Re: sepgsql contrib module

From: Kohei Kaigai <Kohei(dot)Kaigai(at)EU(dot)NEC(dot)COM>
To: Kohei Kaigai <Kohei(dot)Kaigai(at)EU(dot)NEC(dot)COM>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, PgHacker <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: sepgsql contrib module
Date: 2011-02-17 08:56:46
Message-ID: A9F5079BABDEE646AEBDB6831725762C4205B977F3@EUEXCLU01.EU.NEC.COM
Lists: pgsql-hackers

The attached patch removes the rules to build a policy package for the regression
test and modifies the documentation to introduce steps to run the test.

Thanks,
--
NEC Europe Ltd, Global Competence Center
KaiGai Kohei <kohei(dot)kaigai(at)eu(dot)nec(dot)com>

> -----Original Message-----
> From: Kohei Kaigai
> Sent: 15 February 2011 18:27
> To: 'Robert Haas'; Tom Lane
> Cc: Andrew Dunstan; Stephen Frost; KaiGai Kohei; PgHacker
> Subject: RE: [HACKERS] sepgsql contrib module
>
>
>
> > -----Original Message-----
> > From: Robert Haas [mailto:robertmhaas(at)gmail(dot)com]
> > Sent: 15 February 2011 16:52
> > To: Tom Lane
> > Cc: Andrew Dunstan; Kohei Kaigai; Stephen Frost; KaiGai Kohei; PgHacker
> > Subject: Re: [HACKERS] sepgsql contrib module
> >
> > On Tue, Feb 15, 2011 at 11:41 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > > Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> > >> On Tue, Feb 15, 2011 at 11:01 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > >>> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> > >>>> Those are good points.  My point was just that you can't actually
> > >>>> build that file at the time you RUN the regression tests, because you
> > >>>> have to build it first, then install it, then run the regression
> > >>>> tests.  It could be a separate target, like 'make policy', but I don't
> > >>>> think it works to make it part of 'make installcheck'.
> > >
> > >>> So?  Once you admit that you can do that, it's a matter of a couple more
> > >>> lines to make the installcheck target depend on the policy target iff
> > >>> selinux was enabled.
> > >
> > >> Sure, you could do that, but I don't see what problem it would fix.
> > >> You'd still have to build and manually install the policy before you
> > >> could run make installcheck.  And once you've done that, you don't
> > >> need to rebuild it every future time you run make installcheck.
> > >
> > > Oh, I see: you're pointing out the root-only "semodule" step that has to
> > > be done in between there.  Good point.  But the current arrangement is
> > > still a mistake: the required contents of sepgsql-regtest.pp depend on
> > > the configuration of the test system, which can't be known at build
> > > time.
> > >
> > > So what we should do is offer a "make policy" target and alter the test
> > > instructions to say you should do that and then run semodule.  Or maybe
> > > just put the whole "make -f /usr/share/selinux/devel/Makefile" dance
> > > into the instructions --- it doesn't look to me like our makefile
> > > infrastructure really has anything useful to add to that.
> >
> > Yeah, agreed.
> >
> I also agree with this direction. The policy type depends on the individual
> installation; it is not easy to assume at build time.
> Please wait for a small patch to remove this rule from the Makefile and update
> the documentation.
>
> As a side note, we can have a build option that does not require selinux
> to be enabled.
> The reason why the Makefile of selinux tries to access /selinux/mls is that we
> don't specify MLS=1 or MLS=0 explicitly.
> IIRC, the specfile of RHEL/Fedora gives all the Makefile parameters
> explicitly; thus, selinux does not need to be enabled on the build server.
> However, it is not a solution in this case. It is not easy to estimate the
> required policy type and the existence of MLS support at build time.
>
> Thanks,
> --
> NEC Europe Ltd, Global Competence Center
> KaiGai Kohei <kohei(dot)kaigai(at)eu(dot)nec(dot)com>

Attachment: sepgsql-policy.1.patch (application/octet-stream, 2.1 KB)
