From 649216e70d87c84b6c78e4cfb26c0afc96d5192e Mon Sep 17 00:00:00 2001
From: Daniel Black <daniel@mariadb.org>
Date: Thu, 25 Sep 2025 07:05:01 +1000
Subject: [PATCH] MDEV-37726 wsrep-new-cluster and wsrep-start-position in
 wrong directory with wrong selinux permissions

After moving the systemd service to using environment files
instead of `systemctl set-environment` in 11.6 (MDEV-19210),
they (wsrep-new-cluster and wsrep-start-position) are located
in /var/lib/mysql along with the socket file in
Fedora/RHEL-based distros. This causes them to have incorrect
selinux permissions and therefore be not readable by systemd.

A solution is to generate these files in the run directory,
instead, which already has correct selinux label mysqld_var_run_t
mysql-selinux-1.0.12. Dissociating these files and the socket
in CMake configs can also prove useful for other things.

This also corrects some of the duplicate code in the build
scripts and made INSTALL_RUNDATADIR into a proper location
and used this for the tmpfiles where the temporary files
are created.

Debian's location is /run/mysqld/ matching its INSTALL_UNIX_ADDRDIR,
which is now a temporary location controlled by tmpfiles.
---
 cmake/install_layout.cmake       |  8 +++++++-
 scripts/galera_new_cluster.sh    |  6 +++---
 support-files/CMakeLists.txt     |  9 +++++----
 support-files/mariadb.service.in | 12 ++++++------
 support-files/tmpfiles.conf.in   | 16 +++++++++++++++-
 5 files changed, 36 insertions(+), 15 deletions(-)

diff --git a/cmake/install_layout.cmake b/cmake/install_layout.cmake
index 877b147bc6e..9410bc7a48a 100644
--- a/cmake/install_layout.cmake
+++ b/cmake/install_layout.cmake
@@ -163,6 +163,7 @@ SET(INSTALL_UNIX_ADDRDIR_RPM            "${INSTALL_MYSQLDATADIR_RPM}/mysql.sock"
 SET(INSTALL_SYSTEMD_UNITDIR_RPM         "/usr/lib/systemd/system")
 SET(INSTALL_SYSTEMD_SYSUSERSDIR_RPM     "/usr/lib/sysusers.d")
 SET(INSTALL_SYSTEMD_TMPFILESDIR_RPM     "/usr/lib/tmpfiles.d")
+SET(INSTALL_RUNDATADIR_RPM              "/run/mariadb")
 SET(INSTALL_PAMDIR_RPM                  "/${INSTALL_LIBDIR_RPM}/security")
 SET(INSTALL_PAMDATADIR_RPM              "/etc/security")
 
@@ -193,7 +194,8 @@ SET(INSTALL_SUPPORTFILESDIR_DEB         "share/mysql")
 #
 SET(INSTALL_MYSQLDATADIR_DEB            "/var/lib/mysql")
 
-SET(INSTALL_UNIX_ADDRDIR_DEB            "/run/mysqld/mysqld.sock")
+SET(INSTALL_RUNDATADIR_DEB              "/run/mysqld")
+SET(INSTALL_UNIX_ADDRDIR_DEB            "${INSTALL_RUNDATADIR_DEB}/mysqld.sock")
 SET(INSTALL_SYSTEMD_UNITDIR_DEB         "/lib/systemd/system")
 SET(INSTALL_SYSTEMD_SYSUSERSDIR_DEB     "/usr/lib/sysusers.d")
 SET(INSTALL_SYSTEMD_TMPFILESDIR_DEB     "/usr/lib/tmpfiles.d")
@@ -257,3 +259,7 @@ IF(NOT MYSQL_UNIX_ADDR)
   SET(MYSQL_UNIX_ADDR ${INSTALL_UNIX_ADDRDIR})
 ENDIF()
 
+IF(NOT INSTALL_RUNDATADIR)
+  get_filename_component(MYSQL_UNIX_DIR ${MYSQL_UNIX_ADDR} DIRECTORY)
+  SET(INSTALL_RUNDATADIR "${MYSQL_UNIX_DIR}" CACHE FILEPATH "Rundata installation directory" ${FORCE})
+ENDIF()
diff --git a/scripts/galera_new_cluster.sh b/scripts/galera_new_cluster.sh
index ac9dcf42102..b0aef8e05d2 100755
--- a/scripts/galera_new_cluster.sh
+++ b/scripts/galera_new_cluster.sh
@@ -21,11 +21,11 @@ EOF
     exit 0
 fi
 
-systemctl set-environment _WSREP_NEW_CLUSTER='--wsrep-new-cluster' && \
-    systemctl restart ${1:-mariadb}
+echo _WSREP_NEW_CLUSTER='--wsrep-new-cluster' > "@INSTALL_RUNDATADIR@/wsrep-new-cluster" && \
+    systemctl restart mariadb.service
 
 extcode=$?
 
-systemctl set-environment _WSREP_NEW_CLUSTER=''
+rm -f "@INSTALL_RUNDATADIR@/wsrep-new-cluster"
 
 exit $extcode
diff --git a/support-files/CMakeLists.txt b/support-files/CMakeLists.txt
index 2c88a8a334d..027e8e6a786 100644
--- a/support-files/CMakeLists.txt
+++ b/support-files/CMakeLists.txt
@@ -45,8 +45,6 @@ ELSE()
   IF(DEB)
     SET(su_user "#su mysql mysql")
   ENDIF()
-  get_filename_component(MYSQL_UNIX_DIR ${MYSQL_UNIX_ADDR} DIRECTORY)
-  SET(mysqlunixdir ${MYSQL_UNIX_DIR})
 ENDIF()
 
 # XXX: shouldn't we just have variables for all this stuff and centralise
@@ -212,8 +210,11 @@ IF(UNIX AND NOT WITHOUT_SERVER)
             RENAME mariadb.conf COMPONENT Server)
   ENDIF()
 
-  IF((HAVE_SYSTEMD OR INSTALL_SYSTEMD_TMPUSERS) AND INSTALL_SYSTEMD_TMPFILESDIR)
-    get_filename_component(MYSQL_UNIX_DIR ${MYSQL_UNIX_ADDR} DIRECTORY)
+  IF((HAVE_SYSTEMD OR INSTALL_SYSTEMD_TMPUSERS) AND INSTALL_SYSTEMD_TMPFILESDIR
+     AND INSTALL_RUNDATADIR)
+    IF(MYSQL_DATADIR STREQUAL INSTALL_RUNDATADIR)
+      SET(DISABLE_TMP "#")
+    ENDIF()
     CONFIGURE_FILE(tmpfiles.conf.in
             ${CMAKE_CURRENT_BINARY_DIR}/tmpfiles.conf @ONLY)
     INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/tmpfiles.conf
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index a7c76caafbe..fff9ba762bb 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -66,22 +66,22 @@ ProtectHome=true
 PermissionsStartOnly=true
 
 # Use an environment file to pass variable _WSREP_NEW_CLUSTER
-EnvironmentFile=-@mysqlunixdir@/wsrep-new-cluster
+EnvironmentFile=-@INSTALL_RUNDATADIR@/wsrep-new-cluster
 
 # Use an environment file to pass variable _WSREP_START_POSITION
-EnvironmentFile=-@mysqlunixdir@/wsrep-start-position
+EnvironmentFile=-@INSTALL_RUNDATADIR@/wsrep-start-position
 
 @SYSTEMD_EXECSTARTPRE@
 
 # Perform automatic wsrep recovery. When server is started without wsrep,
 # galera_recovery simply returns an empty string. In any case, however,
 # the script is not expected to return with a non-zero status.
-# It is always safe to remove @mysqlunixdir@/wsrep-start-position
+# It is always safe to remove @INSTALL_RUNDATADIR@/wsrep-start-position
 # environment file.
 # Do not panic if galera_recovery script is not available. (MDEV-10538)
 ExecStartPre=/bin/sh -c "[ ! -e @bindir@/galera_recovery ] && VAR= || \
  VAR=`@bindir@/galera_recovery`; [ $? -eq 0 ] \
- && echo _WSREP_START_POSITION=$VAR > @mysqlunixdir@/wsrep-start-position || exit 1"
+ && echo _WSREP_START_POSITION=$VAR > @INSTALL_RUNDATADIR@/wsrep-start-position || exit 1"
 
 # Needed to create system tables etc.
 # ExecStartPre=@scriptdir@/mariadb-install-db -u mysql
@@ -93,8 +93,8 @@ ExecStartPre=/bin/sh -c "[ ! -e @bindir@/galera_recovery ] && VAR= || \
 # _WSREP_NEW_CLUSTER is for the exclusive use of the script galera_new_cluster
 ExecStart=@sbindir@/mariadbd $MYSQLD_OPTS $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION
 
-# Unset _WSREP_START_POSITION environment variable.
-ExecStartPost=/bin/rm -f @mysqlunixdir@/wsrep-start-position
+# Unset _WSREP_START_POSITION/_WSREP_NEW_CLUSTER environment variable.
+ExecStartPost=/bin/rm -f @INSTALL_RUNDATADIR@/wsrep-start-position @INSTALL_RUNDATADIR@/wsrep-new-cluster
 
 @SYSTEMD_EXECSTARTPOST@
 
diff --git a/support-files/tmpfiles.conf.in b/support-files/tmpfiles.conf.in
index 03d66abc0c7..e67756f128a 100644
--- a/support-files/tmpfiles.conf.in
+++ b/support-files/tmpfiles.conf.in
@@ -1 +1,15 @@
-d @MYSQL_UNIX_DIR@ 0755 @MYSQLD_USER@ @MYSQLD_USER@ -
+# This is the directory where the unix socket
+# of MariaDB may be created.
+#
+# Under Galera this is where an envfile of
+# the Galera start position is stored.
+#
+# Other temporary directories can be created here like:
+# * tmpdir
+# * innodb_tmpdir
+# * innodb_temp_data_file_path
+# * rocksdb_tmpdir
+# etc.
+# It shouldn't be used for datadir which is why it
+# may be disabled.
+@DISABLE_TMP@d @INSTALL_RUNDATADIR@ 0755 @MYSQLD_USER@ @MYSQLD_USER@ -