
How to disable AppArmor?

What is AppArmor?

AppArmor is an important security feature that locks down vulnerable processes, restricting the damage that security vulnerabilities in these processes can cause. AppArmor proactively protects the operating system and applications from external or internal threats, and even zero-day attacks, by enforcing a specific rule set on a per-application basis.

Sometimes MySQL will not start if AppArmor is enabled.

● mysql.service - MySQL Community Server
     Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Wed 2022-05-04 08:13:32 CEST; 3min 21s ago
    Process: 1937 ExecStartPre=/usr/share/mysql/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
    Process: 1945 ExecStart=/usr/sbin/mysqld (code=exited, status=1/FAILURE)
   Main PID: 1945 (code=exited, status=1/FAILURE)
     Status: "Server startup in progress"
      Error: 9 (Bad file descriptor)

May 04 08:13:32 gateway systemd[1]: mysql.service: Scheduled restart job, restart counter is at 5.
May 04 08:13:32 gateway systemd[1]: Stopped MySQL Community Server.
May 04 08:13:32 gateway systemd[1]: mysql.service: Start request repeated too quickly.
May 04 08:13:32 gateway systemd[1]: mysql.service: Failed with result 'exit-code'.
May 04 08:13:32 gateway systemd[1]: Failed to start MySQL Community Server.

You can see more error messages from dmesg:

[ 1173.479970] audit: type=1400 audit(1651644810.452:104): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mnt/HC_Volume_13321786/log/mysql/error.log" pid=1908 comm="mysqld" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[ 1173.479975] audit: type=1400 audit(1651644810.452:105): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mnt/HC_Volume_13321786/log/mysql/error.log" pid=1908 comm="mysqld" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[ 1173.479978] audit: type=1400 audit(1651644810.452:106): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mnt/HC_Volume_13321786/log/mysql/error.log" pid=1908 comm="mysqld" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[ 1173.479981] audit: type=1400 audit(1651644810.452:107): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mnt/HC_Volume_13321786/log/mysql/error.log" pid=1908 comm="mysqld" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[ 1173.479984] audit: type=1400 audit(1651644810.452:108): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mnt/HC_Volume_13321786/log/mysql/error.log" pid=1908 comm="mysqld" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[ 1173.479987] audit: type=1400 audit(1651644810.452:109): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mnt/HC_Volume_13321786/log/mysql/error.log" pid=1908 comm="mysqld" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[ 1173.886489] audit: type=1400 audit(1651644810.856:110): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mnt/HC_Volume_13321786/log/mysql/error.log" pid=1918 comm="mysqld" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[ 1173.886498] audit: type=1400 audit(1651644810.856:111): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mnt/HC_Volume_13321786/log/mysql/error.log" pid=1918 comm="mysqld" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[ 1173.886504] audit: type=1400 audit(1651644810.856:112): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mnt/HC_Volume_13321786/log/mysql/error.log" pid=1918 comm="mysqld" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[ 1173.886508] audit: type=1400 audit(1651644810.856:113): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mnt/HC_Volume_13321786/log/mysql/error.log" pid=1918 comm="mysqld" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113

You can check the current status of AppArmor on the server by running the following command:

root@VirtualBox:~# systemctl status apparmor

How to disable AppArmor for a particular process?

To disable AppArmor only for a particular process, run the following commands:

root@VirtualBox:~# ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/

root@VirtualBox:~# apparmor_parser -R /etc/apparmor.d/disable/profile.name

For example, to disable AppArmor for the MySQL service:

root@VirtualBox:~# ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/

root@VirtualBox:~# apparmor_parser -R /etc/apparmor.d/disable/usr.sbin.mysqld
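
To confirm which profile and path the dmesg denials point at before picking a profile to disable, the following added example (not part of the original page) parses the audit lines and groups the DENIED events. The first two sample lines are copied from the output above and the other two are constructed; the mapping from profile name to file name (/usr/sbin/mysqld to usr.sbin.mysqld) is an assumed naming convention.

```python
import re
from collections import Counter

# Sample input: two lines from the dmesg output above, two constructed lines.
SAMPLE = '''\
[ 1173.479970] audit: type=1400 audit(1651644810.452:104): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mnt/HC_Volume_13321786/log/mysql/error.log" pid=1908 comm="mysqld" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[ 1173.886489] audit: type=1400 audit(1651644810.856:110): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/mnt/HC_Volume_13321786/log/mysql/error.log" pid=1918 comm="mysqld" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[ 1100.000000] audit: type=1400 audit(1651644700.100:90): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/mysqld" pid=612 comm="apparmor_parser"
[ 1174.000000] gateway kernel: constructed unrelated line without audit fields
'''

# Permission letters the kernel writes into requested_mask / denied_mask.
MASK = {"r": "read", "w": "write", "a": "append", "c": "create",
        "d": "delete", "x": "execute", "m": "mmap-exec", "l": "link", "k": "lock"}
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict, quotes removed."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD.findall(line)}

def profile_file(profile):
    """Assumed convention for the file under /etc/apparmor.d/: slashes become dots."""
    return profile.lstrip("/").replace("/", ".")

def summarize_denials(text):
    """Group DENIED events by (profile, operation, path, denied_mask)."""
    counts, pids = Counter(), {}
    for line in text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED":
            continue  # skip STATUS/ALLOWED events and non-AppArmor lines
        key = (f.get("profile", "?"), f.get("operation", "?"),
               f.get("name", "?"), f.get("denied_mask", ""))
        counts[key] += 1
        pids.setdefault(key, set()).add(f.get("pid", "?"))
    return [{"profile": p, "profile_file": profile_file(p), "operation": op,
             "path": path, "denied": [MASK.get(c, c) for c in mask],
             "events": n, "pids": sorted(pids[(p, op, path, mask)])}
            for (p, op, path, mask), n in counts.most_common()]

if __name__ == "__main__":
    for row in summarize_denials(SAMPLE):
        print(row)
```

On a live system the same function can be fed the text of `dmesg` instead of `SAMPLE`.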

To stop AppArmor:

root@VirtualBox:~# systemctl stop apparmor

To disable AppArmor completely, execute:

root@VirtualBox:~# systemctl disable apparmor

After disabling AppArmor, you have to reboot your system.