Hey,

> There are two unrelated things in this discussion:

thanks for the clarification.

> a) the need to update the postgresql_akonadi AppArmor profile when using
> the internal postgres service (= this mail)
>
> b) Sedat switched to using the system wide postgres (not relevant for
> the AppArmor profile, except that it of course avoids the profile for
> the internal postgres service)
>
> > (This in itself is not really supported by Akonadi; normally Akonadi
> > is taking care of starting and stopping the database itself). So
> > what is the advantage of starting/stopping postgres outside of
> > Akonadi?
>
> I use Akonadi with my system-wide MySQL, so let me answer from my POV:
> It avoids running another MySQL instance (I have a system-wide MySQL
> running anyway), and my _impression_ (no hard facts) is that it works a
> bit more stably than with the Akonadi-internal MySQL. I can only guess,
> but maybe the internal MySQL gets stopped the hard way on logout if the
> regular stop takes too long?
>
> Again: This is only my impression, I don't have hard facts.

I use the internal MySQL and didn't need to tweak anything. Maybe you
would have to tweak the internal MySQL settings for a better experience.
The settings of Akonadi are very conservative. But that is a totally
unrelated topic.

> > > > BEFORE: profile postgresql_akonadi {
> > > > AFTER: profile postgresql_akonadi flags=(attach_disconnected) {
> > >
> > > Right, the flags=(attach_disconnected) addition is the correct
> > > fix.
> >
> > What does this flag do?
>
> The starting point was this message:
>
> [Thu Sep 3 15:27:34 2020] audit: type=1400 audit(1599139654.969:28):
> apparmor="DENIED" operation="file_mmap" info="Failed name lookup -
> disconnected path" error=-13 profile="postgresql_akonadi" name=""
> pid=2126 comm="postgres" requested_mask="wr" denied_mask="wr"
> fsuid=1000 ouid=1000
>
> As you can see, the message in this specific case is about name=""
>
> The simplified explanation is that with attach_disconnected, this will
> become name="/" - attach_disconnected prepends a / to paths that
> aren't connected to the root filesystem namespace.

Okay, but what does name="/" do? Why does this help?

As far as I understand the audit message, it tries to start "postgres"
without shipping the complete path. But the postgres command is never in
the normal path, as it exists under /usr/lib/postgresql/XX/bin/postgres,
so executing postgres fails anyway.

But maybe we move this discussion to a merge request to upstream, that we
can then backport, so also others can learn:
https://invent.kde.org/pim/akonadi/-/merge_requests/29

> > Does this mean that every postgres service I
> > start will be run under this profile?
>
> No.
>
> > Or can AppArmor distinguish
> > between the system wide postgresql@12-main.service and the akonadi
> > one (akonadi-dileks)?
>
> Yes, because the akonadi profile probably (at least I guess so, I don't
> use Debian and never looked at the Akonadi profile) has a rule saying
> /usr/bin/postgresql Cx -> postgresql_akonadi,
> which means "if akonadi executes postgres, use the postgresql_akonadi
> child profile".
>
> For the system-wide postgresql, the "if akonadi executes postgres"
> condition won't match ;-)
>
> > Because keep in mind the profile
> > postgresql_akonadi should only be added to this instance that is
> > connected to akonadi and not the other postgres clusters. The idea of
> > the profiles is that the non Akonadi instances of postgres and mysql
> > don't get any akonadi profile attached.
>
> Right, and this won't change with the added flag.

Okay, thanks, this helps already a lot.

hefee
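As an added illustration (not part of this thread, of Akonadi or of the Debian AppArmor profiles), here is a small Python script that picks the "disconnected path" denials discussed above out of dmesg-style AppArmor audit lines and prints the profile header change that addresses them. The log lines are constructed after the one quoted in the thread, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines: the first is modelled on the denial quoted in the
# thread, the other two are ordinary events kept for contrast.
SAMPLE_LOG = """\
[Thu Sep 3 15:27:34 2020] audit: type=1400 audit(1599139654.969:28): apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="postgresql_akonadi" name="" pid=2126 comm="postgres" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
[Thu Sep 3 15:27:35 2020] audit: type=1400 audit(1599139655.001:29): apparmor="DENIED" operation="open" profile="postgresql_akonadi" name="/etc/hosts" pid=2126 comm="postgres" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Thu Sep 3 15:27:36 2020] audit: type=1400 audit(1599139656.123:30): apparmor="ALLOWED" operation="open" profile="mysqld_akonadi" name="/tmp/x" pid=2200 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict.
    Quoted values keep embedded spaces; the surrounding quotes are stripped."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def is_disconnected_denial(ev):
    """True when the kernel could not name the path for the confined process:
    AppArmor logs name="" together with the 'disconnected path' info text.
    This is exactly the case the attach_disconnected flag is meant for."""
    return (ev.get("apparmor") == "DENIED"
            and (ev.get("name") == "" or "disconnected path" in ev.get("info", "")))

def profiles_needing_flag(log_text):
    """Map each profile that produced a disconnected-path denial to the
    (operation, comm) pairs that triggered it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if "apparmor=" not in line:
            continue
        ev = parse_audit_line(line)
        if is_disconnected_denial(ev):
            hits[ev["profile"]].add((ev.get("operation"), ev.get("comm")))
    return dict(hits)

def profile_header_with_flag(profile_name):
    """The one-line profile change discussed in the thread, as a string."""
    return f"profile {profile_name} flags=(attach_disconnected) {{"

if __name__ == "__main__":
    for prof, ops in profiles_needing_flag(SAMPLE_LOG).items():
        print(prof, sorted(ops), "->", profile_header_with_flag(prof))
```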