Re: contrib/sepgsql regression tests are a no-go

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> On Tue, Sep 27, 2011 at 3:39 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Accordingly, the attached patch does what I suggested above, namely dike
>> out the Makefile's knowledge of how to run the regression tests and put
>> it into the chkselinuxenv script.

> Seems fine. The rename is definitely needed. We may want to
> back-patch this into 9.1 to avoid the headache of dealing with this
> for 5 years.

I'm definitely gonna back-patch it, because otherwise I'll be carrying
it as a RHEL and Fedora patch for that long ;-)

>> I have not touched the documentation, either. One thing I'd like to do
>> is adjust both the SGML documentation and the hints printed by the
>> script to uniformly use "sudo ...root-privileged-command..." rather than
>> recommending use of "su".

> I think that's your own preference showing. How about just telling
> people to run the commands as root without specifying how they should
> accomplish that?

Well, maybe, but it seems hard to do without being verbose. If you just
say

$ sudo blah blah blah

the meaning is obvious (or if it isn't, you got no business playing with
SELinux anyway), and you can easily include, or not, the "sudo" part when
copying and pasting the command. Right now we've got things like

$ cd .../contrib/sepgsql
$ make -f /usr/share/selinux/devel/Makefile
$ su
# semodule -u sepgsql-regtest.pp
# semodule -l | grep sepgsql
sepgsql-regtest 1.03

What I'd prefer is

$ cd .../contrib/sepgsql
$ make -f /usr/share/selinux/devel/Makefile
$ sudo semodule -u sepgsql-regtest.pp
$ sudo semodule -l | grep sepgsql
sepgsql-regtest 1.03

If I have to break up the recipe with annotations like "run this part as
root" and then "these commands no longer need root", I don't think
that's going to be an improvement over either of the above.

regards, tom lane