I'm looking into SELinux in Fedora's MariaDB package and I can see that we have two types in MariaDB that have setuid/setgid capability.

1st: https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.te#L70

2nd: https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/mysql.te#L199

My question is, does mysqld_t need to have this capability?

I found that setuid/setgid is used inside mysqld_safe_helper (mariadbd-safe-helper).

Are there any other cases when MariaDB uses these functions?

Thank you for letting me know

Lukas
--