[Unit]
Description=MySQL database server
After=syslog.target
After=network.target
Conflicts=mariadb.service

[Service]
Type=simple
User=mysql
Group=mysql

# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
# https://bugzilla.redhat.com/show_bug.cgi?id=547485
ExecStart=/usr/sbin/mysqld --basedir=/usr
ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID

# Give a reasonable amount of time for the server to start up/shut down
TimeoutSec=300

# We rely on systemd, not mysqld_safe, to restart mysqld if it dies
# Restart crashed server only, on-failure would also restart, for example, when
# my.cnf contains unknown option
Restart=on-abort
RestartSec=5s

# Place temp files in a secure directory, not /tmp
PrivateTmp=true

# To allow memlock to be used as non-root user if set in configuration
CapabilityBoundingSet=CAP_IPC_LOCK

# Prevent writes to /usr, /boot, and /etc
ProtectSystem=full

# Currently has issues with SELinux https://jira.mariadb.org/browse/MDEV-10404
# This is safe to uncomment when not using SELinux
#NoNewPrivileges=true

PrivateDevices=true

# Prevent accessing /home, /root and /run/user
ProtectHome=true

UMask=007

[Install]
WantedBy=multi-user.target