≡ Menu

Ubuntu Linux: Disable Apparmor For Specific Profile / Service Such As Mysqld Server

AppArmor /usr/sbin/mysqld (27816) /usr/sbin/ntpd (31952) 0 processes are in complain mode. 0 processes are unconfined but have a profile defined.

You can also type the following command to see the list of the profiles currently loaded using /sys/kernel/security/apparmor/profiles file:
$ cat /sys/kernel/security/apparmor/profiles
Sample outputs:

/sys/kernel/security/apparmor/profiles
/usr/sbin/mysqld (enforce)
/usr/sbin/tcpdump (enforce)
/usr/sbin/ntpd (enforce)
/usr/lib/connman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
/sbin/dhclient (enforce)

All apparmor profiles are traditionally stored in files in /etc/apparmor.d/ directory under varous filenames.

Commands to disable one profile

The syntax is:

sudo ln -s /etc/apparmor.d/{profile.name-here} /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/{profile.name-name-here}

To disable a profile called mysql i.e. disable apparmore protection for mysql server, enter:

sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld

Verify that mysqld protection is disabled:
sudo aa-status
Sample outputs:

apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/ntpd (31952)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

How do I turn on (enable) apparmor protection for mysql again?

Type the following commands:

sudo rm /etc/apparmor.d/disable/usr.sbin.mysqld
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
sudo aa-status
Share this tutorial on:
{ 3 comments… add one }
  • rgk November 29, 2012, 6:52 am

    thank you for this article. Just one question from my ignorance, :-)
    In witch cases is usefull to disable apparmour for mysql ?
    thank again.

  • Xcaliburs May 4, 2015, 7:45 am

    Thank you for sharing, very useful. rgk: disabled it when performing LOAD DATA in relation to this error ‘ERROR 29 (HY000): File ‘file.txt’ not found (Errcode: 13)’ other solutions recommend adding it to /etc/apparmor.d/usr.sbin.mysqld while it works but it’s not efficient when you’re loading from a multiple locations because you will end up adding each locations. IMHO this is way better. Cheers.

    • Cedrik September 14, 2016, 8:57 am

      Thanks for your article, very useful.
      Now I can upload file in my blob bdd field :D

Security: Are you a robot or human?

Leave a Comment

You can use these HTML tags and attributes: <strong> <em> <pre> <code> <a href="" title="">


   Tagged with: , , , ,