Re: sepgsql contrib module
От | Kohei Kaigai |
---|---|
Тема | Re: sepgsql contrib module |
Дата | |
Msg-id | A9F5079BABDEE646AEBDB6831725762C4205B977F3@EUEXCLU01.EU.NEC.COM обсуждение исходный текст |
Ответ на | Re: sepgsql contrib module (Robert Haas <robertmhaas@gmail.com>) |
Список | pgsql-hackers |
The attached patch removes rules to build a policy package for regression test and modifies documentation part to introduce steps to run the test. Thanks, -- NEC Europe Ltd, Global Competence Center KaiGai Kohei <kohei.kaigai@eu.nec.com> > -----Original Message----- > From: Kohei Kaigai > Sent: 15 February 2011 18:27 > To: 'Robert Haas'; Tom Lane > Cc: Andrew Dunstan; Stephen Frost; KaiGai Kohei; PgHacker > Subject: RE: [HACKERS] sepgsql contrib module > > > > > -----Original Message----- > > From: Robert Haas [mailto:robertmhaas@gmail.com] > > Sent: 15 February 2011 16:52 > > To: Tom Lane > > Cc: Andrew Dunstan; Kohei Kaigai; Stephen Frost; KaiGai Kohei; PgHacker > > Subject: Re: [HACKERS] sepgsql contrib module > > > > On Tue, Feb 15, 2011 at 11:41 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > > Robert Haas <robertmhaas@gmail.com> writes: > > >> On Tue, Feb 15, 2011 at 11:01 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > >>> Robert Haas <robertmhaas@gmail.com> writes: > > >>>> Those are good points. My point was just that you can't actually > > >>>> build that file at the time you RUN the regression tests, because > you > > >>>> have to build it first, then install it, then run the regression > > >>>> tests. It could be a separate target, like 'make policy', but I > don't > > >>>> think it works to make it part of 'make installcheck'. > > > > > >>> So? Once you admit that you can do that, it's a matter of a couple > > more > > >>> lines to make the installcheck target depend on the policy target > iff > > >>> selinux was enabled. > > > > > >> Sure, you could do that, but I don't see what problem it would fix. > > >> You'd still have to build and manually install the policy before you > > >> could run make installcheck. And once you've done that, you don't > > >> need to rebuild it every future time you run make installcheck. > > > > > > Oh, I see: you're pointing out the root-only "semodule" step that has > > to > > > be done in between there. Good point. But the current arrangement > is > > > still a mistake: the required contents of sepgsql-regtest.pp depend > on > > > the configuration of the test system, which can't be known at build > > > time. > > > > > > So what we should do is offer a "make policy" target and alter the test > > > instructions to say you should do that and then run semodule. Or maybe > > > just put the whole "make -f /usr/share/selinux/devel/Makefile" dance > > > into the instructions --- it doesn't look to me like our makefile > > > infrastructure really has anything useful to add to that. > > > > Yeah, agreed. > > > I also agree with this direction. The policy type depends on individual > installations, > it is not easy to assume on build time. > Please wait for a small patch to remove this rule from Makefile and update > documentation. > > As a side note, we can have a build option that does not require selinux > enabled. > The reason why Makefile of selinux tries to /selinux/mls is that we don't > specify > MLS=1 or MLS=0 explicitly. > IIRC, the specfile of RHEL/Fedora gives all the Makefile parameters > explicitly, thus, > selinux does not need to be enabled on the build server. > However, it is not a solution in this case. It is not easy to estimate the > required > policy type and existence of MLS support on build time. > > Thanks, > -- > NEC Europe Ltd, Global Competence Center > KaiGai Kohei <kohei.kaigai@eu.nec.com>
Вложения
В списке pgsql-hackers по дате отправления:
Следующее
От: Lukas EderДата:
Сообщение: Re: Fwd: [JDBC] Weird issues when reading UDT from stored function