1. Basic ugo/rwx Eunuchs(tm) permissions1.2. This should be taken care of by1.

1. 1. Basic ugo/rwx Eunuchs(tm) permissions
2. 1.2. This should be taken care of by
3. 1.2.1. [cp --permissions ...]
4. 1.2.2. OR [rsync -av ...]
5. 1.2.3. OR [chown -R ...] (as in the OP)
6.  
7. 2. ACLs
8. 2.1. This should be handled by Selinux [semanage fcontext -a .../restorecon -R],
9. 2.2. OR by Apparmor (as in the OP; I don't know the syntax)
10.  
11. 3. Systemd configuration**
12. 3.1. Systemd imposes default restrictions about what files service processes can access
13. 3.2. This should be handled by [Service] directives
14. 3.1.1. Under e.g. in file /etc/systemd/system/mariadb.service.d/something.conf
15. 3.1.2. Such as ProtectHome=, ProtectSystem=, ReadWritePaths=