysql-server-5.7 [Not Installed]
>
>
>
> Accept this solution? [Y/n/q/?] q
> Abandoning all efforts to resolve these dependencies.
> Abort.
--
| Bjoern Kahl +++ Siegburg +++ Germany |
| "mls at -my-domain-" +++ www.bjoern-kahl.de |
| Languages: German, English, Ancient Latin (a bit :-)) |
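
Added example, not part of the original post: a small Python check that walks `Depends` fields and reports any hard dependency whose every alternative is ruled out by a `Conflicts` of an already installed package, which is the situation in the aptitude typescript above. The control stanzas are constructed to mirror that output (they are not the packages' real control files), `example-daemon` is hypothetical, and versions, `Provides`, `Pre-Depends` and `Breaks` are ignored.

```python
import re

# Constructed stanzas modelled on the aptitude output in the post.
# "example-daemon" is hypothetical: it uses the "a | b" alternative form.
SAMPLE = """\
Package: mysql-server
Depends: mysql-server-5.7

Package: mysql-server-5.7
Depends: mysql-common, apparmor

Package: selinux
Conflicts: apparmor

Package: example-daemon
Depends: apparmor | selinux-basics
"""

def parse_stanzas(text):
    """Map package name -> {field: value} for blank-line separated stanzas."""
    pkgs = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        pkgs[fields["Package"]] = fields
    return pkgs

def relation(value):
    """'a (>= 1) | b, c' -> [['a', 'b'], ['c']]; version constraints dropped."""
    return [[re.sub(r"[\s(:].*", "", alt.strip()) for alt in grp.split("|")]
            for grp in value.split(",") if grp.strip()]

def blockers(pkg, pkgs, installed, seen=None):
    """List (package, dependency group, conflicting installed packages) for each
    hard dependency below pkg that has no conflict-free alternative."""
    seen = set() if seen is None else seen
    if pkg in seen or pkg not in pkgs:
        return []
    seen.add(pkg)
    conflicts_with = lambda dep: sorted(
        i for i in installed
        if dep in sum(relation(pkgs.get(i, {}).get("Conflicts", "")), []))
    found = []
    for group in relation(pkgs[pkg].get("Depends", "")):
        hits = {dep: conflicts_with(dep) for dep in group}
        free = [dep for dep in group if not hits[dep]]
        if free:   # follow the first alternative that nothing installed rejects
            found += blockers(free[0], pkgs, installed, seen)
        else:      # every alternative is rejected: no solution keeps `installed`
            found.append((pkg, group, sorted({i for h in hits.values() for i in h})))
    return found
```

With `selinux` installed, the walk from `mysql-server` stops at the `apparmor` entry of `mysql-server-5.7`, while the hypothetical `example-daemon` resolves through its second alternative.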