Sometimes you have set all the permissions correctly but the system still throws a permission denied error. This may be because AppArmor is denying the access. AppArmor is a security module in Linux that is responsible for application-level permissions. I faced a similar situation where all my permissions were correct but I was still getting a permission denied error. For testing some stuff I modified my MySQL config file (/etc/mysql/my.cnf) and changed the socket file name from
[mysqld]
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
to
[mysqld]
pid-file = /var/run/mysqld/mysqld2.pid
socket = /var/run/mysqld/mysqld2.sock
After making this change the MySQL server would not start. When I checked the error log I found the following error:
2014-11-01 23:20:17 20241 [Note] Server socket created on IP: '127.0.0.1'.
2014-11-01 23:20:17 20241 [ERROR] Can't start server : Bind on unix socket: Permission denied
2014-11-01 23:20:17 20241 [ERROR] Do you already have another mysqld server running on socket: /var/run/mysqld/mysqld2.sock ?
2014-11-01 23:20:17 20241 [ERROR] Aborting
After a few hours of debugging and hair-pulling I found that AppArmor was denying the permission. You can confirm this by checking syslog. You should find something similar to the following in /var/log/syslog:
Nov 1 23:20:17 runishk-u14 kernel: [17877.992824] audit: type=1400 audit(1414864217.921:64): apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld2.sock" pid=20241 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
Once you are sure that AppArmor is denying the permission, you need to add a few lines to /etc/apparmor.d/local/usr.sbin.mysqld:
/var/run/mysqld/mysqld2.pid rw,
/var/run/mysqld/mysqld2.sock w,
/run/mysqld/mysqld2.pid rw,
/run/mysqld/mysqld2.sock w,
Here we are telling AppArmor to allow the mysqld service to read/write the pid file and write the socket file. You can also take a look at the predefined permission set for the mysqld service in /etc/apparmor.d/usr.sbin.mysqld. Once you have made the changes to the AppArmor local file, run the following command to tell AppArmor to re-parse the profile with the modified permissions. The command reloads the main profile, which includes the local file:
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
That's it. The MySQL service should start working again. Hope this helps you save time 🙂 Via: http://techybums.com/apparmor-permission-mysql-ubuntu/
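The syslog check described above can be scripted. The following is an added example, not part of the original post: it parses AppArmor DENIED audit lines and proposes the rule to review and add to the matching local override file. The function names, the mask-to-permission table and the local file naming (profile path with slashes turned into dots, as with usr.sbin.mysqld on this page) are assumptions of the example.

```python
import re

# Constructed sample input: the denial quoted on this page (straight quotes),
# plus an unrelated kernel line that must be ignored.
SAMPLE_LOG = [
    'Nov 1 23:20:17 runishk-u14 kernel: [17877.992824] audit: type=1400 '
    'audit(1414864217.921:64): apparmor="DENIED" operation="mknod" '
    'profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld2.sock" pid=20241 '
    'comm="mysqld" requested_mask="c" denied_mask="c" fsuid=116 ouid=116',
    'Nov 1 23:20:18 runishk-u14 kernel: [17878.100000] usb 1-1: new device',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit masks "c" (create) and "d" (delete) are granted by "w" in a profile rule.
TO_RULE_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    fields = {k: q or u for k, q, u in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def rule_for(fields):
    """Build a 'path perms,' rule from the denied mask; None if not a plain file rule."""
    mask, path = fields.get("denied_mask", ""), fields.get("name", "")
    # Skips non-path names and masks such as "x", which need a hand-picked mode.
    if not path.startswith("/") or not mask or set(mask) - set(TO_RULE_PERM):
        return None
    perms = {TO_RULE_PERM[c] for c in mask}
    if "w" in perms:
        perms.discard("a")  # "a" and "w" are mutually exclusive; "w" covers both
    return f"{path} {''.join(sorted(perms))},"

def suggest(lines):
    """Map each local override file to the sorted rules its denials call for."""
    out = {}
    for line in lines:
        fields = parse_denial(line)
        rule = rule_for(fields) if fields else None
        if rule and "profile" in fields:
            # Assumed naming: profile /usr/sbin/mysqld -> local/usr.sbin.mysqld
            name = fields["profile"].strip("/").replace("/", ".")
            out.setdefault("/etc/apparmor.d/local/" + name, set()).add(rule)
    return {f: sorted(r) for f, r in out.items()}

if __name__ == "__main__":
    for path, rules in suggest(SAMPLE_LOG).items():
        print(path, *rules, sep="\n  ")
```

The denial on this page names /run/mysqld/mysqld2.sock although my.cnf says /var/run/mysqld/mysqld2.sock, so the rule is generated for the path as logged. Treat the output as a proposal to read before adding, not something to apply blindly.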