Re: contrib/sepgsql regression tests have been broken for months

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Joe Conway <mail(at)joeconway(dot)com>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: contrib/sepgsql regression tests have been broken for months
Date: 2025-10-29 23:36:03
Message-ID: 2922181.1761780963@sss.pgh.pa.us
Lists: pgsql-hackers

I wrote:
> ... I think the expectation is that you turned on
> sepgsql_regression_test_mode manually before enabling this buildfarm
> test. I don't understand how < 18 would be passing if it weren't on,
> so the likely bet is that the test_sepgsql script is mistaken about
> how it's checking that. Said script does work for me, but maybe
> RHEL7's getsebool output is different from later versions?

No, wait ... test_sepgsql is what we were using before, but 18 and
HEAD should be running contrib/sepgsql/t/001_sepgsql.pl. And
rhino's HEAD run does reflect that:

[15:04:03.343](0.010s) # checking selinux environment
[15:04:03.343](0.000s) # checking for matchpathcon
[15:04:03.353](0.010s) # checking for runcon
[15:04:03.361](0.008s) # checking for sestatus
[15:04:03.366](0.005s) # checking current user domain
[15:04:03.372](0.006s) # current user domain is 'unconfined_t'
[15:04:03.373](0.000s) # checking selinux operating mode
[15:04:03.380](0.007s) # current operating mode is 'enforcing'
[15:04:03.380](0.000s) # checking for sepgsql-regtest policy
[15:04:03.387](0.007s) # checking whether policy is enabled
[15:04:03.391](0.005s) # sepgsql_regression_test_mode is 'off'
[15:04:03.392](0.000s) #
# The SELinux boolean 'sepgsql_regression_test_mode' must be
# turned on in order to enable the rules necessary to run the
# regression tests.

I poked around in the buildfarm client and was surprised to
find that the old TestSepgsql.pm module does in fact expect
to have sudo privileges, and it seems to install, enable,
and eventually remove the sepgsql-regtest kernel module.

I thought we were trying to get rid of that requirement though.
(For sure, you won't ever see me running the buildfarm
client under a sudo-capable account.) I think the new idea
is to leave the module installed and active, which is kind
of problematic if we want to also use TestSepgsql.pm in the
back branches.

I also don't quite understand how 001_sepgsql.pl's "checking for
sepgsql-regtest policy" test is passing if the previous
TestSepgsql.pm run removed that module ...

regards, tom lane
