AppArmor (“Application Armor”) is a security module for the Linux kernel. It is integrated into both the kernel and Ubuntu Linux. How do I disable AppArmor protection for the mysql profile / service under Ubuntu or Novell Suse Enterprise Linux?

Tutorial details
Difficulty level: Intermediate
Root privileges: Yes
Requirements: Ubuntu / Suse Linux
Est. reading time: N/A

Use the apparmor_status or aa-status command to see information about the current AppArmor policy. Type the following command as the root user or run it via the sudo command:

$ sudo apparmor_status

OR

$ sudo aa-status

Sample outputs:

apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/mysqld (27816) 
   /usr/sbin/ntpd (31952) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

You can also type the following command to see the list of currently loaded profiles from the /sys/kernel/security/apparmor/profiles file:
$ cat /sys/kernel/security/apparmor/profiles
Sample outputs:

/sys/kernel/security/apparmor/profiles
/usr/sbin/mysqld (enforce)
/usr/sbin/tcpdump (enforce)
/usr/sbin/ntpd (enforce)
/usr/lib/connman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
/sbin/dhclient (enforce)

All AppArmor profiles are traditionally stored in files in the /etc/apparmor.d/ directory under various filenames.

Commands to disable one profile

The syntax is:

sudo ln -s /etc/apparmor.d/{profile.name-here} /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/{profile.name-here}

To disable the profile called mysql, i.e. disable AppArmor protection for the mysql server, enter:

sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld

Verify that mysqld protection is disabled:
sudo aa-status
Sample outputs:

apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/ntpd (31952) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

How do I turn on (enable) apparmor protection for mysql again?

Type the following commands:

sudo rm /etc/apparmor.d/disable/usr.sbin.mysqld
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
sudo aa-status
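
The disable and re-enable steps above each have two halves: the symlink in /etc/apparmor.d/disable/ controls whether the profile is loaded the next time profiles are loaded, and apparmor_parser changes what the running kernel has loaded right now. The script below is an added example, not part of the original tutorial; it reads the loaded-profile list and the disable directory and reports which halves are in effect. The AA_PROFILES and AA_DISABLE_DIR overrides, the state names and the file name check.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Defaults are the paths used
# on this page; the AA_* overrides and the state names are assumptions made
# here so the check can also be run against test copies.
AA_PROFILES="${AA_PROFILES:-/sys/kernel/security/apparmor/profiles}"
AA_DISABLE_DIR="${AA_DISABLE_DIR:-/etc/apparmor.d/disable}"

# loaded_mode NAME: print the mode of a loaded profile, or "unloaded".
# Input lines look like "/usr/sbin/mysqld (enforce)".
loaded_mode() {
    awk -v name="$1" '
        match($0, / \([a-z]+\)$/) && substr($0, 1, RSTART - 1) == name {
            print substr($0, RSTART + 2, RLENGTH - 3)
            found = 1
            exit
        }
        END { if (!found) print "unloaded" }
    ' "$AA_PROFILES"
}

# profile_state NAME FILE: combine kernel state with the disable symlink.
#   NAME is the profile name (/usr/sbin/mysqld), FILE its file name under
#   /etc/apparmor.d (usr.sbin.mysqld).
profile_state() {
    if [ ! -r "$AA_PROFILES" ]; then
        echo "unknown"            # usually means: not run as root
        return 2
    fi
    mode=$(loaded_mode "$1")
    # -L also matches a dangling symlink, -e a plain file placed there
    if [ -L "$AA_DISABLE_DIR/$2" ] || [ -e "$AA_DISABLE_DIR/$2" ]; then
        if [ "$mode" = "unloaded" ]; then
            echo "disabled"                    # both steps done
        else
            echo "disabled-but-loaded:$mode"   # apparmor_parser -R not run yet
        fi
    elif [ "$mode" = "unloaded" ]; then
        echo "unloaded-not-persistent"         # no symlink blocks a later reload
    else
        echo "$mode"
    fi
}

# Run only when called with arguments, e.g. (check.sh is a hypothetical name):
#   sudo sh check.sh /usr/sbin/mysqld usr.sbin.mysqld
if [ "$#" -eq 2 ]; then
    profile_state "$1" "$2"
fi
```

A result of disabled-but-loaded means mysqld is still confined until the profile is removed from the kernel; unloaded-not-persistent means the protection is off now but nothing records that it was turned off on purpose.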

4 comments
  • rgk Nov 29, 2012 @ 6:52

    Thank you for this article. Just one question from my ignorance :-)
    In which cases is it useful to disable AppArmor for mysql?
    Thanks again.

  • Xcaliburs May 4, 2015 @ 7:45

    Thank you for sharing, very useful. rgk: disabled it when performing LOAD DATA, in relation to this error: ‘ERROR 29 (HY000): File ‘file.txt’ not found (Errcode: 13)’. Other solutions recommend adding it to /etc/apparmor.d/usr.sbin.mysqld; while it works, it’s not efficient when you’re loading from multiple locations, because you will end up adding each location. IMHO this is way better. Cheers.

    • Cedrik Sep 14, 2016 @ 8:57

      Thanks for your article, very useful.
      Now I can upload a file in my blob bdd field :D

  • Winst Nov 13, 2016 @ 8:41

    This article was super helpful! Thank you for putting it together!
