Tutorial details | |
---|---|
Difficulty | Intermediate |
Root privileges | Yes |
Requirements | Ubuntu / Suse Linux |
Time | N/A |
$ sudo apparmor_status
OR
$ sudo aa-status
Sample outputs:
apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/sbin/mysqld
/usr/sbin/ntpd
/usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/mysqld (27816)
/usr/sbin/ntpd (31952)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
You can also list the currently loaded profiles by reading the /sys/kernel/security/apparmor/profiles file:
$ cat /sys/kernel/security/apparmor/profiles
Sample outputs:
/usr/sbin/mysqld (enforce)
/usr/sbin/tcpdump (enforce)
/usr/sbin/ntpd (enforce)
/usr/lib/connman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
/sbin/dhclient (enforce)
All AppArmor profiles are traditionally stored as files in the /etc/apparmor.d/ directory under various filenames.
Commands to disable one profile
The syntax is:
sudo ln -s /etc/apparmor.d/{profile.name-here} /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/{profile.name-here}
To disable a profile called mysql, i.e. disable AppArmor protection for the mysql server, enter:
sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
Verify that mysqld protection is disabled:
sudo aa-status
Sample outputs:
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/sbin/ntpd
/usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/ntpd (31952)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
How do I turn on (enable) AppArmor protection for mysql again?
Type the following commands:
sudo rm /etc/apparmor.d/disable/usr.sbin.mysqld
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
sudo aa-status
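The disable procedure has two separate effects: the link in /etc/apparmor.d/disable/ keeps the profile from being loaded again, and apparmor_parser -R removes it from the running kernel. The shell sketch below is an added example, not part of the original article; it reports when those two views disagree for one profile. The function names aa_loaded_mode and aa_profile_state and the demo data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit the state of one profile.

# Print the mode of profile $1 found in listing $2 (lines of "name (mode)"),
# or "unloaded" when the exact name is not listed.
aa_loaded_mode() {
    awk -v want="$1" '
        { mode = $NF                      # last field is "(enforce)" or "(complain)"
          sub(/ \([^()]*\)$/, "")         # strip it, leaving only the profile name
          if ($0 == want) { gsub(/[()]/, "", mode); print mode; found = 1; exit } }
        END { if (!found) print "unloaded" }' "$2"
}

# aa_profile_state NAME FILE [LISTING] [DIR]
# Combines the kernel view (LISTING) with the on-disk view (DIR/disable/FILE).
aa_profile_state() {
    list=${3:-/sys/kernel/security/apparmor/profiles}
    dir=${4:-/etc/apparmor.d}
    mode=$(aa_loaded_mode "$1" "$list")
    # -L also catches a dangling link, which -e alone would miss
    if [ -e "$dir/disable/$2" ] || [ -L "$dir/disable/$2" ]; then link=yes; else link=no; fi
    case "$link/$mode" in
        yes/unloaded) echo "disabled" ;;
        yes/*)        echo "mismatch: disable link exists but profile is loaded ($mode)" ;;
        no/unloaded)  echo "mismatch: not loaded, and no disable link" ;;
        no/*)         echo "$mode" ;;
    esac
}

# Demo on constructed data, so it runs without root and without AppArmor.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/disable"
    printf '%s\n' '/usr/sbin/mysqld (enforce)' '/usr/sbin/ntpd (enforce)' \
        '/usr/sbin/tcpdump (complain)' > "$tmp/profiles"
    # Only the first command of the disable procedure was run: link made,
    # profile never removed with apparmor_parser -R.
    ln -s /etc/apparmor.d/usr.sbin.mysqld "$tmp/etc/disable/"
    aa_profile_state /usr/sbin/mysqld usr.sbin.mysqld "$tmp/profiles" "$tmp/etc"
    aa_profile_state /usr/sbin/ntpd usr.sbin.ntpd "$tmp/profiles" "$tmp/etc"
    rm -rf "$tmp"
}
demo
```

On a real host, run it as root with only the first two arguments, for example `aa_profile_state /usr/sbin/mysqld usr.sbin.mysqld`, so that it reads the live listing and /etc/apparmor.d.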
Thank you for this article. Just one question from my ignorance, :-)
In which cases is it useful to disable apparmor for mysql?
Thanks again.
Thank you for sharing, very useful. rgk: disabled it when performing LOAD DATA in relation to this error ‘ERROR 29 (HY000): File ‘file.txt’ not found (Errcode: 13)’. Other solutions recommend adding it to /etc/apparmor.d/usr.sbin.mysqld; while it works, it’s not efficient when you’re loading from multiple locations because you will end up adding each location. IMHO this is way better. Cheers.
Thanks for your article, very useful.
Now I can upload file in my blob bdd field :D
This article was super helpful! Thank you for putting it together!