Robert Haas wrote:
> On Tue, Sep 27, 2011 at 6:30 PM, Tom Lane<tgl@sss.pgh.pa.us> wrote:
<snip>
>>
>> If I have to break up the recipe with annotations like "run this part as
>> root" and then "these commands no longer need root", I don't think
>> that's going to be an improvement over either of the above.
>
> Fair enough, I'm not going to get bent out of shape about it. There's
> some aesthetic value in the way you're proposing, and anyone who is
> doing this ought to know enough to make the details of how you write
> it out mostly irrelevant.
>
Long term a better option may be to use mocking to test policy
enforcement without modifying the system policy.
I've used test-dept <http://code.google.com/p/test-dept/> on a couple
projects and while it is a huge pain to get up and running it is very
nice for mocking outside code (in this case libselinux calls) and
getting predictable output to test your functionality. It would also let
you run the tests on a non-SELinux system.
There are other c mocking frameworks, this is just the one I have
experience with. test-dept might not be suitable for Postgres because it
uses arch-specific awk scripts to munge symbol tables, and only supports
x86, x86_64 and sparc right now.