Altering an Application's AppArmor Profile on Ubuntu Bionic Beaver
Ubuntu uses a tool called AppArmor to control how programs, processes, etc. access system resources. It is one of the Linux Security Modules (LSM), a kernel framework that also includes SELinux (Security Enhanced Linux), TOMOYO, and Smack.
AppArmor:
• Provides Mandatory Access Control (MAC)
• Allows administrators to associate a security profile with a program, which restricts its capabilities
• Is considered easier (by some but not all) to use than SELinux
• Is considered filesystem-neutral (no security labels required).
It supplements the traditional UNIX Discretionary Access Control (DAC) model by providing Mandatory Access Control (MAC).
It also provides several tools that one can use to modify what an application or process is allowed to do. In this case I will use the mysql application as a case study: we will move the folder /var/lib/mysql to another location and update the mysql profile to give mysql access to that location, which was not previously in its profile.
Please backup any data you have.
We will begin by copying that folder to a new location, /mysql, which I created with the command sudo mkdir /mysql, and then do the copy with the command sudo cp -r --preserve /var/lib/mysql /mysql. With this we have a copy in the new location with the same permissions, ownership, etc. as the original.
We now modify the line datadir = /var/lib/mysql in the mysql configuration file /etc/mysql/mysql.conf.d/mysql.cnf to point at the new location we created earlier, datadir = /mysql/mysql. Next we modify two lines in the /etc/apparmor.d/usr.sbin.mysqld file.
Where we have:
# Allow data dir access
/var/lib/mysql/ r,
/var/lib/mysql/** rwk,
we change it to:
# Allow data dir access
/mysql/mysql/ r,
/mysql/mysql/** rwk,
Now restart mysql: sudo systemctl restart mysql. Of course we get an error, as AppArmor denies mysql access to read or write to that new location.
We will now use the tool aa-genprof to update the preexisting mysql profile. Open two terminals and run the following commands, one in each:
sudo aa-genprof /usr/bin/mysql
sudo systemctl restart mysql
When we run the aa-genprof command it will ask us to run the other command; in this case we just attempt to start the mysql server again and let it complain. AppArmor will then scan /var/log/syslog for messages related to mysql, present them to us, and ask whether we want to allow mysql to carry out the operations mentioned in them. We will see prompts like this:
[(S)can system log for AppArmor events] / (F)inish
...
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
at the bottom of each of these messages. Read them carefully and press the letter shown on your keyboard to instruct AppArmor to act accordingly. At the end, after it has finished scanning your logs, you will get another prompt asking whether to save; accept this too. Restart mysql with the command sudo systemctl restart mysql. Now it should start running if all went well.
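The denial messages that aa-genprof reads out of syslog, and the datadir rules edited by hand above, can be checked against each other without the interactive tool. The script below is an added example written for this page, not code from the post or from the AppArmor project: it pulls the DENIED events for a profile out of constructed syslog lines (in the format the kernel audit messages take), merges them into the "path mask," rule lines they ask for, and then tests whether a given profile text already grants them, treating ** as "anything" and * as "anything but /" the way AppArmor path globs do. The log lines and the two profile excerpts are constructed samples; the real files on Bionic are /var/log/syslog and /etc/apparmor.d/usr.sbin.mysqld.

```shell
#!/bin/sh
# Added example, not part of the original post. Derives the AppArmor rule
# lines that DENIED log messages ask for, then checks whether a profile
# already grants them. All inputs below are constructed samples.

# Constructed syslog excerpt in the format of AppArmor audit messages.
SAMPLE_SYSLOG='Jun  5 10:12:01 host kernel: [ 1234.567890] audit: type=1400 audit(1528193521.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mysql/mysql/" pid=1234 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=111 ouid=111
Jun  5 10:12:01 host kernel: [ 1234.567891] audit: type=1400 audit(1528193521.124:46): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mysql/mysql/ibdata1" pid=1234 comm="mysqld" requested_mask="rw" denied_mask="rw" fsuid=111 ouid=111
Jun  5 10:12:01 host kernel: [ 1234.567892] audit: type=1400 audit(1528193521.125:47): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/mysqld" name="/mysql/mysql/ibdata1" pid=1234 comm="mysqld" requested_mask="k" denied_mask="k" fsuid=111 ouid=111
Jun  5 10:12:02 host kernel: [ 1234.567893] audit: type=1400 audit(1528193521.126:48): apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/my.cnf" pid=1234 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=111 ouid=111'

# Constructed profile excerpts: before and after the edit described above.
SAMPLE_PROFILE_BEFORE='# Allow data dir access
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,'
SAMPLE_PROFILE_AFTER='# Allow data dir access
  /mysql/mysql/ r,
  /mysql/mysql/** rwk,'

# Print "profile path denied_mask" for every DENIED event on stdin.
extract_denials() {
    grep 'apparmor="DENIED"' |
    sed -n 's/.*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2 \3/p'
}

# Merge the denials for profile $1 into one "path mask," rule line per path,
# keeping first-seen path order and a fixed letter order for the mask.
suggest_rules() {
    extract_denials | awk -v prof="$1" '
        $1 != prof { next }
        {
            if (!($2 in idx)) { idx[$2] = ++n; paths[n] = $2 }
            for (i = 1; i <= length($3); i++) seen[$2, substr($3, i, 1)] = 1
        }
        END {
            nl = split("r w k l m x", letters, " ")
            for (j = 1; j <= n; j++) {
                m = ""
                for (k = 1; k <= nl; k++) if ((paths[j], letters[k]) in seen) m = m letters[k]
                printf "%s %s,\n", paths[j], m
            }
        }'
}

# Turn an AppArmor path glob into an anchored ERE: ** matches anything
# (including /), * matches anything except /. Other glob forms are not handled.
glob_to_ere() {
    printf '%s\n' "$1" | sed -e 's/[.+?(){}|^$]/\\&/g' \
        -e 's/\*\*/@DS@/g' -e 's/\*/[^\/]*/g' -e 's/@DS@/.*/g' \
        -e 's/^/^/' -e 's/$/$/'
}

# Succeeds if some plain path rule in the profile on stdin matches path $1
# and grants every permission letter in $2. Only "/path perms," rules are
# considered; owner-, deny- and variable-based rules are ignored.
profile_covers() {
    p=$1 need=$2
    grep -E '^[[:space:]]*/.*,[[:space:]]*$' |
    sed -e 's/^[[:space:]]*//' -e 's/,[[:space:]]*$//' |
    {
        while read -r glob mask; do
            printf '%s\n' "$p" | grep -Eq -- "$(glob_to_ere "$glob")" || continue
            missing=0
            for c in $(printf '%s' "$need" | sed 's/./& /g'); do
                case $mask in *"$c"*) ;; *) missing=1 ;; esac
            done
            [ "$missing" -eq 0 ] && exit 0
        done
        exit 1
    }
}

# Report, for each rule the sample log asks for, whether profile text $1
# already covers it.
audit_profile() {
    profile_text=$1
    printf '%s\n' "$SAMPLE_SYSLOG" | suggest_rules /usr/sbin/mysqld | sed 's/,$//' |
    while read -r path mask; do
        if printf '%s\n' "$profile_text" | profile_covers "$path" "$mask"; then
            printf 'covered %s %s\n' "$path" "$mask"
        else
            printf 'MISSING %s %s\n' "$path" "$mask"
        fi
    done
}

echo "Rules the denials ask for:"
printf '%s\n' "$SAMPLE_SYSLOG" | suggest_rules /usr/sbin/mysqld
echo "Against the unedited profile:"
audit_profile "$SAMPLE_PROFILE_BEFORE"
echo "Against the edited profile:"
audit_profile "$SAMPLE_PROFILE_AFTER"
```

Against the unedited profile both rules report MISSING; against the edited one both report covered, because /mysql/mysql/** rwk matches ibdata1 and grants r, w and k. One caveat the post does not spell out: a profile edited by hand under /etc/apparmor.d is not picked up until it is reloaded into the kernel, for example with sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld, after which sudo aa-status lists the loaded profiles and their mode.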