After this I no longer get the 'Can't create test file' warnings.
However it would seem better for the application code to automatically update the /etc/apparmor.d/local/usr.sbin.mysqld file as it learns of paths. This would be similar to how libvirt uses virt-aa-helper to update policies for qemu VMs to allow access to the block devices (etc) listed in the VM specification.
Is there a better way you can think of to accommodate this use case (without giving up the protection against mysql using arbitrary paths)?
You can also work around this by setting the mysql profile into complain mode. Edit /etc/apparmor.d/usr.sbin.mysqld and change the line
/usr/sbin/mysqld {
to
/usr/sbin/mysqld flags=(complain) {
then reload the profile with
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
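A sketch of the helper idea raised in this thread, added here as an example and not code from MySQL, libvirt or the bug reporter: it validates a data directory learned at run time and appends the matching rules to the local include, keeping the profile in enforce mode. The function names, the deny list and the `r` / `rwk` rule pair are assumptions.

```python
import os
import re
import tempfile

# Whitespace and characters AppArmor treats specially in path rules
# (globs, alternation, variables, quoting, comments, rule terminator).
_UNSAFE = re.compile(r'[\s*?\[\]{}^@"#,\\]')
# Assumed policy choice: trees this helper never opens up to mysqld.
_DENY_PREFIXES = ("/etc", "/proc", "/sys", "/dev", "/boot", "/root",
                  "/usr", "/bin", "/sbin", "/lib")


def rules_for_datadir(path):
    """Return the AppArmor rules for one data directory or raise ValueError."""
    if not path.startswith("/") or _UNSAFE.search(path):
        raise ValueError("not a plain absolute path: %r" % path)
    # Collapse "..", "." and repeated slashes; symlinks are not resolved here.
    norm = "/" + os.path.normpath(path).lstrip("/")
    if norm == "/" or any(norm == p or norm.startswith(p + "/")
                          for p in _DENY_PREFIXES):
        raise ValueError("refusing sensitive location: %r" % norm)
    # Assumed rule pair: list the directory, read/write/lock files below it.
    return ["%s/ r," % norm, "%s/** rwk," % norm]


def update_local_profile(local_file, datadir):
    """Append any missing rules to local_file; return True if it changed."""
    wanted = rules_for_datadir(datadir)
    try:
        with open(local_file) as fh:
            existing = fh.read().splitlines()
    except FileNotFoundError:
        existing = []
    present = {line.strip() for line in existing}
    missing = [rule for rule in wanted if rule not in present]
    if not missing:
        return False  # already allowed, nothing to reload
    # Write a sibling temp file and rename, so a crash never leaves a
    # half-written include for apparmor_parser to load.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(local_file) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(existing + missing) + "\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, local_file)
    return True
```

When `update_local_profile` returns True, the profile still has to be reloaded with the `apparmor_parser -r` command shown above before the new rules take effect.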