#include /usr/bin/wsrep_sst_xtrabackup-v2 flags=(attach_disconnected complain) { #include #include #include #include #include # Allow system resource access /sys/devices/system/node/ r, /sys/devices/system/node/** r, # Allow network access network tcp, /etc/hosts.allow r, /etc/hosts.deny r, # Allow config access /etc/mysql/** r, # Allow pid, socket, socket lock file access /{,var/}run/mysqld/mysqld.pid rw, /{,var/}run/mysqld/mysqld.sock rw, /{,var/}run/mysqld/mysqld.sock.lock rw, /{,var/}run/mysqld/mysqlx.sock rw, /{,var/}run/mysqld/mysqlx.sock.lock rw, # Allow plugin access /usr/lib/mysql/plugin/ r, /usr/lib/mysql/plugin/*.so* mr, # Allow error msg and charset access /usr/share/mysql/ r, /usr/share/mysql/** r, /usr/share/mysql-@MYSQL_BASE_VERSION@/ r, /usr/share/mysql-@MYSQL_BASE_VERSION@/** r, # Allow data dir access /var/lib/mysql/ r, /var/lib/mysql/** rwk, # Allow access to openssl config /etc/ssl/openssl.cnf r, # Allow systemd notify messages /{,var/}run/systemd/notify rw, /bin/?ash ixmr, /bin/sh ix, /{,usr/}bin/awk ix, /{,usr/}bin/perl PUx, /{,usr/}bin/openssl ixr, /{,usr/}bin/diff ixr, # Donor side /dev/tty wr, /bin/grep PUx, /bin/rm ix, /bin/ps PUx, /bin/mktemp ix, /bin/cat ix, /bin/sleep ix, /{,usr/}bin/cut ix, /{,usr/}bin/which ixr, /{,usr/}bin/dirname ix, /{,usr/}bin/gawk ix, /{,usr/}bin/my_print_defaults ix, /{,usr/}bin/tail ix, /{,usr/}bin/pxc_extra/** ixr, /{,usr/}bin/head PUx, /{,usr/}bin/tr ix, /{,usr/}bin/expr ixr, /{,usr/}bin/fold ixr, /{,usr/}bin/basename ixr, /{,usr/}bin/socat ix, /{,usr/}bin/wsrep_sst_* ixrw, # Joiner side (exclusive for joiner) /bin/ls PUx, /bin/mkdir ix, /bin/readlink PUx, /{,usr/}bin/touch ix, /{,usr/}bin/id ix, /{,usr/}bin/timeout ix, /{,usr/}bin/find ixr, /{,usr/}bin/mysqladmin ixr, /{,usr/}bin/mysql ixr, /{,usr/}sbin/mysqld ix, }