Working with AppArmor

    The operating system has a Discretionary Access Controls (DAC) system. AppArmor supplements the DAC with a Mandatory Access Control (MAC) system. AppArmor is the default security module for Ubuntu or Debian systems and uses profiles to define how programs access resources.

    AppArmor is path-based and restricts processes by using profiles. Each profile contains a set of policy rules. Some applications may install their profile along with the application. If an installation does not also install a profile, then that application is not part of the AppArmor subsystem. You can also create profiles since they are simple text files stored in the /etc/apparmor.d directory.

    A profile is in one of the following modes:

    • Enforce - the default setting, applications are prevented from taking actions restricted by the profile rules.

    • Complain - applications are allowed to take restricted actions, and the actions are logged.

    • Disabled - applications are allowed to take restricted actions, and the actions are not logged.

    You can mix enforce profiles and complain profiles in your server.

Install the utilities used to control AppArmor

    Install the apparmor-utils package to work with profiles. Use these utilities to create, update, enforce, switch to complain mode, and disable profiles, as needed:

    $ sudo apt install apparmor-utils
    
    Expected output
    Reading package lists... Done
    Building dependency tree
    ...
    The following additional packages will be installed:
        python3-apparmor python3-libapparmor
    ...
    

Check the current status

    As root or using sudo, you can check the AppArmor status:

    $ sudo aa-status
    
    Expected output
    apparmor module is loaded.
    34 profiles are loaded.
    32 profiles in enforce mode.
    ...
        /usr/sbin/mysqld
    ...
    2 profiles in complain mode.
    ...
    3 profiles have profiles defined.
    ...
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.
    

Switch a profile to complain mode

    Switch a profile to complain mode when the program is in your path with this command:

    $ sudo aa-complain <program>
    

    If needed, specify the program’s path in the command:

    $ sudo aa-complain /sbin/<program>
    

    If the profile is not stored in /etc/apparmor.d/, use the following command:

    $ sudo aa-complain /path/to/profiles/<program>
    

Switch a profile to enforce mode

    Switch a profile to the enforce mode when the program is in your path with this command:

    $ sudo aa-enforce <program>
    

    If needed, specify the program’s path in the command:

    $ sudo aa-enforce /sbin/<program>
    

    If the profile is not stored in /etc/apparmor.d/, use the following command:

    $ sudo aa-enforce /path/to/profile
    

Disable one profile

You can disable a profile, but switching the profile to complain mode is recommended instead: complain mode still logs the actions the profile would have restricted, while a disabled profile logs nothing.

    Use either of the following methods to disable a profile:

    $ sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
    $ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
    

    or

$ sudo aa-disable /etc/apparmor.d/usr.sbin.mysqld
    

Reload all profiles

    Run either of the following commands to reload all profiles:

    $ sudo service apparmor reload
    

    or

    $ sudo systemctl reload apparmor.service
    

Reload one profile

    To reload one profile, run the following:

    $ sudo apparmor_parser -r /etc/apparmor.d/<profile>
    

    For some changes to take effect, you may need to restart the program.

Disable AppArmor

AppArmor provides security, and disabling the system is not recommended. If AppArmor must be disabled, run the following commands:

    1. Check the status.

      $ sudo apparmor_status
      
    2. Stop and disable AppArmor.

      $ sudo systemctl stop apparmor
      $ sudo systemctl disable apparmor
      

Add the mysqld profile

    Add the mysqld profile with the following procedure:

1. Download the current version of the AppArmor profile for mysqld:

      $ wget https://raw.githubusercontent.com/mysql/mysql-server/8.0/packaging/deb-in/extra/apparmor-profile
      

      The expected output:

      ...
      Saving to 'apparmor-profile'
      ...
      
    2. Move the file to /etc/apparmor.d/usr.sbin.mysqld

      $ sudo mv apparmor-profile /etc/apparmor.d/usr.sbin.mysqld
      
    3. Create an empty file for editing:

      $ sudo touch /etc/apparmor.d/local/usr.sbin.mysqld
      
    4. Load the profile:

      $ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.mysqld
      
    5. Restart Percona Server for MySQL:

      $ sudo systemctl restart mysql
      
    6. Verify the profile status:

      $ sudo aa-status
      
      Expected output
      ...
      processes are in enforce mode
      ...
      /usr/sbin/mysqld (100840)
      ...
      

Edit the mysqld profile

Only edit /etc/apparmor.d/local/usr.sbin.mysqld. We recommend that you switch the profile to complain mode before editing the file. Edit the file in any text editor. When your work is done, reload the profile and switch it back to enforce mode.

Configure a custom data directory location

You can change the data directory to a non-default location, like /var/lib/mysqlcustom. Enable audit mode to capture all of the actions, and edit the local profile to allow access to the custom location. The configuration file below sets the custom data directory:

    $ cat /etc/mysql/mysql.conf.d/mysqld.cnf
    
    Expected output
    #
    # The Percona Server 8.0 configuration file.
    #
    # For explanations see
    # https://dev.mysql.com/doc/mysql/en/server-system-variables.html
    
    [mysqld]
    pid-file    = /var/run/mysqld/mysqld.pid
    socket        = /var/run/mysqld/mysqld.sock
    datadir    = /var/lib/mysqlcustom
    log-error    = /var/log/mysql/error.log
    

    Enable audit mode for mysqld. In this mode, the security policy is enforced and all access is logged.

    $ sudo aa-audit mysqld
    

    Restart Percona Server for MySQL.

    $ sudo systemctl restart mysql
    

    The restart fails because AppArmor has blocked access to the custom data directory location. To diagnose the issue, check the logs for the following:

    • ALLOWED - A log event when the profile is in complain mode and the action violates a policy.

    • DENIED - A log event when the profile is in enforce mode and the action is blocked.

    For example, the following log entries show DENIED:

    Expected output
    ...
    Dec 07 12:17:08 ubuntu-s-4vcpu-8gb-nyc1-01-aa-ps audit[16013]: AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/var/lib/mysqlcustom/binlog.index" pid=16013 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=111 ouid=111
    Dec 07 12:17:08 ubuntu-s-4vcpu-8gb-nyc1-01-aa-ps kernel: audit: type=1400 audit(1607343428.022:36): apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/var/lib/mysqlcustom/mysqld_tmp_file_case_insensitive_test.lower-test" pid=16013 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=111 ouid=111
    ...
    
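As an added example that is not part of the Percona documentation, the following shell script reads journal or audit lines like the ones above, keeps only DENIED events for the /usr/sbin/mysqld profile, and prints the minimal rules the local profile would need; it serves both this data-directory case and the custom log location case later on the page. The function names and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Percona docs. Summarise AppArmor DENIED events
# for one profile and print the rules a local profile would need to add.

# Print "path mask" for every DENIED event of the given profile (stdin).
# ALLOWED events (complain mode) and other profiles are ignored.
apparmor_denials() {
    profile="${1:-/usr/sbin/mysqld}"
    grep -F 'apparmor="DENIED"' | grep -F "profile=\"$profile\"" |
        sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p'
}

# Collapse the denials per parent directory into "dir/ r," and "dir/** perms,".
# Audit masks c (create), d (delete) and a (append) all need "w" in a rule;
# r and k map to themselves. This prints the least privilege the log justifies;
# the page's own examples grant "rwk" to the data directory up front.
suggest_rules() {
    apparmor_denials "${1:-/usr/sbin/mysqld}" | awk '
    {
        path = $1; mask = $2
        n = split(path, parts, "/"); dir = ""
        for (i = 2; i < n; i++) dir = dir "/" parts[i]
        want[dir] = want[dir] mask
    }
    END {
        for (d in want) {
            p = ""
            if (want[d] ~ /r/)     p = p "r"
            if (want[d] ~ /[wcda]/) p = p "w"
            if (want[d] ~ /k/)     p = p "k"
            printf "%s/ r,\n%s/** %s,\n", d, d, p
        }
    }' | LC_ALL=C sort
}

# Constructed sample: two lines follow the DENIED entries shown on this page,
# one is a constructed denial for the custom log directory, one is an ALLOWED
# (complain-mode) event, and one belongs to a different profile.
SAMPLE_LOG='Dec 07 12:17:08 host audit[16013]: AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/var/lib/mysqlcustom/binlog.index" pid=16013 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=111 ouid=111
Dec 07 12:17:08 host kernel: audit: type=1400 audit(1607343428.022:36): apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/var/lib/mysqlcustom/mysqld_tmp_file_case_insensitive_test.lower-test" pid=16013 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=111 ouid=111
Dec 07 13:10:02 host kernel: audit: type=1400 audit(1607346602.101:40): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/custom-log-dir/mysql/error.log" pid=16200 comm="mysqld" requested_mask="wc" denied_mask="wc" fsuid=111 ouid=111
Dec 07 13:10:03 host kernel: audit: type=1400 audit(1607346603.500:41): apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld" name="/var/lib/mysql/ib_logfile0" pid=16200 comm="mysqld" requested_mask="rk" denied_mask="rk" fsuid=111 ouid=111
Dec 07 13:10:04 host kernel: audit: type=1400 audit(1607346604.000:42): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/tmp/x" pid=1 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Demo on the constructed sample; on a live host pipe `journalctl -k` or the
# audit log into suggest_rules instead.
printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```

The printed rules go into the matching section of /etc/apparmor.d/local/usr.sbin.mysqld; review them before reloading, since a DENIED event for a path only proves the program tried to use it, not that it should.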

Open /etc/apparmor.d/local/usr.sbin.mysqld in a text editor and add the following entries to the Allow data dir access section:

    # Allow data dir access
    /var/lib/mysqlcustom/ r,
    /var/lib/mysqlcustom/** rwk,
    

In /etc/apparmor.d/local/usr.sbin.mysqld, comment out, using the # symbol, the current entries for the default location in the Allow data dir access section. This step is optional. If you skip this step, mysqld continues to have access to the default data directory location.

    Note

    Edit the local version of the file instead of the main profile. Separating the changes makes maintenance easier.

    Reload the profile:

    $ sudo apparmor_parser -r -T /etc/apparmor.d/usr.sbin.mysqld
    

    Restart mysql:

    $ sudo systemctl restart mysql
    

Set up a custom log location

    To move your logs to a custom location, you must edit the my.cnf configuration file and then edit the local profile to allow access:

    $ cat /etc/mysql/mysql.conf.d/mysqld.cnf
    
    Expected output
    #
    # The Percona Server 8.0 configuration file.
    #
    # For explanations see
    # https://dev.mysql.com/doc/mysql/en/server-system-variables.html
    
    [mysqld]
    pid-file    = /var/run/mysqld/mysqld.pid
    socket        = /var/run/mysqld/mysqld.sock
    datadir    = /var/lib/mysql
    log-error    = /custom-log-dir/mysql/error.log
    

    Verify the custom directory exists.

    $ ls -la /custom-log-dir/
    
    Expected output
    total 12
    drwxrwxrwx  3 root root 4096 Dec  7 13:09 .
    drwxr-xr-x 24 root root 4096 Dec  7 13:07 ..
    drwxrwxrwx  2 root root 4096 Dec  7 13:09 mysql
    

    Restart Percona Server.

    $ service mysql start
    
    Expected output
    Job for mysql.service failed because the control process exited with error code.
    See "systemctl status mysql.service" and "journalctl -xe" for details.
    
    $ journalctl -xe
    
    Expected output
    ...
    AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/custom-log-dir/mysql/error.log"
    ...
    

    The access has been denied by AppArmor. Edit the local profile in the Allow log file access section to allow access to the custom log location.

    $ cat /etc/apparmor.d/local/usr.sbin.mysqld
    
    Expected output
    # Site-specific additions and overrides for usr.sbin.mysqld..
    # For more details, please see /etc/apparmor.d/local/README.

    # Allow log file access
    /custom-log-dir/mysql/ r,
    /custom-log-dir/mysql/** rw,
    

    Reload the profile:

    $ sudo apparmor_parser -r -T /etc/apparmor.d/usr.sbin.mysqld
    

    Restart Percona Server:

    $ sudo systemctl restart mysql
    

Set secure_file_priv directory location

By default, secure_file_priv points to the following location:

    mysql> SHOW VARIABLES LIKE 'secure_file_priv';
    
    Expected output
    +------------------+-----------------------+
    | Variable_name    | Value                 |
    +------------------+-----------------------+
    | secure_file_priv | /var/lib/mysql-files/ |
    +------------------+-----------------------+
    

    To allow access to another location, in a text editor, open the local profile. Review the settings in the Allow data dir access section:

    # Allow data dir access
    /var/lib/mysql/ r,
    /var/lib/mysql/** rwk,
    

    Edit the local profile in a text editor to allow access to the custom location.

    $ cat /etc/apparmor.d/local/usr.sbin.mysqld
    
    Expected output
    # Site-specific additions and overrides for usr.sbin.mysqld..
    # For more details, please see /etc/apparmor.d/local/README.
    
    # Allow data dir access
    /var/lib/mysqlcustom/ r,
    /var/lib/mysqlcustom/** rwk,
    

    Reload the profile:

    $ sudo apparmor_parser -r -T /etc/apparmor.d/usr.sbin.mysqld
    

    Restart Percona Server for MySQL:

    $ sudo systemctl restart mysql
    

    Last update: 2023-01-12