Re: sepgsql contrib module

> -----Original Message-----
> From: Robert Haas [mailto:robertmhaas(at)gmail(dot)com]
> Sent: 15 February 2011 16:52
> To: Tom Lane
> Cc: Andrew Dunstan; Kohei Kaigai; Stephen Frost; KaiGai Kohei; PgHacker
> Subject: Re: [HACKERS] sepgsql contrib module
>
> On Tue, Feb 15, 2011 at 11:41 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> >> On Tue, Feb 15, 2011 at 11:01 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> >>> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> >>>> Those are good points.  My point was just that you can't actually
> >>>> build that file at the time you RUN the regression tests, because you
> >>>> have to build it first, then install it, then run the regression
> >>>> tests.  It could be a separate target, like 'make policy', but I don't
> >>>> think it works to make it part of 'make installcheck'.
> >
> >>> So?  Once you admit that you can do that, it's a matter of a couple
> more
> >>> lines to make the installcheck target depend on the policy target iff
> >>> selinux was enabled.
> >
> >> Sure, you could do that, but I don't see what problem it would fix.
> >> You'd still have to build and manually install the policy before you
> >> could run make installcheck.  And once you've done that, you don't
> >> need to rebuild it every future time you run make installcheck.
> >
> > Oh, I see: you're pointing out the root-only "semodule" step that has
> to
> > be done in between there.  Good point.  But the current arrangement is
> > still a mistake: the required contents of sepgsql-regtest.pp depend on
> > the configuration of the test system, which can't be known at build
> > time.
> >
> > So what we should do is offer a "make policy" target and alter the test
> > instructions to say you should do that and then run semodule.  Or maybe
> > just put the whole "make -f /usr/share/selinux/devel/Makefile" dance
> > into the instructions --- it doesn't look to me like our makefile
> > infrastructure really has anything useful to add to that.
>
> Yeah, agreed.
>
I also agree with this direction. The policy type depends on individual installations,
it is not easy to assume on build time.
Please wait for a small patch to remove this rule from Makefile and update documentation.

As a side note, we can have a build option that does not require selinux enabled.
The reason why Makefile of selinux tries to /selinux/mls is that we don't specify
MLS=1 or MLS=0 explicitly.
IIRC, the specfile of RHEL/Fedora gives all the Makefile parameters explicitly, thus,
selinux does not need to be enabled on the build server.
However, it is not a solution in this case. It is not easy to estimate the required
policy type and existence of MLS support on build time.

Thanks,
--
NEC Europe Ltd, Global Competence Center
KaiGai Kohei <kohei(dot)kaigai(at)eu(dot)nec(dot)com>