# vim:syntax=apparmor
# Last Modified: Fri Feb 28 18:06:30 2014
#include <tunables/global>

/usr/sbin/mysqld {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

# Allow config access
  /etc/mysql/conf.d/ r,
  /etc/mysql/conf.d/*.cnf r,
  /etc/mysql/*.cnf r,

# Allow pid and socket file access
  /run/mysqld/mysqld.pid rw,
  /run/mysqld/mysqld.sock w,

# Allow read/ write to /tmp
  /tmp/ r,
  /tmp/* rw,

# Allow execution of server binary
  /usr/sbin/mysqld mr,
  /usr/sbin/mysqld-debug mr,

# Allow plugin access
  /usr/lib/mysql/plugin/ r,
  /usr/lib/mysql/plugin/*.so* mr,

# Allow error msg and charset access
  /usr/share/mysql/ r,
  /usr/share/mysql/** r,

# Allow data dir access
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,

# Allow log file access
  /var/log/mysql/ r,
  /var/log/mysql/** rw,
}
