Ubuntu Linux: Disable Apparmor For Specific Profile / Service Such As Mysqld Server

Cpanel/Whm License $3/mo Plesk License $10/mo Cloudlinux License $5/mo

AppArmor (“Application Armor”) is a security module for the Linux kernel and integrated into both kernel and Ubuntu Linux. How do I disable AppArmor protection for mysql profile / service under Ubuntu or Novell Suse Enterprise Linux?

Use the apparmor_status or aa-status command to see various information about the current AppArmor policy. Type the following command as root user or use it via sudo command:

$ sudo apparmor_status

OR

$ sudo aa-status

Sample outputs:

apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/mysqld (27816) 
   /usr/sbin/ntpd (31952) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

You can also type the following command to see the list of the profiles currently loaded using /sys/kernel/security/apparmor/profiles file:
$ cat /sys/kernel/security/apparmor/profiles
Sample outputs:

/sys/kernel/security/apparmor/profiles
/usr/sbin/mysqld (enforce)
/usr/sbin/tcpdump (enforce)
/usr/sbin/ntpd (enforce)
/usr/lib/connman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
/sbin/dhclient (enforce)

All apparmor profiles are traditionally stored in files in /etc/apparmor.d/ directory under varous filenames.

Commands to disable one profile

The syntax is:

sudo ln -s /etc/apparmor.d/{profile.name-here} /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/{profile.name-name-here}

To disable a profile called mysql i.e. disable apparmore protection for mysql server, enter:

sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld

Verify that mysqld protection is disabled:
sudo aa-status
Sample outputs:

apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/ntpd (31952) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

How do I turn on (enable) apparmor protection for mysql again?

Type the following commands:

sudo rm /etc/apparmor.d/disable/usr.sbin.mysqld
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
sudo aa-status

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Related posts

Zuckerberg to Study Crypto in Quest to Fix Facebook

SXI ADMIN

Zooko Wilcox Envisions ‘Ambitious’ Changes for Zcash Cryptocurrency

SXI ADMIN

ZombieChain Comes Alive: Can Ethereum Sidechains Save the Dapps?

SXI ADMIN

ZoKrates Seeks to Bring Best of Zcash to Ethereum with Devcon Debut

SXI ADMIN

Zk-Starks? New Take on Zcash Tech Could Power Truly Private Blockchains

SXI ADMIN

Zk-Snarks Everywhere: Ethereum Privacy Tech Hits Tipping Point

SXI ADMIN

ZipZap to Offer Cash-for-Bitcoin Service at 28,000 UK Locations

SXI ADMIN

ZipZap Resumes Cash-to-Bitcoin Services for UK Shoppers

SXI ADMIN

ZipZap Raises $1.1 Million to Grow Global Bitcoin Payments Network

SXI ADMIN

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More