I ran some tests and found that xbstream and xbcrypt cannot access the MySQL data directory when the AppArmor/SELinux policy is enforced. For example, if xbstream is used to stream an individual file from /var/lib/mysql, the access is denied and the syslogs display the errors:
Apr 9 08:33:32 focal64new kernel: [1284313.637719] audit: type=1400 audit(1617957212.052:196): apparmor="DENIED" operation="capable" profile="/usr/bin/xbstream" pid=1124960 comm="xbstream" capability=2 capname="dac_read_search"
Apr 9 08:33:32 focal64new kernel: [1284313.637722] audit: type=1400 audit(1617957212.052:197): apparmor="DENIED" operation="capable" profile="/usr/bin/xbstream" pid=1124960 comm="xbstream" capability=1 capname="dac_override"
Some users might stream/encrypt MySQL data files to another location.
What should the AppArmor and SELinux policy be for xbstream and xbcrypt?
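Added example, not part of the original report or of the project's code: a small triage script that reads kernel audit lines like the two quoted above and lists, per AppArmor profile, which capabilities were denied, so the gap in the profile can be reviewed. The function names are hypothetical, and the sample input is the two log lines from the report; records run together on one line are handled as well.

```python
import re
from collections import defaultdict

# Sample input: the two kernel audit lines quoted in the report above.
SAMPLE_LOG = '''\
Apr 9 08:33:32 focal64new kernel: [1284313.637719] audit: type=1400 audit(1617957212.052:196): apparmor="DENIED" operation="capable" profile="/usr/bin/xbstream" pid=1124960 comm="xbstream" capability=2 capname="dac_read_search"
Apr 9 08:33:32 focal64new kernel: [1284313.637722] audit: type=1400 audit(1617957212.052:197): apparmor="DENIED" operation="capable" profile="/usr/bin/xbstream" pid=1124960 comm="xbstream" capability=1 capname="dac_override"
'''

# key=value pairs; a value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_fields(record):
    """Return the key=value fields of one audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(record)}


def denied_capabilities(text):
    """Map each AppArmor profile to the sorted capability names it was denied.

    Records are split at every 'audit: type=' marker rather than at newlines,
    so log text whose line breaks were lost is still parsed correctly.
    """
    denied = defaultdict(set)
    for record in re.split(r'(?=audit: type=)', text):
        fields = parse_audit_fields(record)
        # Only capability checks are of interest here; file-access denials
        # use other operation values and are skipped.
        if fields.get("apparmor") != "DENIED" or fields.get("operation") != "capable":
            continue
        name = fields.get("capname") or "cap#" + fields.get("capability", "?")
        denied[fields.get("profile", "unknown")].add(name)
    return {profile: sorted(caps) for profile, caps in denied.items()}


def format_report(text):
    """One line per profile, e.g. '/usr/bin/xbstream: dac_override, dac_read_search'."""
    return [f"{profile}: {', '.join(caps)}"
            for profile, caps in sorted(denied_capabilities(text).items())]


if __name__ == "__main__":
    print("\n".join(format_report(SAMPLE_LOG)))
```

In AppArmor profile syntax a capability is granted with a `capability <name>,` rule, so each name in the report corresponds to one rule the profile does not currently contain.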