Ubuntu Linux: Disable AppArmor for a specific profile/service (for example, the MySQL server)

Date: 2020-01-09 10:45:36  Source: igfitidea

AppArmor (Application Armor) is a Linux kernel security module that confines programs to a per-program profile; it is built into the kernel and enabled by default on Ubuntu Linux.
How do I disable AppArmor protection for the MySQL profile/service under Ubuntu or SUSE Linux Enterprise (Novell)?

Use the apparmor_status or aa-status command to see the current AppArmor policy: which profiles are loaded, which mode (enforce or complain) each is in, and which running processes are confined.
Run the following as root, or through sudo:

$ sudo apparmor_status

or

$ sudo aa-status

Sample output:

apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/mysqld (27816) 
   /usr/sbin/ntpd (31952) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

You can also read the list of currently loaded profiles directly from the kernel, via the /sys/kernel/security/apparmor/profiles file (the same data aa-status reports):

$ cat /sys/kernel/security/apparmor/profiles

Sample output:

/usr/sbin/mysqld (enforce)
/usr/sbin/tcpdump (enforce)
/usr/sbin/ntpd (enforce)
/usr/lib/connman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
/sbin/dhclient (enforce)

By convention, AppArmor profiles are stored as files under the /etc/apparmor.d/ directory, one file per profile, named after the path of the confined binary with each "/" replaced by "." (so the profile for /usr/sbin/mysqld lives in /etc/apparmor.d/usr.sbin.mysqld).

Command to disable one profile

The syntax is as follows. The symlink into /etc/apparmor.d/disable/ keeps the profile from being loaded again at boot; apparmor_parser -R unloads it from the running kernel immediately:

sudo ln -s /etc/apparmor.d/{profile.name-here} /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/{profile.name-here}

To disable the mysqld profile, i.e. turn off AppArmor protection for the MySQL server, run the following. Note that this leaves mysqld completely unconfined; if the profile merely blocks a path MySQL needs (a non-default datadir, for example), it is better to add that rule to /etc/apparmor.d/local/usr.sbin.mysqld and reload the profile, or to put the profile into complain mode with aa-complain while you debug, and keep enforce mode in production:

sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld

Verify that mysqld is no longer confined (it should disappear from both the profile list and the process list):

sudo aa-status

Sample output:

apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/ntpd (31952) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

How do I turn AppArmor protection for MySQL back on?

Remove the symlink from the disable/ directory and reload the profile into the kernel (apparmor_parser -r loads or replaces it), then confirm with aa-status:

sudo rm /etc/apparmor.d/disable/usr.sbin.mysqld
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
sudo aa-status
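The whole procedure above (check a profile's mode, disable it, verify, re-enable it) as one reusable script. This is an added example, not code from the original page or from the AppArmor project. The APPARMOR_D, AA_PROFILES_FILE and DRY_RUN variables, the function names, and the built-in --demo walkthrough are assumptions introduced here so the functions can be exercised without root on a constructed directory layout; with the defaults and DRY_RUN unset, the script runs the real commands against /etc/apparmor.d and must be run as root.

```shell
#!/bin/sh
# aa-profile-toggle.sh: disable / re-enable one AppArmor profile and check its state.
# Overridable paths (assumptions for this example, so it can be tried without root):
#   APPARMOR_D        profile directory      (default /etc/apparmor.d)
#   AA_PROFILES_FILE  kernel profile list    (default /sys/kernel/security/apparmor/profiles)
#   DRY_RUN=1         print the apparmor_parser command instead of running it
APPARMOR_D="${APPARMOR_D:-/etc/apparmor.d}"
AA_PROFILES_FILE="${AA_PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"
DRY_RUN="${DRY_RUN:-0}"

# Run apparmor_parser for real, or only echo the command in dry-run mode.
aa_parser() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: apparmor_parser %s\n' "$*"
    else
        apparmor_parser "$@"
    fi
}

# aa_profile_mode <binary path>: prints enforce, complain or unloaded by reading the
# kernel's profile list, whose lines look like "/usr/sbin/mysqld (enforce)".
aa_profile_mode() {
    if [ ! -r "$AA_PROFILES_FILE" ]; then
        printf 'unknown\n'          # AppArmor module not loaded, or not root
        return 2
    fi
    mode=$(awk -v p="$1" '$1 == p { gsub(/[()]/, "", $2); print $2; exit }' "$AA_PROFILES_FILE")
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else printf 'unloaded\n'; fi
}

# aa_profile_disabled <profile file name>: true if the disable symlink exists,
# i.e. the profile will not be loaded again at boot.
aa_profile_disabled() {
    [ -L "$APPARMOR_D/disable/$1" ]
}

# aa_disable_profile <profile file name>: symlink the profile into disable/ (persistent
# across reboots) and unload it from the running kernel now (apparmor_parser -R).
aa_disable_profile() {
    name=$1
    if [ ! -f "$APPARMOR_D/$name" ]; then
        printf 'no such profile: %s\n' "$APPARMOR_D/$name" >&2
        return 1
    fi
    mkdir -p "$APPARMOR_D/disable"
    ln -sf "$APPARMOR_D/$name" "$APPARMOR_D/disable/$name"
    aa_parser -R "$APPARMOR_D/$name"
}

# aa_enable_profile <profile file name>: remove the disable symlink and (re)load the
# profile into the kernel in enforce mode (apparmor_parser -r).
aa_enable_profile() {
    name=$1
    if [ ! -f "$APPARMOR_D/$name" ]; then
        printf 'no such profile: %s\n' "$APPARMOR_D/$name" >&2
        return 1
    fi
    rm -f "$APPARMOR_D/disable/$name"
    aa_parser -r "$APPARMOR_D/$name"
}

# Walkthrough on a constructed (not real) layout, so it needs no root:
#   sh aa-profile-toggle.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    APPARMOR_D="$tmp/apparmor.d"; AA_PROFILES_FILE="$tmp/profiles"; DRY_RUN=1
    mkdir -p "$APPARMOR_D"
    : > "$APPARMOR_D/usr.sbin.mysqld"                       # constructed stand-in profile
    printf '%s\n' '/usr/sbin/mysqld (enforce)' '/usr/sbin/ntpd (enforce)' > "$AA_PROFILES_FILE"
    echo "mysqld mode before: $(aa_profile_mode /usr/sbin/mysqld)"
    aa_disable_profile usr.sbin.mysqld
    aa_profile_disabled usr.sbin.mysqld && echo "disable symlink present"
    aa_enable_profile usr.sbin.mysqld
    aa_profile_disabled usr.sbin.mysqld || echo "disable symlink removed"
    rm -rf "$tmp"
fi
```

On a real host, run it as root without DRY_RUN and follow with aa-status, exactly as in the manual steps; the disable symlink is what makes the change survive a reboot, while apparmor_parser -R/-r is what changes the running kernel, so a practitioner wants both, and the aa_profile_mode check closes the loop.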