author | Sergei Golubchik <serg@mariadb.org> | 2017-01-10 18:31:03 +0100 |
---|---|---|
committer | Sergei Golubchik <serg@mariadb.org> | 2017-01-11 11:55:11 +0100 |
commit | c1a23cd4e5f96c51064f9569bfa4f87d76d53fb6 (patch) | |
tree | 4bbe0c8822800609c33b410030bbef6db15646d3 /support-files | |
parent | 6ad3dd6054b34afea1f1f13dfd925dc7e73f3b16 (diff) | |
download | mariadb-git-c1a23cd4e5f96c51064f9569bfa4f87d76d53fb6.tar.gz |
MDEV-11676 Starting service with mysqld_safe_helper fails in SELINUX "enforcing" mode
compile, and install selinux policy for mysqld_safe_helper on centos6.
the policy was created as described in https://mariadb.com/kb/en/mariadb/what-to-do-if-mariadb-doesnt-start/#other-selinux-changes
Diffstat (limited to 'support-files')
-rw-r--r-- | support-files/CMakeLists.txt | 2 | ||||
-rw-r--r-- | support-files/SELinux/CMakeLists.txt | 35 | ||||
-rw-r--r-- | support-files/SELinux/centos6-mariadb.te | 9 | ||||
-rw-r--r-- | support-files/SELinux/rhel4-mysql.fc (renamed from support-files/RHEL4-SElinux/mysql.fc) | 0 | ||||
-rw-r--r-- | support-files/SELinux/rhel4-mysql.te (renamed from support-files/RHEL4-SElinux/mysql.te) | 0 | ||||
-rw-r--r-- | support-files/rpm/server-postin.sh | 7 |
6 files changed, 51 insertions, 2 deletions
diff --git a/support-files/CMakeLists.txt b/support-files/CMakeLists.txt index 4677bd59415..67a7b508e33 100644 --- a/support-files/CMakeLists.txt +++ b/support-files/CMakeLists.txt @@ -67,7 +67,7 @@ IF(UNIX) ENDFOREACH() IF(INSTALL_SUPPORTFILESDIR) INSTALL(FILES magic DESTINATION ${inst_location} COMPONENT SupportFiles) - INSTALL(DIRECTORY RHEL4-SElinux/ DESTINATION ${inst_location}/SELinux/RHEL4 COMPONENT SupportFiles) + ADD_SUBDIRECTORY(SELinux) ENDIF() INSTALL(FILES mysql.m4 DESTINATION ${INSTALL_SHAREDIR}/aclocal COMPONENT Development) diff --git a/support-files/SELinux/CMakeLists.txt b/support-files/SELinux/CMakeLists.txt new file mode 100644 index 00000000000..e3cdb26ca8f --- /dev/null +++ b/support-files/SELinux/CMakeLists.txt 
@@ -0,0 +1,35 @@
+# Copyright (c) 2017, MariaDB
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+FIND_PROGRAM(CHECKMODULE checkmodule)
+FIND_PROGRAM(SEMODULE_PACKAGE semodule_package)
+MARK_AS_ADVANCED(CHECKMODULE SEMODULE_PACKAGE)
+
+SET(params DESTINATION ${INSTALL_SUPPORTFILESDIR}/SELinux COMPONENT SupportFiles)
+
+IF(CHECKMODULE AND SEMODULE_PACKAGE)
+ FOREACH(pol centos6-mariadb)
+ SET(src ${CMAKE_CURRENT_SOURCE_DIR}/${pol}.te)
+ SET(mod ${CMAKE_CURRENT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/${pol}-pp.dir/${pol}.mod)
+ SET(out ${CMAKE_CURRENT_BINARY_DIR}/${pol}.pp)
+ ADD_CUSTOM_COMMAND(OUTPUT ${out}
+ COMMAND ${CHECKMODULE} -M -m ${src} -o ${mod}
+ COMMAND ${SEMODULE_PACKAGE} -m ${mod} -o ${out}
+ DEPENDS ${src})
+ ADD_CUSTOM_TARGET(${pol}-pp ALL DEPENDS ${out})
+ INSTALL(FILES ${out} ${params})
+ ENDFOREACH()
+ENDIF()
+INSTALL(FILES centos6-mariadb.te rhel4-mysql.fc rhel4-mysql.te ${params})
diff --git a/support-files/SELinux/centos6-mariadb.te b/support-files/SELinux/centos6-mariadb.te
new file mode 100644
index 00000000000..1d3de52c700
--- /dev/null
+++ b/support-files/SELinux/centos6-mariadb.te
@@ -0,0 +1,9 @@
+module mariadb 1.0;
+
+require {
+ type mysqld_safe_t;
+ class capability { setuid setgid };
+}
+
+#============= mysqld_safe_t ==============
+allow mysqld_safe_t self:capability { setuid setgid };
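Review bot: The `ADD_CUSTOM_COMMAND` inside the `FOREACH` loop has no `VERBATIM` and passes `${src}`, `${mod}` and `${out}` unquoted, so a source or build directory containing spaces or shell metacharacters could be split or reinterpreted when `checkmodule` and `semodule_package` run. Adding `VERBATIM` after `DEPENDS ${src}` and quoting the paths, e.g. `COMMAND ${CHECKMODULE} -M -m "${src}" -o "${mod}"`, makes the escaping independent of the generator. The intermediate `${mod}` is written into `${CMAKE_FILES_DIRECTORY}/${pol}-pp.dir`, a directory this file never creates. It presumably relies on the generator creating it for the `${pol}-pp` target, which is worth confirming for non-Makefile generators or replacing with an explicit `file(MAKE_DIRECTORY ...)`.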
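Review bot: The `allow mysqld_safe_t self:capability { setuid setgid };` rule has no comment saying why the domain needs these capabilities, and it widens the whole `mysqld_safe_t` domain rather than only the helper named in the commit title. A line above the rule such as `# MDEV-11676: mysqld_safe_helper changes user/group; stock CentOS 6 policy denies it` (wording to be confirmed against the AVC denials the rule was generated from) would let a later auditor judge whether the grant is still needed. The module is declared as `mariadb` while the file is `centos6-mariadb`, so it will be registered under a generic name that another policy package could plausibly also use. A more specific module name would avoid that.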
diff --git a/support-files/RHEL4-SElinux/mysql.fc b/support-files/SELinux/rhel4-mysql.fc index aa0fced4bbc..aa0fced4bbc 100644 --- a/support-files/RHEL4-SElinux/mysql.fc +++ b/support-files/SELinux/rhel4-mysql.fc diff --git a/support-files/RHEL4-SElinux/mysql.te b/support-files/SELinux/rhel4-mysql.te index d2609244640..d2609244640 100644 --- a/support-files/RHEL4-SElinux/mysql.te +++ b/support-files/SELinux/rhel4-mysql.te diff --git a/support-files/rpm/server-postin.sh b/support-files/rpm/server-postin.sh index cd2aec4d84a..377a752824d 100644 --- a/support-files/rpm/server-postin.sh +++ b/support-files/rpm/server-postin.sh @@ -79,7 +79,12 @@ if [ -f /etc/redhat-release ] ; then echo ' make load' echo echo - fi + fi + if grep 'CentOS release 6' /etc/redhat-release >/dev/null 2>&1; then + if [ -x /usr/sbin/semodule ] ; then + /usr/sbin/semodule -i /usr/share/mysql/SELinux/centos6-mariadb.pp + fi + fi fi if [ -x sbin/restorecon ] ; then |
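Review bot: The added `semodule -i` call checks that `/usr/sbin/semodule` is executable but not that `centos6-mariadb.pp` exists, although support-files/SELinux/CMakeLists.txt in this commit builds and installs the `.pp` only when `checkmodule` and `semodule_package` were found at configure time. A package built without those tools would presumably make the scriptlet emit a `semodule` error on CentOS 6 while the policy stays unloaded; `if [ -x /usr/sbin/semodule ] && [ -f /usr/share/mysql/SELinux/centos6-mariadb.pp ] ; then` avoids that. The path is also hard-coded to `/usr/share/mysql`, whereas the CMake side installs under `${INSTALL_SUPPORTFILESDIR}/SELinux`, so the two agree only for layouts where that resolves to `/usr/share/mysql`. The enclosing `if [ -f /etc/redhat-release ]` block starts outside the hunk.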