From: | Kohei Kaigai <Kohei(dot)Kaigai(at)EU(dot)NEC(dot)COM> |
---|---|
To: | Kohei Kaigai <Kohei(dot)Kaigai(at)EU(dot)NEC(dot)COM>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, PgHacker <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: sepgsql contrib module |
Date: | 2011-02-17 08:56:46 |
Message-ID: | A9F5079BABDEE646AEBDB6831725762C4205B977F3@EUEXCLU01.EU.NEC.COM |
Lists: | pgsql-hackers |
The attached patch removes the rules to build a policy package for the regression
test and modifies the documentation part to introduce steps to run the test.
Thanks,
--
NEC Europe Ltd, Global Competence Center
KaiGai Kohei <kohei(dot)kaigai(at)eu(dot)nec(dot)com>
> -----Original Message-----
> From: Kohei Kaigai
> Sent: 15 February 2011 18:27
> To: 'Robert Haas'; Tom Lane
> Cc: Andrew Dunstan; Stephen Frost; KaiGai Kohei; PgHacker
> Subject: RE: [HACKERS] sepgsql contrib module
>
>
>
> > -----Original Message-----
> > From: Robert Haas [mailto:robertmhaas(at)gmail(dot)com]
> > Sent: 15 February 2011 16:52
> > To: Tom Lane
> > Cc: Andrew Dunstan; Kohei Kaigai; Stephen Frost; KaiGai Kohei; PgHacker
> > Subject: Re: [HACKERS] sepgsql contrib module
> >
> > On Tue, Feb 15, 2011 at 11:41 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > > Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> > >> On Tue, Feb 15, 2011 at 11:01 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > >>> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> > >>>> Those are good points. My point was just that you can't actually
> > >>>> build that file at the time you RUN the regression tests, because you
> > >>>> have to build it first, then install it, then run the regression
> > >>>> tests. It could be a separate target, like 'make policy', but I don't
> > >>>> think it works to make it part of 'make installcheck'.
> > >
> > >>> So? Once you admit that you can do that, it's a matter of a couple more
> > >>> lines to make the installcheck target depend on the policy target iff
> > >>> selinux was enabled.
> > >
> > >> Sure, you could do that, but I don't see what problem it would fix.
> > >> You'd still have to build and manually install the policy before you
> > >> could run make installcheck. And once you've done that, you don't
> > >> need to rebuild it every future time you run make installcheck.
> > >
> > > Oh, I see: you're pointing out the root-only "semodule" step that has to
> > > be done in between there. Good point. But the current arrangement is
> > > still a mistake: the required contents of sepgsql-regtest.pp depend on
> > > the configuration of the test system, which can't be known at build
> > > time.
> > >
> > > So what we should do is offer a "make policy" target and alter the test
> > > instructions to say you should do that and then run semodule. Or maybe
> > > just put the whole "make -f /usr/share/selinux/devel/Makefile" dance
> > > into the instructions --- it doesn't look to me like our makefile
> > > infrastructure really has anything useful to add to that.
> >
> > Yeah, agreed.
> >
> I also agree with this direction. The policy type depends on individual
> installations; it is not easy to assume at build time.
> Please wait for a small patch to remove this rule from the Makefile and update
> the documentation.
>
> As a side note, we can have a build option that does not require selinux
> to be enabled.
> The reason why Makefile of selinux tries to /selinux/mls is that we don't
> specify MLS=1 or MLS=0 explicitly.
> IIRC, the specfile of RHEL/Fedora gives all the Makefile parameters
> explicitly, thus, selinux does not need to be enabled on the build server.
> However, it is not a solution in this case. It is not easy to estimate the
> required policy type and existence of MLS support at build time.
>
> Thanks,
> --
> NEC Europe Ltd, Global Competence Center
> KaiGai Kohei <kohei(dot)kaigai(at)eu(dot)nec(dot)com>
Attachment | Content-Type | Size |
---|---|---|
sepgsql-policy.1.patch | application/octet-stream | 2.1 KB |