MDEV-11676 Starting service with mysqld_safe_helper fails in SELINUX "enforcing" mode

compile, and install selinux policy for mysqld_safe_helper on centos6.
the policy was created as described in https://mariadb.com/kb/en/mariadb/what-to-do-if-mariadb-doesnt-start/#other-selinux-changes

Author: vuvova

.gitignore

@@ -221,6 +221,7 @@ support-files/mysql.spec
 support-files/mysqld_multi.server
 support-files/wsrep.cnf
 support-files/wsrep_notify
+support-files/SELinux/centos6-mariadb.pp
 tags
 tests/async_queries
 tests/bug25714

support-files/CMakeLists.txt

@@ -67,7 +67,7 @@ IF(UNIX)
   ENDFOREACH()
   IF(INSTALL_SUPPORTFILESDIR)
     INSTALL(FILES magic DESTINATION ${inst_location} COMPONENT SupportFiles)
-    INSTALL(DIRECTORY RHEL4-SElinux/ DESTINATION ${inst_location}/SELinux/RHEL4 COMPONENT SupportFiles)
+    ADD_SUBDIRECTORY(SELinux)
   ENDIF()
 
   INSTALL(FILES mysql.m4 DESTINATION ${INSTALL_SHAREDIR}/aclocal COMPONENT Development)

support-files/SELinux/CMakeLists.txt

@@ -0,0 +1,35 @@
+# Copyright (c) 2017, MariaDB
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+
+FIND_PROGRAM(CHECKMODULE checkmodule)
+FIND_PROGRAM(SEMODULE_PACKAGE semodule_package)
+MARK_AS_ADVANCED(CHECKMODULE SEMODULE_PACKAGE)
+
+SET(params DESTINATION ${INSTALL_SUPPORTFILESDIR}/SELinux COMPONENT SupportFiles)
+
+IF(CHECKMODULE AND SEMODULE_PACKAGE)
+  FOREACH(pol centos6-mariadb)
+    SET(src ${CMAKE_CURRENT_SOURCE_DIR}/${pol}.te)
+    SET(mod ${CMAKE_CURRENT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/${pol}-pp.dir/${pol}.mod)
+    SET(out ${CMAKE_CURRENT_BINARY_DIR}/${pol}.pp)
+    ADD_CUSTOM_COMMAND(OUTPUT ${out}
+      COMMAND ${CHECKMODULE} -M -m ${src} -o ${mod}
+      COMMAND ${SEMODULE_PACKAGE} -m ${mod} -o ${out}
+      DEPENDS ${src})
+    ADD_CUSTOM_TARGET(${pol}-pp ALL DEPENDS ${out})
+    INSTALL(FILES ${out} ${params})
+  ENDFOREACH()
+ENDIF()
+INSTALL(FILES centos6-mariadb.te rhel4-mysql.fc rhel4-mysql.te ${params})

support-files/SELinux/centos6-mariadb.te

@@ -0,0 +1,9 @@
+module mariadb 1.0;
+
+require {
+        type mysqld_safe_t;
+        class capability { setuid setgid };
+}
+
+#============= mysqld_safe_t ==============
+allow mysqld_safe_t self:capability { setuid setgid };

support-files/RHEL4-SElinux/mysql.fc renamed to support-files/SELinux/rhel4-mysql.fc

@@ -79,7 +79,12 @@ if [ -f /etc/redhat-release ] ; then
      echo '       make load'
      echo
      echo
-  fi
+   fi
+   if grep 'CentOS release 6' /etc/redhat-release >/dev/null 2>&1; then
+     if [ -x /usr/sbin/semodule ] ; then
+       /usr/sbin/semodule -i /usr/share/mysql/SELinux/centos6-mariadb.pp
+     fi
+   fi
 fi
 
 if [ -x sbin/restorecon ] ; then