diff --git a/cmake/cpack_rpm.cmake b/cmake/cpack_rpm.cmake
index 65a739dc03e..414b4f6a902 100644
--- a/cmake/cpack_rpm.cmake
+++ b/cmake/cpack_rpm.cmake
@@ -163,6 +163,7 @@ SET(CPACK_RPM_server_USER_FILELIST ${ignored}
 "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*"
 "%config(noreplace) ${INSTALL_SYSCONFDIR}/logrotate.d/mysql"
+ "%caps(cap_ipc_lock=pe) %{_sbindir}/mysqld"
 )
 SET(CPACK_RPM_common_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONFDIR}/my.cnf")
 SET(CPACK_RPM_shared_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*")
diff --git a/debian/mariadb-server-core-10.5.postinst b/debian/mariadb-server-core-10.5.postinst
new file mode 100644
index 00000000000..5f79bed2402
--- /dev/null
+++ b/debian/mariadb-server-core-10.5.postinst
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -e
+
+# inspired by iputils-ping
+#
+# cap_ipc_lock is required if a user wants to use --memlock
+# and has insufficient RLIMIT_MEMLOCK (MDEV-33301)
+
+PROGRAM=$(dpkg-divert --truename /usr/sbin/mysqld)
+
+if [ "$1" = configure ]; then
+ # If we have setcap installed, try setting
+ # which allows us to install our binaries without the setuid
+ # bit.
+ if command -v setcap > /dev/null; then
+ if ! setcap cap_ipc_lock+ep "$PROGRAM"; then
+ echo "Setcap failed on $PROGRAM, required with --memlock if insufficent RLIMIT_MEMLOCK" >&2
+ fi
+ fi
+fi
+
+
+#DEBHELPER#
+
+exit 0
diff --git a/support-files/policy/apparmor/usr.sbin.mysqld b/support-files/policy/apparmor/usr.sbin.mysqld
index c60ecd28531..732f4b3a97a 100644
--- a/support-files/policy/apparmor/usr.sbin.mysqld
+++ b/support-files/policy/apparmor/usr.sbin.mysqld
@@ -14,6 +14,7 @@ capability chown,
 capability dac_override,
+ capability ipc_lock,
 capability setgid,
 capability setuid,
 capability sys_rawio,
diff --git a/support-files/policy/selinux/mariadb-server.te b/support-files/policy/selinux/mariadb-server.te
index 89846063506..ba53c97d4a8 100644
--- a/support-files/policy/selinux/mariadb-server.te
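Review bot: The new entry mixes an RPM macro, `%{_sbindir}`, into a list whose other entries are built from CMake install variables (`${INSTALL_SYSCONF2DIR}`, `${INSTALL_SYSCONFDIR}`), so it only matches the packaged binary when the build's sbin location equals what rpmbuild expands `%{_sbindir}` to; if they ever diverge the `%caps` attribute is either rejected at packaging time or silently not applied, and `--memlock` then fails on the installed server. If the project's install layout exposes a CMake variable for the sbin directory, prefer it here for consistency; otherwise state the assumption next to the entry. Unlike the Debian postinst in this change, the entry carries no rationale; a comment such as `# cap_ipc_lock lets --memlock work when RLIMIT_MEMLOCK is too small (MDEV-33301)` above the list keeps the persistent file capability explainable to whoever audits the RPM later. The `%caps(cap_ipc_lock=pe)` flags are consistent with the `+ep` used by the Debian postinst.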
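Review bot: When `setcap` is absent the `if command -v setcap` branch does nothing and reports nothing, so the binary is installed without cap_ipc_lock and the first symptom is a later `--memlock` failure; an `else` arm such as `echo "setcap not found: $PROGRAM will run without cap_ipc_lock (needed by --memlock, MDEV-33301)" >&2` makes that visible at install time. For the common case to work the package presumably needs libcap2-bin in Depends or Recommends; debian/control is not part of this diff, so please confirm. The stderr message also misspells `insufficent`. Since dpkg itself does not track file capabilities, re-applying on every `configure` run as this script does is the right choice, and is worth a sentence in the header comment.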
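Review bot: `capability ipc_lock,` is added without the rationale the postinst in this change carries, and profile files are often edited by administrators who will not trace the line back to MDEV-33301; a comment directly above it, `# ipc_lock: mlock() for --memlock (MDEV-33301)`, keeps the grant explainable. The profile now grants the capability unconditionally, which AppArmor cannot scope to the `--memlock` case, so documenting it is the only control available here. The enclosing profile block starts and ends outside the hunk.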
+++ b/support-files/policy/selinux/mariadb-server.te
@@ -25,7 +25,7 @@ require {
 class lnk_file read;
 class process { getattr signull };
 class unix_stream_socket connectto;
- class capability { sys_resource sys_nice };
+ class capability { ipc_lock sys_resource sys_nice };
 class tcp_socket { name_bind name_connect };
 class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
 class sock_file { create unlink getattr };
@@ -87,6 +87,8 @@ allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };
 # MariaDB additions
 allow mysqld_t self:process setpgid;
+allow mysqld_t self:capability { ipc_lock };
+
 # This rule allows port tcp/4444
 allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
 # This rule allows port tcp/4567 (tram_port_t may not be available on
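Review bot: `allow mysqld_t self:capability { ipc_lock };` is added without a comment, while the neighbouring rules in this block explain themselves (`# This rule allows port tcp/4444`); a line such as `# This rule allows mlock() for --memlock (MDEV-33301)` above it matches that style and pairs it with the `ipc_lock` added to the `require { class capability ... }` declaration in the earlier hunk. The rule is unconditional, so every mysqld_t instance gains the capability whether or not `--memlock` is configured; if the policy already uses booleans elsewhere, a tunable would let administrators keep it off, but that cannot be seen from these hunks. The require block and the remainder of the policy continue outside the hunks.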