AppArmor

[1]:

AppArmor is a Linux Security Module implementation of name-based access controls. AppArmor confines individual programs to a set of listed files and posix 1003.1e draft capabilities.

AppArmor (AA) lijkt standaard-onderdeel te zijn van Linux Mint. Broertje van SElinux?

Enforce- & Complain-mode

[2]:

AppArmor confinement is provided via profiles loaded into the kernel, typically on boot. AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd). Profiles in complain mode will not enforce policy but instead report policy violation attempts.

Tijdelijk uitzetten?

In okt. 2019 wilde ik AA uitzetten, omdat het MySQL-exports verhinderde.

Ik geloof dat dat niet lukt:

sudo systemctl stop apparmor
sudo systemctl disable apparmor

Als ik aansluitend sudo aa-status geef, lijkt-ie nog steeds aan te staan.

MySQL & Complain-mode?

Het lijkt al gelukt te zijn:

apparmor module is loaded.
14 profiles are loaded.
13 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ippusbxd
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/sbin/mysqld
6 processes have profiles defined.
5 processes are in enforce mode.
   /sbin/dhclient (1425) 
   /sbin/dhclient (2265) 
   /usr/sbin/cups-browsed (1072) 
   /usr/sbin/cupsd (1071) 
   /usr/sbin/ntpd (1590) 
1 processes are in complain mode.
   /usr/sbin/mysqld (1207) 
0 processes are unconfined but have a profile defined.