Re: sepgsql contrib module

On Tue, Feb 15, 2011 at 11:41 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>> On Tue, Feb 15, 2011 at 11:01 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>>>> Those are good points.  My point was just that you can't actually
>>>> build that file at the time you RUN the regression tests, because you
>>>> have to build it first, then install it, then run the regression
>>>> tests.  It could be a separate target, like 'make policy', but I don't
>>>> think it works to make it part of 'make installcheck'.
>
>>> So?  Once you admit that you can do that, it's a matter of a couple more
>>> lines to make the installcheck target depend on the policy target iff
>>> selinux was enabled.
>
>> Sure, you could do that, but I don't see what problem it would fix.
>> You'd still have to build and manually install the policy before you
>> could run make installcheck.  And once you've done that, you don't
>> need to rebuild it every future time you run make installcheck.
>
> Oh, I see: you're pointing out the root-only "semodule" step that has to
> be done in between there.  Good point.  But the current arrangement is
> still a mistake: the required contents of sepgsql-regtest.pp depend on
> the configuration of the test system, which can't be known at build
> time.
>
> So what we should do is offer a "make policy" target and alter the test
> instructions to say you should do that and then run semodule.  Or maybe
> just put the whole "make -f /usr/share/selinux/devel/Makefile" dance
> into the instructions --- it doesn't look to me like our makefile
> infrastructure really has anything useful to add to that.

Yeah, agreed.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company