AppArmor (short for Application Armor) is a Mandatory Access Control (MAC) system (used by Ubuntu Linux, its derivatives, and other Linux distributions), which allows an administrator to restrict a program's capabilities on a system. Restriction is handled using per-program profiles, which allow or deny access to system resources (network access, raw socket access, read/write/execute permissions on specific paths, Linux capabilities, and more). Anything a profile does not explicitly allow is denied.

With AppArmor, an administrator can set a particular application (such as the MySQL database server profile) to one of two modes:

  • Enforce – The kernel enforces the profile's rules: any access the profile does not allow is denied, and the denial is logged (to syslog, or to the audit log when auditd is running). The program keeps running, but the offending operation fails.
  • Complain – The kernel does not enforce the rules: accesses the profile would have denied are allowed and only logged, marked ALLOWED instead of DENIED.


By default, some profiles are set to Enforce and some to Complain. To find out what mode profiles are set to, issue the command:

sudo apparmor_status

The output (Figure A) lists every loaded profile and the mode it is in.

My example machine doesn't contain a LAMP server. Let's say I install the LAMP server (with the command sudo apt-get install lamp-server^ -y) and, upon successful installation, check which mode AppArmor has set MySQL to. A quick run of sudo apparmor_status now shows the /usr/sbin/mysqld profile in enforce mode.

What happens when you set up a service wherein MySQL needs to access parts of the filesystem outside the norm? AppArmor will deny the access and log the denial, and MySQL will fail in ways its own error log may not fully explain.

Changing the mode

Under normal circumstances you won't run into this, because the AppArmor profile shipped with MySQL already covers the paths a default installation uses. But that's under normal circumstances. If you're doing heavy internal development on a project that tends to color outside the lines, you might have to do one of two things:

  • Alter the MySQL apparmor configuration.
  • Set the MySQL profile to complain mode.

Why you are doing this dictates how you move forward. Let's say you're simply troubleshooting and need to understand what is happening with MySQL. First, look at the MySQL log files. Then check the kernel log for AppArmor denials (sudo dmesg | grep apparmor, or sudo journalctl -k | grep DENIED); a line containing apparmor="DENIED" and profile="/usr/sbin/mysqld" tells you exactly which path (name=) and which permission (requested_mask=) were refused. If that still tells you nothing, you might set the MySQL AppArmor profile to complain mode like so:

sudo aa-complain /usr/sbin/mysqld

At this point, AppArmor will respond that it has set the MySQL profile to complain mode (Figure B).

The important thing to remember is that once you finish troubleshooting you must return the profile to enforce mode; in complain mode nothing is being blocked. To do this, issue the command:

sudo aa-enforce /usr/sbin/mysqld

AppArmor will return MySQL to enforcing mode (Figure C).

Modifying the configuration

Here's a better way of handling things. Say, for instance, you want to change the data directory for MySQL, but AppArmor prevents you from doing that. Instead of using /var/lib/mysql, you want everything in /data/mysql. You've already taken care of the MySQL configuration (changing the datadir entry in /etc/mysql/mysql.conf.d/mysqld.cnf to /data/mysql and copying all the data from the original directory to the new location, preserving ownership and permissions, for example with rsync -a or cp -a), and yet the server won't start. You place the MySQL profile into complain mode and, voilà!, it works. However, you cannot leave the profile set to complain mode, because the database would then be running with no confinement at all. What do you do?

You add the new directory such that AppArmor is aware of it. How? Simple. Issue the command:

sudo nano /etc/apparmor.d/local/usr.sbin.mysqld

Add the following lines to that file (the main profile, /etc/apparmor.d/usr.sbin.mysqld, already includes it, so your additions survive package upgrades):

/data/mysql r,
/data/mysql/** rwk,

Note: the first rule grants read (r) on the directory itself; the second grants read, write, and file lock (rwk) on everything beneath it, which is what the stock profile grants on /var/lib/mysql.

Save and close that file. Reload the MySQL profile with the command:

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld

(Restarting the whole service with sudo systemctl restart apparmor reloads every profile and works too, but the single-profile reload is quicker and limits the change to mysqld.)

Make sure the MySQL profile is set to enforce (check with sudo apparmor_status, and run sudo aa-enforce /usr/sbin/mysqld if you had switched it to complain), restart MySQL, and everything should now work as expected. If it doesn't, the kernel log will again show exactly which path is still being denied.
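As an added example (not from the article, and not an AppArmor tool), here is a small POSIX shell script that automates the triage described above: it parses the AppArmor audit messages the kernel logs (apparmor="DENIED" in enforce mode, apparmor="ALLOWED" in complain mode), keeps only those for the /usr/sbin/mysqld profile, collapses anything under the new data directory into the two rules the article adds, turns any other denied path into a rule carrying the union of the masks requested for it, and writes the result to a local override file. The log lines are constructed samples in the kernel's format, the function names (aa_denials, aa_rules, aa_write_local) are ours, and the output file path is a parameter so you can inspect the rules before copying them to /etc/apparmor.d/local/usr.sbin.mysqld.

```shell
#!/bin/sh
# Added example, not part of the article: triage AppArmor audit messages for
# one profile and turn them into candidate rules for the local override file.
# Function names are ours (hypothetical helpers), not AppArmor's own tools.

# Constructed sample log lines in the format the kernel emits for AppArmor.
# apparmor="DENIED" is what enforce mode logs; apparmor="ALLOWED" is what
# complain mode logs for the same access. Paths are assumed to contain no spaces.
SAMPLE_LOG='audit: type=1400 audit(1700000000.100:201): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/data/mysql/ibdata1" pid=2101 comm="mysqld" requested_mask="rw" denied_mask="rw" fsuid=112 ouid=112
audit: type=1400 audit(1700000000.101:202): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/mysqld" name="/data/mysql/ibdata1" pid=2101 comm="mysqld" requested_mask="k" denied_mask="k" fsuid=112 ouid=112
audit: type=1400 audit(1700000000.102:203): apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld" name="/data/mysql/mysql/user.frm" pid=2101 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=112 ouid=112
audit: type=1400 audit(1700000000.103:204): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/root/capture.pcap" pid=903 comm="tcpdump" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.104:205): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/conf.d/extra.cnf" pid=2101 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=112 ouid=112'

# aa_denials PROFILE
# Read audit lines on stdin; print "path mask" for every DENIED or ALLOWED
# file access attributed to PROFILE, deduplicated. Entries without a name=
# field (network or capability denials) are skipped.
aa_denials() {
    awk -v prof="$1" '
        /apparmor="(DENIED|ALLOWED)"/ {
            p = n = m = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "profile") p = kv[2]
                else if (kv[1] == "name") n = kv[2]
                else if (kv[1] == "requested_mask") m = kv[2]
            }
            gsub(/"/, "", p); gsub(/"/, "", n); gsub(/"/, "", m)
            if (p == prof && n != "") print n, m
        }' | sort -u
}

# aa_rules DATADIR
# Read "path mask" pairs on stdin and print AppArmor file rules. Paths under
# DATADIR collapse into the two rules from the article; every other path gets
# one rule with the union of the masks seen for it, letters in a fixed order.
aa_rules() {
    awk -v dir="$1" '
        BEGIN { order = "rwakml" }
        {
            path = $1; mask = $2
            if (path == dir || index(path, dir "/") == 1) { under = 1; next }
            gsub(/c/, "w", mask)          # "c" (create) is a write in rule syntax
            seen[path] = seen[path] mask
        }
        END {
            if (under) { print dir " r,"; print dir "/** rwk," }
            n = 0
            for (p in seen) keys[++n] = p
            for (i = 2; i <= n; i++) {    # insertion sort for stable output
                v = keys[i]; j = i - 1
                while (j > 0 && keys[j] > v) { keys[j + 1] = keys[j]; j-- }
                keys[j + 1] = v
            }
            for (i = 1; i <= n; i++) {
                out = ""
                for (c = 1; c <= length(order); c++) {
                    ch = substr(order, c, 1)
                    if (index(seen[keys[i]], ch)) out = out ch
                }
                print keys[i] " " out ","
            }
        }'
}

# aa_write_local FILE
# Write the rules on stdin into FILE with a header comment and echo FILE.
# The real target is /etc/apparmor.d/local/usr.sbin.mysqld; afterwards run
#   sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
# to reload the profile.
aa_write_local() {
    {
        echo "# Site-specific additions to the mysqld profile (generated from the audit log)"
        cat
    } > "$1"
    echo "$1"
}

# Demo on the constructed sample: candidate rules for the mysqld profile.
printf '%s\n' "$SAMPLE_LOG" | aa_denials /usr/sbin/mysqld | aa_rules /data/mysql
```

Review the generated rules before installing them: a rule produced from a denial is only as good as the access that triggered it, and a denial caused by a misconfiguration should be fixed in MySQL, not granted in the profile.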

Not for the faint of heart

I do not recommend working with AppArmor for the faint of heart. You really need to understand what you're doing before you dive into this, or at least understand how to move profiles back and forth between enforce and complain mode and how to read the denials in the kernel log. Either way, make sure to read the AppArmor man page (with the command man apparmor) before undertaking any action.