Re: sepgsql contrib module
From | Kohei Kaigai |
---|---|
Subject | Re: sepgsql contrib module |
Date | |
Msg-id | A9F5079BABDEE646AEBDB6831725762C4205B974B3@EUEXCLU01.EU.NEC.COM |
In reply to | Re: sepgsql contrib module (Robert Haas <robertmhaas@gmail.com>) |
List | pgsql-hackers |
> -----Original Message-----
> From: Robert Haas [mailto:robertmhaas@gmail.com]
> Sent: 15 February 2011 16:52
> To: Tom Lane
> Cc: Andrew Dunstan; Kohei Kaigai; Stephen Frost; KaiGai Kohei; PgHacker
> Subject: Re: [HACKERS] sepgsql contrib module
>
> On Tue, Feb 15, 2011 at 11:41 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > Robert Haas <robertmhaas@gmail.com> writes:
> >> On Tue, Feb 15, 2011 at 11:01 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> >>> Robert Haas <robertmhaas@gmail.com> writes:
> >>>> Those are good points. My point was just that you can't actually
> >>>> build that file at the time you RUN the regression tests, because you
> >>>> have to build it first, then install it, then run the regression
> >>>> tests. It could be a separate target, like 'make policy', but I don't
> >>>> think it works to make it part of 'make installcheck'.
> >
> >>> So? Once you admit that you can do that, it's a matter of a couple more
> >>> lines to make the installcheck target depend on the policy target iff
> >>> selinux was enabled.
> >
> >> Sure, you could do that, but I don't see what problem it would fix.
> >> You'd still have to build and manually install the policy before you
> >> could run make installcheck. And once you've done that, you don't
> >> need to rebuild it every future time you run make installcheck.
> >
> > Oh, I see: you're pointing out the root-only "semodule" step that has to
> > be done in between there. Good point. But the current arrangement is
> > still a mistake: the required contents of sepgsql-regtest.pp depend on
> > the configuration of the test system, which can't be known at build
> > time.
> >
> > So what we should do is offer a "make policy" target and alter the test
> > instructions to say you should do that and then run semodule. Or maybe
> > just put the whole "make -f /usr/share/selinux/devel/Makefile" dance
> > into the instructions --- it doesn't look to me like our makefile
> > infrastructure really has anything useful to add to that.
>
> Yeah, agreed.
>

I also agree with this direction.
The policy type depends on individual installations, it is not easy to
assume on build time.
Please wait for a small patch to remove this rule from Makefile and
update documentation.

As a side note, we can have a build option that does not require
selinux enabled. The reason why Makefile of selinux tries to /selinux/mls
is that we don't specify MLS=1 or MLS=0 explicitly.
IIRC, the specfile of RHEL/Fedora gives all the Makefile parameters
explicitly, thus, selinux does not need to be enabled on the build server.

However, it is not a solution in this case. It is not easy to estimate
the required policy type and existence of MLS support on build time.

Thanks,
--
NEC Europe Ltd, Global Competence Center
KaiGai Kohei <kohei.kaigai@eu.nec.com>