Article tags: apparmor  Ubuntu  spec  mysqld  Profile  Server  disable-app  service


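AppArmor ("Application Armor") is a security module for the Linux kernel, integrated into the kernel and into Ubuntu Linux. How do I disable AppArmor protection for the mysql profile/service under Ubuntu or Novell SUSE Enterprise Linux?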


Use the apparmor_status or aa-status command to view information about the current AppArmor policy. Type the following command as the root user or through sudo:

$ sudo apparmor_status

or

$ sudo aa-status

Sample output:

apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/mysqld (27816)
   /usr/sbin/ntpd (31952)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

You can also list the currently loaded profiles by reading the /sys/kernel/security/apparmor/profiles file:
$ sudo cat /sys/kernel/security/apparmor/profiles
Sample output:

/sys/kernel/security/apparmor/profiles
/usr/sbin/mysqld (enforce)
/usr/sbin/tcpdump (enforce)
/usr/sbin/ntpd (enforce)
/usr/lib/connman/scripts/dhclient-script (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
/sbin/dhclient (enforce)

AppArmor profiles are usually stored in the /etc/apparmor.d/ directory under various file names.

Command to disable a profile

The syntax is:

sudo ln -s /etc/apparmor.d/{profile.name-here} /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/{profile.name-here}

To disable the profile for mysql, that is, to turn off AppArmor protection for the mysql server, enter:

sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld

Verify that mysqld protection is disabled:
sudo aa-status
Sample output:

apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/ntpd (31952)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

How do I enable AppArmor protection for mysql?

Type the following commands:

sudo rm /etc/apparmor.d/disable/usr.sbin.mysqld
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
sudo aa-status
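
The disable procedure above has two separate effects: the symlink in /etc/apparmor.d/disable/ keeps the profile from being loaded again, and apparmor_parser -R removes it from the running kernel. The script below is an added example, not part of the original article, that compares both to report where a profile stands after a disable or enable. The function names and state labels are illustrative, and it assumes the profile file follows the naming seen above (/usr/sbin/mysqld is stored as usr.sbin.mysqld).

```shell
#!/bin/sh
# Added example (not from the original article): audit one AppArmor profile.

# Kernel-side mode of a profile, read from a listing in the format of
# /sys/kernel/security/apparmor/profiles: one "name (mode)" entry per line.
profile_mode() {  # $1 = listing file, $2 = profile name
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    awk -v p="$2" '
        { m = $NF; sub(/ \([a-z]+\)$/, "") }   # keep mode, strip " (mode)"
        $0 == p { gsub(/[()]/, "", m); print m; found = 1; exit }
        END { if (!found) print "unloaded" }' "$1"
}

# File name under /etc/apparmor.d for a profile name. Assumption: the
# conventional naming shown on the page (drop leading "/", "/" becomes ".").
profile_file() { printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'; }

# Combine the on-disk disable link with the kernel listing.
profile_state() {  # $1 = profile name, $2 = listing, $3 = apparmor.d dir
    list=${2:-/sys/kernel/security/apparmor/profiles}
    dir=${3:-/etc/apparmor.d}
    mode=$(profile_mode "$list" "$1") || {
        echo "unknown (cannot read $list, run as root)"; return 1; }
    f="$dir/disable/$(profile_file "$1")"
    if [ -L "$f" ] || [ -e "$f" ]; then link=yes; else link=no; fi
    case "$link:$mode" in
        yes:unloaded) echo "disabled" ;;                # link present, not in kernel
        yes:*)        echo "pending-unload ($mode)" ;;  # apparmor_parser -R not run yet
        no:unloaded)  echo "not-loaded" ;;              # no link: loads again on reload
        no:*)         echo "$mode" ;;                   # enforce, complain, ...
    esac
}

# Usage: sudo sh check.sh /usr/sbin/mysqld
if [ "$#" -ge 1 ]; then profile_state "$@"; fi
```

A "pending-unload" result means the symlink was created but the profile is still confining the process; "not-loaded" means the profile was removed from the kernel without the symlink, so it is loaded again on the next AppArmor reload.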



