Comment 1 for bug 1095370

Serge Hallyn (serge-hallyn) wrote :

You can also work around this by setting the mysql profile into complain mode. Edit /etc/apparmor.d/usr.sbin.mysqld and change the line

/usr/sbin/mysqld {

to

/usr/sbin/mysqld flags=(complain) {

then reload the profile with

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld

After this I no longer get the 'Can't create test file' warnings.

However it would seem better for the application code to automatically update the /etc/apparmor.d/local/usr.sbin.mysqld file as it learns of paths. This would be similar to how libvirt uses virt-aa-helper to update policies for qemu VMs to allow access to the block devices (etc) listed in the VM specification.

Is there a better way you can think of to accommodate this use case (without giving up the protection against mysql using arbitrary paths)?
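
The following sketch is an added example, not part of the original comment and not code from MySQL, AppArmor or libvirt: it shows one way a helper could append rules for a single learned data directory to the local override file while keeping the profile in enforce mode. The function names and the rule form (`DIR/ r,` and `DIR/** rwk,`) are assumptions.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the default file is the
# local override path named in the comment above.
LC_ALL=C; export LC_ALL   # keep the character ranges below ASCII-only

# aa_rules_for_dir DIR: print rules for DIR, or return 1 if DIR is unsafe.
aa_rules_for_dir() {
    dir=$1
    case $dir in
        /*) ;;                           # must be an absolute path
        *) return 1 ;;
    esac
    case $dir in
        *[!A-Za-z0-9/._-]*) return 1 ;;  # no globs, spaces, commas, quotes
    esac
    case $dir/ in
        */../*|*/./*) return 1 ;;        # no traversal components
    esac
    # Normalise by stripping trailing slashes.
    while [ "$dir" != "/" ] && [ "${dir%/}" != "$dir" ]; do
        dir=${dir%/}
    done
    [ "$dir" = "/" ] && return 1         # never grant the whole filesystem
    printf '  %s/ r,\n  %s/** rwk,\n' "$dir" "$dir"
}

# aa_add_datadir DIR [LOCAL_FILE]: append the rules once (idempotent).
aa_add_datadir() {
    local_file=${2:-/etc/apparmor.d/local/usr.sbin.mysqld}
    rules=$(aa_rules_for_dir "$1") || return 1
    last=$(printf '%s\n' "$rules" | tail -n 1)
    # Skip the write when the exact rule line is already present.
    grep -qxF -- "$last" "$local_file" 2>/dev/null && return 0
    printf '%s\n' "$rules" >> "$local_file"
    # The caller then reloads the profile with the command from the comment:
    #   sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
}
```

Rejecting glob characters and `..` components is what keeps a learned path from widening the profile beyond the one directory that was requested.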