我想我有一个旧的个人资料(复制如下).
我不知道在哪里寻找正确的配置文件.
是否有标准apparmor配置文件的权威来源 – 或者它是否在mysql源代码中?
是否有更新配置文件的标准方法或我必须手动弄清楚它应该是什么?
例如
sudo apparmor get-updated-profile-for MysqL
MysqL 5.7 / Ubuntu 16.04
目前:
/etc/apparmor.d$cat usr.sbin.MysqLd # vim:Syntax=apparmor # Last Modified: Tue Jun 19 17:37:30 2007 #include <tunables/global> /usr/sbin/MysqLd { #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/user-tmp> #include <abstractions/MysqL> #include <abstractions/winbind> capability dac_override,capability sys_resource,capability setgid,capability setuid,network tcp,/etc/hosts.allow r,/etc/hosts.deny r,/etc/MysqL/*.pem r,/etc/MysqL/conf.d/ r,/etc/MysqL/conf.d/* r,/etc/MysqL/*.cnf r,/usr/lib/MysqL/plugin/ r,/usr/lib/MysqL/plugin/*.so* mr,/usr/sbin/MysqLd mr,/usr/share/MysqL/** r,/var/log/MysqL.log rw,/var/log/MysqL.err rw,/var/lib/MysqL/ r,/var/lib/MysqL/** rwk,/var/log/MysqL/ r,/var/log/MysqL/* rw,/var/run/MysqLd/MysqLd.pid rw,/var/run/MysqLd/MysqLd.sock w,/var/run/MysqLd/MysqLd.sock.lock rw,/run/MysqLd/MysqLd.pid rw,/run/MysqLd/MysqLd.sock w,/run/MysqLd/MysqLd.sock.lock rw,/sys/devices/system/cpu/ r,# Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.MysqLd> }
好的 – 所以启动一个干净的ubuntu服务器并安装MysqL似乎是获得’正确’配置文件的合理方法.目前如下:
# vim:Syntax=apparmor # Last Modified: Tue Feb 09 15:28:30 2016 #include <tunables/global> /usr/sbin/MysqLd { #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/user-tmp> #include <abstractions/MysqL> #include <abstractions/winbind> # Allow system resource access /sys/devices/system/cpu/ r,capability dac_override,# Allow network access network tcp,# Allow config access /etc/MysqL/** r,# Allow pid,socket,socket lock file access /var/run/MysqLd/MysqLd.pid rw,/var/run/MysqLd/MysqLd.sock rw,/run/MysqLd/MysqLd.sock rw,# Allow execution of server binary /usr/sbin/MysqLd mr,/usr/sbin/MysqLd-debug mr,# Allow plugin access /usr/lib/MysqL/plugin/ r,# Allow error msg and charset access /usr/share/MysqL/ r,# Allow data dir access /var/lib/MysqL/ r,# Allow data files dir access /var/lib/MysqL-files/ r,/var/lib/MysqL-files/** rwk,# Allow keyring dir access /var/lib/MysqL-keyring/ r,/var/lib/MysqL-keyring/** rwk,# Allow log file access /var/log/MysqL.err rw,/var/log/MysqL/** rw,# Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.MysqLd> }
