On 7/6/2023 11:31:53 PM, "Daniel Black via discuss"
<[email protected]> wrote:
> For confidence look at strace -fe trace=openat mariabackup and you'll
> see the datadir files are opened O_RDONLY.
I'm not a C programmer but I guess that means the openat(2) calls we can
see mariabackup make aren't reckless, which is good.
In general I trust [Mm]aria* more than I trust myself, which points to
the other problem: my script...
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#BindPaths=
> It's also possible to make the /var/lib/mysql readonly for this
> service without affecting mariadbd.
Interesting. Bind mounts are a handy trick in lxc too. systemd is full of
nutritious goodness. I keep meaning to read the manual but it's so long.
> Selinux rules can make a tighter constraint, though would impede the
> copyback functionality when a restore occurs.
> Though could be enforced on the backup context -
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SELinuxContext=
Many years ago I promised myself a special reward in heaven if I can get
to my grave without having engaged with Selinux.
Thanks for your interest, Daniel
Tom
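An added example, not written by Daniel or Tom and not part of MariaDB or systemd, that ties the two suggestions above together: a small shell check that reads `strace -fe trace=openat` output and flags any file under the datadir that was opened with a write-capable flag (so "the datadir files are opened O_RDONLY" can be confirmed mechanically rather than by eye), plus a generator for the systemd drop-in that makes the datadir read-only for the backup service alone, leaving mariadbd's own unit untouched. The strace lines are constructed sample data, with one deliberately bad line so the check has something to catch; the unit name `mariabackup.service`, the datadir `/var/lib/mysql` and the target `/backup` are assumed placeholders. `ReadOnlyPaths=` and `ReadWritePaths=` are the systemd.exec(5) directives used; `BindReadOnlyPaths=` from the linked BindPaths section would do the same job via a bind mount.

```shell
#!/bin/sh
# Added example (not from the thread): check strace openat output for
# write-capable opens under the datadir, and emit a systemd drop-in that
# pins the datadir read-only for the backup service only.
# Assumed placeholders: datadir /var/lib/mysql, target /backup,
# unit name mariabackup.service.

# Constructed sample of `strace -f -e trace=openat` output. The t2.ibd line
# is deliberately wrong (O_RDWR) so the check below has something to flag.
SAMPLE_TRACE='[pid  4242] openat(AT_FDCWD, "/var/lib/mysql/ibdata1", O_RDONLY|O_CLOEXEC) = 5
[pid  4242] openat(AT_FDCWD, "/var/lib/mysql/ib_logfile0", O_RDONLY|O_CLOEXEC) = 6
[pid  4243] openat(AT_FDCWD, "/var/lib/mysql/mydb/t1.ibd", O_RDONLY|O_CLOEXEC|O_DIRECT) = 7
[pid  4242] openat(AT_FDCWD, "/backup/2023-07-06/xtrabackup_checkpoints", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0644) = 8
[pid  4243] openat(AT_FDCWD, "/var/lib/mysql/mydb/t2.ibd", O_RDWR|O_CLOEXEC) = 9
[pid  4242] openat(AT_FDCWD, "/etc/my.cnf", O_RDONLY <unfinished ...>
[pid  4242] <... openat resumed>) = 10'

# find_write_opens DATADIR   (trace on stdin)
# Prints every openat() whose path lies inside DATADIR and whose flags
# include a write-capable flag. The "<... openat resumed>" half of a call
# split across threads has no path and no flags, so it is skipped; the
# "<unfinished ...>" half carries both and is checked normally.
find_write_opens() {
    dir=${1%/}   # tolerate a trailing slash on the datadir
    awk -v dir="$dir" '
        /openat\(/ && match($0, /"[^"]*"/) {
            path = substr($0, RSTART + 1, RLENGTH - 2)   # first quoted string
            rest = substr($0, RSTART + RLENGTH)          # everything after it
            if (path != dir && index(path, dir "/") != 1) next
            if (match(rest, /O_[A-Z_|]+/)) {
                flags = substr(rest, RSTART, RLENGTH)
                if (flags ~ /O_(WRONLY|RDWR|CREAT|TRUNC|APPEND)/) print
            }
        }'
}

# check_datadir_readonly DATADIR   (trace on stdin)
# Exit 0 when nothing under DATADIR was opened for writing, 1 otherwise.
check_datadir_readonly() {
    [ -z "$(find_write_opens "$1")" ]
}

# Drop-in for the (hypothetical) backup unit. ReadOnlyPaths= makes the live
# datadir read-only inside this service's mount namespace; ReadWritePaths=
# keeps the backup target writable. mariadbd's unit is not affected, and a
# restore (copy-back) must run outside this unit since it has to write.
DROPIN='[Service]
# Backup may read, but never write, the live datadir.
ReadOnlyPaths=/var/lib/mysql
# The backup target must stay writable.
ReadWritePaths=/backup'

# write_dropin DIR -> writes DIR/mariabackup.service.d/readonly-datadir.conf
# and prints the path (use DIR=/etc/systemd/system on a real host, then
# systemctl daemon-reload).
write_dropin() {
    d="$1/mariabackup.service.d"
    mkdir -p "$d"
    printf '%s\n' "$DROPIN" > "$d/readonly-datadir.conf"
    printf '%s\n' "$d/readonly-datadir.conf"
}

# Demonstration on the constructed sample. On a real host the trace would
# come from e.g.:
#   strace -f -e trace=openat -o /tmp/mb.trace mariabackup --backup --target-dir=/backup/...
#   find_write_opens /var/lib/mysql < /tmp/mb.trace
if printf '%s\n' "$SAMPLE_TRACE" | check_datadir_readonly /var/lib/mysql; then
    echo "datadir opened read-only throughout"
else
    echo "write-capable opens under the datadir:"
    printf '%s\n' "$SAMPLE_TRACE" | find_write_opens /var/lib/mysql
fi
```

Run against the sample, the check reports the single O_RDWR open of t2.ibd and ignores the write to the backup target, which is exactly the split one wants: the datadir stays untouched while the target directory receives the copy. Once the drop-in is in place, an accidental write to the datadir from the backup unit fails with EROFS instead of succeeding silently, so the strace check becomes a one-off confirmation rather than something to repeat on every run.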