Обсуждение: contrib/sepgsql regression tests have been broken for months

I tried to run contrib/sepgsql's regression tests today, and was
rather astonished when they failed.  Investigating, there are
some context lines like "LINE 1: ALTER TABLE regtest_table_4
ALTER COLUMN y TYPE float;" in the test output that were not there
before.  A bit of bisecting showed that the change happened with

65281391a937293db7fa747be218def0e9794550 is the first bad commit
commit 65281391a937293db7fa747be218def0e9794550 (HEAD)
Author: Michael Paquier <michael@paquier.xyz>
Date:   Mon Jan 27 13:51:23 2025 +0900

    Print out error position for some ALTER TABLE ALTER COLUMN type

So, okay, that's a perfectly respectable thing to do, and I can't
really fault Michael or Jian for not having tested its effects on
sepgsql.  But how come it took this long to notice?

I think that rhinoceros is the only BF member testing with
--with-selinux.  Looking at its logs, it is running the sepgsql tests
(as a custom module) in v17 and before, but not in v18 or HEAD.
I suppose that this is a consequence of trying to rely on the
TAP-test infrastructure that was installed by aeb8ea361 (just a few
days before the aforesaid change, as luck would have it).  That TAP
test does work for me, but it does not run on rhinoceros because
(1) there's no --enable-tap-tests in its configure command, and
(2) it doesn't set up environment variable PG_TEST_EXTRA to include
"sepgsql".

Anyway, we seem to need the attached in v18 and HEAD,
and we really ought to get BF coverage going again.

            regards, tom lane

diff --git a/contrib/sepgsql/expected/ddl.out b/contrib/sepgsql/expected/ddl.out
index 7e8deae4f93..accb903f5ce 100644
--- a/contrib/sepgsql/expected/ddl.out
+++ b/contrib/sepgsql/expected/ddl.out
@@ -304,6 +304,8 @@ ALTER TABLE regtest_table_4 ALTER COLUMN y TYPE float;
 LOG:  SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
tcontext=unconfined_u:object_r:sepgsql_schema_t:s0tclass=db_schema name="regtest_schema" permissive=0 
 LOG:  SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
tcontext=system_u:object_r:sepgsql_schema_t:s0tclass=db_schema name="public" permissive=0 
 LOG:  SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
tcontext=system_u:object_r:sepgsql_schema_t:s0tclass=db_schema name="pg_catalog" permissive=0 
+LINE 1: ALTER TABLE regtest_table_4 ALTER COLUMN y TYPE float;
+                                                        ^
 LOG:  SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
tcontext=system_u:object_r:sepgsql_schema_t:s0tclass=db_schema name="pg_catalog" permissive=0 
 LOG:  SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
tcontext=unconfined_u:object_r:sepgsql_table_t:s0tclass=db_column name="regtest_schema.regtest_table_4.y" permissive=0 
 LOG:  SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
tcontext=system_u:object_r:sepgsql_proc_exec_t:s0tclass=db_procedure name="pg_catalog.float8(integer)" permissive=0 
@@ -388,7 +390,11 @@ ALTER TABLE regtest_ptable_4 ALTER COLUMN y TYPE float;
 LOG:  SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
tcontext=unconfined_u:object_r:sepgsql_schema_t:s0tclass=db_schema name="regtest_schema" permissive=0 
 LOG:  SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
tcontext=system_u:object_r:sepgsql_schema_t:s0tclass=db_schema name="public" permissive=0 
 LOG:  SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
tcontext=system_u:object_r:sepgsql_schema_t:s0tclass=db_schema name="pg_catalog" permissive=0 
+LINE 1: ALTER TABLE regtest_ptable_4 ALTER COLUMN y TYPE float;
+                                                         ^
 LOG:  SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
tcontext=system_u:object_r:sepgsql_schema_t:s0tclass=db_schema name="pg_catalog" permissive=0 
+LINE 1: ALTER TABLE regtest_ptable_4 ALTER COLUMN y TYPE float;
+                                                         ^
 LOG:  SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
tcontext=system_u:object_r:sepgsql_schema_t:s0tclass=db_schema name="pg_catalog" permissive=0 
 LOG:  SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
tcontext=unconfined_u:object_r:sepgsql_table_t:s0tclass=db_column name="regtest_schema.regtest_ptable_4.y" permissive=0 
 LOG:  SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0
tcontext=system_u:object_r:sepgsql_schema_t:s0tclass=db_schema name="pg_catalog" permissive=0 

On Thu, Oct 23, 2025 at 05:36:01PM -0400, Tom Lane wrote:
> So, okay, that's a perfectly respectable thing to do, and I can't
> really fault Michael or Jian for not having tested its effects on
> sepgsql.  But how come it took this long to notice?

Oops.  I would have taken care of that should I have known...  I check
the compilation of sepgsql, but the tests require dependencies that
are too heavy so it has always been some copy-paste operation when the
buildfarm got angry on this test suite (combined with hopes to not
break the tests).

> I think that rhinoceros is the only BF member testing with
> --with-selinux.

I recall so, yes.

> Anyway, we seem to need the attached in v18 and HEAD,
> and we really ought to get BF coverage going again.

Thanks for sending a patch (and 0758111f5d35)!
--
Michael

On 10/24/25 17:36, Tom Lane wrote:
> I think that rhinoceros is the only BF member testing with
> --with-selinux. 

Yes, as far as I know anyway.

> Looking at its logs, it is running the sepgsql tests (as a custom module) in
> v17 and before, but not in v18 or HEAD. I suppose that this is a consequence
> of trying to rely on the TAP-test infrastructure that was installed by
> aeb8ea361 (just a few days before the aforesaid change, as luck would have
> it).  That TAP test does work for me, but it does not run on rhinoceros
> because (1) there's no --enable-tap-tests in its configure command, and (2)
> it doesn't set up environment variable PG_TEST_EXTRA to include "sepgsql".
> 
> Anyway, we seem to need the attached in v18 and HEAD,
> and we really ought to get BF coverage going again.

I will make those changes (and hope nothing breaks).

-- 
Joe Conway
PostgreSQL Contributors Team
Amazon Web Services: https://aws.amazon.com

On 10/24/25 07:49, Joe Conway wrote:
> On 10/24/25 17:36, Tom Lane wrote:
>> Anyway, we seem to need the attached in v18 and HEAD,
>> and we really ought to get BF coverage going again.
> 
> I will make those changes (and hope nothing breaks).

And of course they did break :-(

Rhino is still running on RHEL 7.9 and it seems that needed perl RPMs are no 
longer in the yum repo. I will need some time to sort it out, but am on the road 
through the weekend, so it might be until sometime next week when I get enough 
'round tuits' to get it resolved.

-- 
Joe Conway
PostgreSQL Contributors Team
Amazon Web Services: https://aws.amazon.com

On 2025-Oct-23, Tom Lane wrote:

> I think that rhinoceros is the only BF member testing with
> --with-selinux.

As I recall, there is/was one other animal doing it, but I don't
remember which one it is.

-- 
Álvaro Herrera         PostgreSQL Developer  —  https://www.EnterpriseDB.com/