From a84c1d3cf5753f63eb212c9b2e757ab6421b1780 Mon Sep 17 00:00:00 2001
From: Lukas Javorsky
Date: Tue, 16 Mar 2021 12:43:28 +0100
Subject: [PATCH] Release the version 1.0.3

Delete setuid/setgid capabilities from mysqld_t
---
 mysql.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mysql.te b/mysql.te
index d9dcb32..e1e87d5 100644
--- a/mysql.te
+++ b/mysql.te
@@ -67,8 +67,8 @@ files_pid_file(mysqlmanagerd_var_run_t)
 # Local policy
 #
-allow mysqld_t self:capability { dac_read_search ipc_lock setgid setuid sys_nice sys_resource net_bind_service };
-dontaudit mysqld_t self:capability sys_tty_config;
+allow mysqld_t self:capability { dac_read_search ipc_lock sys_nice sys_resource net_bind_service };
+dontaudit mysqld_t self:capability sys_tty_config
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
@@ -196,6 +196,7 @@ optional_policy(`
 # Local mysqld_safe policy
 #
+# setuig/setgid may be used in mysqld_safe and mysqld_safe_helper
 allow mysqld_safe_t self:capability { chown dac_read_search setgid setuid fowner kill sys_nice sys_resource };
 dontaudit mysqld_safe_t self:capability sys_ptrace;
 allow mysqld_safe_t self:process { setsched getsched setrlimit };
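Review bot: The rewritten `dontaudit mysqld_t self:capability sys_tty_config` line in the first hunk has lost the trailing semicolon that the removed line carried, so the policy module will no longer parse; it should read `dontaudit mysqld_t self:capability sys_tty_config;`. Removing setgid and setuid from mysqld_t is only safe if mysqld is never launched as root and left to drop privileges itself; the second hunk keeps both capabilities on mysqld_safe_t, which suggests that wrapper is the intended privilege-dropping path, but a daemon started directly as root under mysqld_t would presumably now hit an AVC denial on its own setuid/setgid. That assumption is worth recording next to the allow line, e.g. `# setuid/setgid intentionally absent: mysqld is expected to already run as the mysql user (see mysqld_safe_t)`.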
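Review bot: The comment added in the second hunk misspells the capability name, `setuig`; it should read `# setuid/setgid may be used in mysqld_safe and mysqld_safe_helper`. Since the same two capabilities are removed from mysqld_t in the first hunk of this commit, the comment would be more useful if it also said why they are retained here, for instance that mysqld_safe_t is the domain expected to switch to the service user before mysqld runs, if that is indeed the reason.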