Revert "MDEV-33636: RPM caps is on mariadbd exe"

This was the orginal implementation that reverted with a bunch of commits. This reverts commit a13e521b. Revert "cmake: append to the array correctly" This reverts commit 51e3f1da. Revert "build failure with cmake < 3.10" This reverts commit 49cf702e. Revert "MDEV-33301 memlock with systemd still not working" This reverts commit 8a1904d7.

Revert "MDEV-33636: RPM caps is on mariadbd exe"
This was the orginal implementation that reverted with a bunch of commits. This reverts commit a13e521b. Revert "cmake: append to the array correctly" This reverts commit 51e3f1da. Revert "build failure with cmake < 3.10" This reverts commit 49cf702e. Revert "MDEV-33301 memlock with systemd still not working" This reverts commit 8a1904d7.
ee2ed1a0 · Daniel Black · 987a266d · ee2ed1a0 · 987a266d · ee2ed1a0
Commit ee2ed1a0 authored Mar 20, 2024 by Daniel Black
4 changed files
--- a/cmake/cpack_rpm.cmake
+++ b/cmake/cpack_rpm.cmake
@@ -164,7 +164,6 @@ SET(CPACK_RPM_server_USER_FILELIST
    "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*"
    "%config(noreplace) ${INSTALL_SYSCONFDIR}/logrotate.d/mysql"
    )
-
 SET(CPACK_RPM_common_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONFDIR}/my.cnf")
 SET(CPACK_RPM_shared_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*")
 SET(CPACK_RPM_client_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*")
@@ -180,13 +179,6 @@ MACRO(SETA var)
  ENDFOREACH()
 ENDMACRO(SETA)

-IF (CMAKE_VERSION VERSION_GREATER 3.10.0)
-  # cmake bug #14362
-  SET(CPACK_RPM_server_USER_FILELIST ${CPACK_RPM_server_USER_FILELIST}
-      "%caps(cap_ipc_lock=pe) %{_sbindir}/mariadbd"
-      )
-ENDIF()
-
 SETA(CPACK_RPM_client_PACKAGE_OBSOLETES
  "mysql-client"
  "MySQL-client"

--- a/debian/mariadb-server-core-10.5.postinst
+++ b/debian/mariadb-server-core-10.5.postinst
-#!/bin/sh
-
-set -e
-
-# inspired by iputils-ping
-#
-# cap_ipc_lock is required if a user wants to use --memlock
-# and has insufficient RLIMIT_MEMLOCK (MDEV-33301)
-
-PROGRAM=$(dpkg-divert --truename /usr/sbin/mysqld)
-
-if [ "$1" = configure ]; then
-  # If we have setcap installed, try setting
-  # which allows us to install our binaries without the setuid
-  # bit.
-  if command -v setcap > /dev/null; then
-    if ! setcap cap_ipc_lock+ep "$PROGRAM"; then
-      echo "Setcap failed on $PROGRAM, required with --memlock if insufficent RLIMIT_MEMLOCK" >&2
-    fi
-  fi
-fi
-
-
-#DEBHELPER#
-
-exit 0
--- a/support-files/policy/apparmor/usr.sbin.mysqld
+++ b/support-files/policy/apparmor/usr.sbin.mysqld
@@ -14,7 +14,6 @@

  capability chown,
  capability dac_override,
-  capability ipc_lock,
  capability setgid,
  capability setuid,
  capability sys_rawio,

--- a/support-files/policy/selinux/mariadb-server.te
+++ b/support-files/policy/selinux/mariadb-server.te
@@ -25,7 +25,7 @@ require {
 	class lnk_file read;
 	class process { getattr signull };
 	class unix_stream_socket connectto;
-	class capability { ipc_lock sys_resource sys_nice };
+	class capability { sys_resource sys_nice };
 	class tcp_socket { name_bind name_connect };
 	class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
 	class sock_file { create unlink getattr };
@@ -87,8 +87,6 @@ allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };

 # MariaDB additions
 allow mysqld_t self:process setpgid;
-allow mysqld_t self:capability { ipc_lock };
-
 # This rule allows port tcp/4444
 allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
 # This rule allows port tcp/4567 (tram_port_t may not be available on