| Tutorial details | |
|---|---|
| Difficulty level | Intermediate |
| Root privileges | Yes |
| Requirements | Ubuntu / Suse Linux |
| Est. reading time | 2 minutes |
$ sudo apparmor_status
OR
$ sudo aa-status
Sample outputs:
apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/sbin/mysqld
/usr/sbin/ntpd
/usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/mysqld (27816)
/usr/sbin/ntpd (31952)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
You can also list the currently loaded profiles by reading the /sys/kernel/security/apparmor/profiles file:
$ cat /sys/kernel/security/apparmor/profiles
Sample outputs:
/usr/sbin/mysqld (enforce)
/usr/sbin/tcpdump (enforce)
/usr/sbin/ntpd (enforce)
/usr/lib/connman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
/sbin/dhclient (enforce)
AppArmor profiles are traditionally stored as files in the /etc/apparmor.d/ directory under various filenames.
Commands to disable one profile
The syntax is:
sudo ln -s /etc/apparmor.d/{profile.name-here} /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/{profile.name-here}
To disable the profile for mysql, i.e. disable AppArmor protection for the MySQL server, enter:
sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
Verify that mysqld protection is disabled:
sudo aa-status
Sample outputs:
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/sbin/ntpd
/usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/ntpd (31952)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
How do I turn on (enable) apparmor protection for mysql again?
Type the following commands:
sudo rm /etc/apparmor.d/disable/usr.sbin.mysqld
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
sudo aa-status
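The two disable commands change different things: the symlink in /etc/apparmor.d/disable/ keeps the profile from being loaded from disk, while apparmor_parser -R removes it from the running kernel. The script below is an added example, not part of the original article, that reports whether the two agree for one profile; the function names profile_state, loaded_mode and demo are hypothetical, and the demo input is constructed.

```shell
#!/bin/sh
# Added example, not from the article: compare a profile's on-disk state
# with what the kernel has loaded. Paths default to the ones the article uses.
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"
PROFILES_LIST="${PROFILES_LIST:-/sys/kernel/security/apparmor/profiles}"

# Print the mode (enforce/complain) of a loaded profile; nothing if not loaded.
loaded_mode() {
    [ -r "$PROFILES_LIST" ] || return 0
    awk -v name="$1" '{
        mode = $NF; gsub(/[()]/, "", mode)       # "(enforce)" -> "enforce"
        line = $0; sub(/ \([^)]*\)$/, "", line)  # strip trailing " (mode)"
        if (line == name) { print mode; exit }
    }' "$PROFILES_LIST"
}

# $1 = profile name as the kernel lists it, $2 = its file name in $APPARMOR_DIR
profile_state() {
    mode=$(loaded_mode "$1")
    if [ -L "$APPARMOR_DIR/disable/$2" ]; then
        if [ -n "$mode" ]; then
            echo "disabled-on-disk-but-still-loaded:$mode"   # -R was never run
        else
            echo "disabled"
        fi
    elif [ -n "$mode" ]; then
        echo "$mode"
    elif [ -e "$APPARMOR_DIR/$2" ]; then
        echo "enabled-on-disk-but-not-loaded"   # comes back on next profile load
    else
        echo "no-profile"
    fi
}

# Constructed sample: the symlink exists but "apparmor_parser -R" was skipped.
demo() (
    t=$(mktemp -d) || exit 1
    mkdir "$t/disable" && : > "$t/usr.sbin.mysqld"
    ln -s "$t/usr.sbin.mysqld" "$t/disable/"
    echo '/usr/sbin/mysqld (enforce)' > "$t/profiles"
    APPARMOR_DIR=$t PROFILES_LIST=$t/profiles
    profile_state /usr/sbin/mysqld usr.sbin.mysqld
    rm -rf "$t"
)

# With two arguments, check the real host (reading the list may need root).
if [ "$#" -eq 2 ]; then profile_state "$1" "$2"; else demo; fi
```

On a real host, run it as root with the profile name and its file name, for example /usr/sbin/mysqld and usr.sbin.mysqld; any answer other than enforce, complain or disabled means one of the two steps was skipped.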









Thank you for this article. Just one question from my ignorance :-)
In which cases is it useful to disable apparmor for mysql?
Thanks again.
Thank you for sharing, very useful. rgk: I disabled it when performing LOAD DATA, in relation to this error: ‘ERROR 29 (HY000): File ‘file.txt’ not found (Errcode: 13)’. Other solutions recommend adding it to /etc/apparmor.d/usr.sbin.mysqld; while that works, it’s not efficient when you’re loading from multiple locations because you will end up adding each location. IMHO this is way better. Cheers.
Thanks for your article, very useful.
Now I can upload file in my blob bdd field :D
This article was super helpful! Thank you for putting it together!