Revert "MDEV-33636: RPM caps is on mariadbd exe"

This was the orginal implementation that reverted with a bunch of commits. This reverts commit a13e521. Revert "cmake: append to the array correctly" This reverts commit 51e3f1d. Revert "build failure with cmake < 3.10" This reverts commit 49cf702. Revert "MDEV-33301 memlock with systemd still not working" This reverts commit 8a1904d.
MariaDB · Mar 27, 2024 · ee2ed1a · ee2ed1a
1 parent 987a266
commit ee2ed1a
Show file tree

Hide file tree

Showing 4 changed files with 1 addition and 38 deletions.
diff --git a/cmake/cpack_rpm.cmake b/cmake/cpack_rpm.cmake
@@ -164,7 +164,6 @@ SET(CPACK_RPM_server_USER_FILELIST
     "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*"
     "%config(noreplace) ${INSTALL_SYSCONFDIR}/logrotate.d/mysql"
     )
-
 SET(CPACK_RPM_common_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONFDIR}/my.cnf")
 SET(CPACK_RPM_shared_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*")
 SET(CPACK_RPM_client_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*")
@@ -180,13 +179,6 @@ MACRO(SETA var)
   ENDFOREACH()
 ENDMACRO(SETA)
 
-IF (CMAKE_VERSION VERSION_GREATER 3.10.0)
-  # cmake bug #14362
-  SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
-      "%caps(cap_ipc_lock=pe) %{_sbindir}/mariadbd"
-      )
-ENDIF()
-
 SETA(CPACK_RPM_client_PACKAGE_OBSOLETES
   "mysql-client"
   "MySQL-client"

diff --git a/debian/mariadb-server-core-10.5.postinst b/debian/mariadb-server-core-10.5.postinst
diff --git a/support-files/policy/apparmor/usr.sbin.mysqld b/support-files/policy/apparmor/usr.sbin.mysqld
@@ -14,7 +14,6 @@
 
   capability chown,
   capability dac_override,
-  capability ipc_lock,
   capability setgid,
   capability setuid,
   capability sys_rawio,

diff --git a/support-files/policy/selinux/mariadb-server.te b/support-files/policy/selinux/mariadb-server.te
@@ -25,7 +25,7 @@ require {
 	class lnk_file read;
 	class process { getattr signull };
 	class unix_stream_socket connectto;
-	class capability { ipc_lock sys_resource sys_nice };
+	class capability { sys_resource sys_nice };
 	class tcp_socket { name_bind name_connect };
 	class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
 	class sock_file { create unlink getattr };
@@ -87,8 +87,6 @@ allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };
 
 # MariaDB additions
 allow mysqld_t self:process setpgid;
-allow mysqld_t self:capability { ipc_lock };
-
 # This rule allows port tcp/4444
 allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
 # This rule allows port tcp/4567 (tram_port_t may not be available on