Comment 17 for bug 375371

Jamie Strandboge (jdstrand) wrote :

I'm slightly confused. These build tests are using an installed, live mysql server and create temporary files somewhere in such a way that mysqld needs to read them?

If that is the case, then maybe we could add to the mysqld profile something like:
  owner /var/tmp/mysql/** rwkl,
  owner /var/tmp/mysql/* rw,
  /var/tmp/mysql-buildtests/** r,
  /var/tmp/mysql-buildtests/ r,

Then do:
# mkdir -m 0770 /var/tmp/mysql
# chown mysql:mysql /var/tmp/mysql
# mkdir -m 1113 /var/tmp/mysql-buildtests
# chown mysql:mysql /var/tmp/mysql-buildtests

This should allow any user to write to anything in /var/tmp/mysql-buildtests, after which test suites can invoke mysqld with the proper arguments for tmpdir being /var/tmp/mysql and reading specific files in /var/tmp/mysql-buildtests. The idea is that under normal circumstances, mysqld would ignore /var/tmp/mysql-buildtests/, but in the face of an attack both DAC and AppArmor prevent writing to /var/tmp/mysql-buildtests. We use the weird '1113' permissions on /var/tmp/mysql-buildtests to create a sticky directory to allow 'other' to create files in the directory, but mysql can only read from this directory. DAC prevents regular users from reading /var/tmp/mysql. This should mitigate bug #578922 while allowing for test suites to run.

It would be great if others could review my suggestion.
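
As an aid to reviewing the modes proposed in the comment above (an added example, not part of the original comment), this Python sketch evaluates what the DAC bits of 1113 and 0770 grant to the mysql user and to an ordinary user. The numeric IDs are constructed, supplementary groups and root are ignored, and AppArmor is not modelled.

```python
import stat

# Constructed sample IDs (assumptions, not taken from the bug report).
MYSQL_UID, MYSQL_GID = 112, 120
TESTER_UID, TESTER_GID = 1000, 1000
OTHER_UID = 1001

def dir_access(mode, uid, gid, dir_uid, dir_gid):
    """DAC rights of a non-root process on a directory with this mode."""
    # The kernel applies exactly one class: owner, else group, else other.
    if uid == dir_uid:
        r, w, x = stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR
    elif gid == dir_gid:
        r, w, x = stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP
    else:
        r, w, x = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH
    search = bool(mode & x)
    return {
        "list": bool(mode & r),               # enumerate names with readdir()
        "open_by_name": search,               # reach a file whose name is known
        "create": bool(mode & w) and search,  # add directory entries
    }

def can_delete(mode, uid, gid, dir_uid, dir_gid, file_uid):
    """Whether uid may unlink a file owned by file_uid in the directory."""
    if not dir_access(mode, uid, gid, dir_uid, dir_gid)["create"]:
        return False  # unlink needs write+search on the directory
    if mode & stat.S_ISVTX:
        # Sticky bit: only the file's owner or the directory's owner may unlink.
        return uid in (file_uid, dir_uid)
    return True

def review():
    """Rights for both proposed directories, both owned by mysql:mysql."""
    who = {"mysql": (MYSQL_UID, MYSQL_GID), "tester": (TESTER_UID, TESTER_GID)}
    dirs = {"/var/tmp/mysql": 0o0770, "/var/tmp/mysql-buildtests": 0o1113}
    return {(path, name): dir_access(mode, uid, gid, MYSQL_UID, MYSQL_GID)
            for path, mode in dirs.items() for name, (uid, gid) in who.items()}

if __name__ == "__main__":
    for (path, name), rights in review().items():
        print(f"{path:28} {name:7} {rights}")
```
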