This was relaxed in where the setuid is only tried if mariadbd --user is specified.

This isn't the case with systemd service files (which set the user) where
the CAP_IPC_LOCK capability gives the user the memlock rather than setuid.

So maybe it is safe to drop the mysqld_t setgid setuid from the policy for the common case of a user running systemd service which also works if they are using memlock.

While we are looking at the list, assuming sys_resource maps to CAP_SYS_RESOURCE that would only be raising the rlimit nofile, which is done in the systemd service.
in the server code this is capped anyway -

sys_nice - seems to be related to a innodb setpriority(PRIO_PROCESS, tid, -20), which isn't fatal if it doesn't succeed. no other CAP_SYS_NICE are used.
Maybe we should have instead. Advice welcome.

allow mysqld_t self:shm create_shm_perms - not required in 10.5+ - shm no longer used for large pages - anon mmap is used.

rw_fifo_file_perms - one test case created a fifo - mysql-test/main/log_errchk.test, the server has some code to handle if log files externally created are fifos, but it doesn't create them itself.
galera code mentions fifo's a lot, however its an internal structure. Script mentios fifos, however this
appears to just be using pv to rate limit. is probably needed too.

I see probably covers

On Fri, Mar 12, 2021 at 10:14 PM Sergei Golubchik <> wrote:
Hi, Lukas!

> I found that setuid/setgid is used inside mysqld_safe_helper
> (mariadbd-safe-helper).
> Are there any other cases when MariaDB uses these functions?

Yes, in the server. If the server is started with --memlock it does


to prevent itself from being swapped. This needs root, and the server
uses setuid/setgid to drop root privileges after mlockall.

VP of MariaDB Server Engineering

Mailing list:
Post to     :
Unsubscribe :
More help   :