in MySQL, revoke a privilege after granting a general privilege

Using standard SQL - I have done this repeatedly in PostgreSQL and Oracle - I wish to grant a SELECT to all tables in schema1 except secret to user1

grant select on schema1.* to user1;
revoke select on schema1.users from user1;

Received error:

ERROR 1147 (42000): There is no such grant defined for user 'user1' on host '%' on table 'secret'

What am I doing wrong?


Evidently this is standard MySQL behavior!!

Makes it easier to understand the lack of security sophistication in apps using MySQL - to set up correct user security in MySQL is insanely difficult.


Nothing. MySQL doesn't expand the schema1.* wildcard to the individual tables, nor does it store "exceptions". The permissions tables store the granted permissions. Therefore, since you didn't actually grant anything on schema1.users, there's nothing for MySQL to revoke. It just comes down to how MySQL handles permissions.
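
An added example, not part of the original answer: one way to get the intended result is to drop the database-level grant and issue table-level grants for everything except the protected table. The names schema1, user1 and users come from the question and the host '%' from the error message; the generator query is an assumption about how you would build the statements.

```sql
-- Added example, not from the original thread.
-- Assumes MySQL, account 'user1'@'%', and that schema1.users is the table to withhold.

-- 1. Remove the database-level grant. It is stored as a single row in mysql.db
--    and covers every table in schema1, including tables created later.
REVOKE SELECT ON schema1.* FROM 'user1'@'%';

-- 2. Generate one table-level GRANT per table (and view), skipping the protected one.
--    Review the output, then execute the generated statements.
SELECT CONCAT('GRANT SELECT ON `', table_schema, '`.`', table_name,
              '` TO ''user1''@''%'';') AS stmt
FROM information_schema.tables
WHERE table_schema = 'schema1'
  AND table_name <> 'users';

-- 3. Verify: the database-level row should be gone ...
SELECT host, db, user, select_priv
FROM mysql.db
WHERE user = 'user1' AND host = '%' AND db = 'schema1';

-- ... and each allowed table should have its own row in mysql.tables_priv,
--     with no row for the protected table.
SELECT table_name, table_priv
FROM mysql.tables_priv
WHERE user = 'user1' AND host = '%' AND db = 'schema1'
ORDER BY table_name;

-- 4. The account's effective grants, as MySQL reports them.
SHOW GRANTS FOR 'user1'@'%';
```

Table-level grants do not extend to tables created afterwards, so each new table in schema1 needs its own GRANT before user1 can read it.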
