From ee2ed1a036891239c102eab108e0b9d8d641ede0 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Wed, 20 Mar 2024 16:30:11 +1100
Subject: [PATCH] Revert "MDEV-33636: RPM caps is on mariadbd exe"

This was the orginal implementation that reverted with a bunch of commits.

This reverts commit a13e521bc51d3ad9bb6e8e6481a0c8dea3b648a7.

Revert "cmake: append to the array correctly"

This reverts commit 51e3f1daf54309d14fe8db438024d88aa110e86a.

Revert "build failure with cmake < 3.10"

This reverts commit 49cf702ee54040cefcab67f6758c233a6370f5d0.

Revert "MDEV-33301 memlock with systemd still not working"

This reverts commit 8a1904d7825f9897cd237fc6a1d8a57a9f2108de.
---
 cmake/cpack_rpm.cmake | 8 ------
 debian/mariadb-server-core-10.5.postinst | 26 -------------------
 support-files/policy/apparmor/usr.sbin.mysqld | 1 -
 .../policy/selinux/mariadb-server.te | 4 +--
 4 files changed, 1 insertion(+), 38 deletions(-)
 delete mode 100644 debian/mariadb-server-core-10.5.postinst

diff --git a/cmake/cpack_rpm.cmake b/cmake/cpack_rpm.cmake
index 9383ae8c13b..65a739dc03e 100644
--- a/cmake/cpack_rpm.cmake
+++ b/cmake/cpack_rpm.cmake
@@ -164,7 +164,6 @@ SET(CPACK_RPM_server_USER_FILELIST
 "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*"
 "%config(noreplace) ${INSTALL_SYSCONFDIR}/logrotate.d/mysql"
 )
-
 SET(CPACK_RPM_common_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONFDIR}/my.cnf")
 SET(CPACK_RPM_shared_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*")
 SET(CPACK_RPM_client_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*")
@@ -180,13 +179,6 @@ MACRO(SETA var)
 ENDFOREACH()
 ENDMACRO(SETA)
-IF (CMAKE_VERSION VERSION_GREATER 3.10.0)
- # cmake bug #14362
- SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
- "%caps(cap_ipc_lock=pe) %{_sbindir}/mariadbd"
- )
-ENDIF()
-
 SETA(CPACK_RPM_client_PACKAGE_OBSOLETES
 "mysql-client"
 "MySQL-client"
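Review bot: With the `%caps(cap_ipc_lock=pe) %{_sbindir}/mariadbd` entry gone, nothing near the server file list records that the packaged mariadbd now ships without a file capability, so `--memlock` is again limited by the service's RLIMIT_MEMLOCK, as the comment in the deleted Debian postinst describes for MDEV-33301. A one-line comment before the `SETA(CPACK_RPM_client_PACKAGE_OBSOLETES` call would spare the next reader a trip through the history: `# mariadbd is packaged without file capabilities; --memlock needs a sufficient RLIMIT_MEMLOCK (MDEV-33301)`. The same undocumented consequence applies to the AppArmor profile hunk and both SELinux hunks, where `ipc_lock` is withdrawn without a note. The `SETA(...)` call continues past the end of this hunk.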
diff --git a/debian/mariadb-server-core-10.5.postinst b/debian/mariadb-server-core-10.5.postinst
deleted file mode 100644
index 5f79bed2402..00000000000
--- a/debian/mariadb-server-core-10.5.postinst
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-
-set -e
-
-# inspired by iputils-ping
-#
-# cap_ipc_lock is required if a user wants to use --memlock
-# and has insufficient RLIMIT_MEMLOCK (MDEV-33301)
-
-PROGRAM=$(dpkg-divert --truename /usr/sbin/mysqld)
-
-if [ "$1" = configure ]; then
- # If we have setcap installed, try setting
- # which allows us to install our binaries without the setuid
- # bit.
- if command -v setcap > /dev/null; then
- if ! setcap cap_ipc_lock+ep "$PROGRAM"; then
- echo "Setcap failed on $PROGRAM, required with --memlock if insufficent RLIMIT_MEMLOCK" >&2
- fi
- fi
-fi
-
-
-#DEBHELPER#
-
-exit 0
diff --git a/support-files/policy/apparmor/usr.sbin.mysqld b/support-files/policy/apparmor/usr.sbin.mysqld
index 732f4b3a97a..c60ecd28531 100644
--- a/support-files/policy/apparmor/usr.sbin.mysqld
+++ b/support-files/policy/apparmor/usr.sbin.mysqld
@@ -14,7 +14,6 @@
 capability chown,
 capability dac_override,
- capability ipc_lock,
 capability setgid,
 capability setuid,
 capability sys_rawio,
diff --git a/support-files/policy/selinux/mariadb-server.te b/support-files/policy/selinux/mariadb-server.te
index ba53c97d4a8..89846063506 100644
--- a/support-files/policy/selinux/mariadb-server.te
+++ b/support-files/policy/selinux/mariadb-server.te
@@ -25,7 +25,7 @@ require {
 class lnk_file read;
 class process { getattr signull };
 class unix_stream_socket connectto;
- class capability { ipc_lock sys_resource sys_nice };
+ class capability { sys_resource sys_nice };
 class tcp_socket { name_bind name_connect };
 class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
 class sock_file { create unlink getattr };
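Review bot: Dropping `ipc_lock` from the `class capability` line of the `require` block makes the module fail to build if any `allow ... :capability { ipc_lock }` rule remains anywhere in the file. The only such rule visible, under `# MariaDB additions`, is removed in the following hunk, so the two hunks look consistent, but a `checkmodule` build of the module is the only way to confirm nothing outside these hunks still references it. The `require { ... }` block starts before this hunk.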
@@ -87,8 +87,6 @@ allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };
 # MariaDB additions
 allow mysqld_t self:process setpgid;
-allow mysqld_t self:capability { ipc_lock };
-
 # This rule allows port tcp/4444
 allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
 # This rule allows port tcp/4567 (tram_port_t may not be available on