Re: sepgsql contrib module

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> On Tue, Feb 15, 2011 at 11:01 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>>> Those are good points. My point was just that you can't actually
>>> build that file at the time you RUN the regression tests, because you
>>> have to build it first, then install it, then run the regression
>>> tests. It could be a separate target, like 'make policy', but I don't
>>> think it works to make it part of 'make installcheck'.

>> So? Once you admit that you can do that, it's a matter of a couple more
>> lines to make the installcheck target depend on the policy target iff
>> selinux was enabled.

> Sure, you could do that, but I don't see what problem it would fix.
> You'd still have to build and manually install the policy before you
> could run make installcheck. And once you've done that, you don't
> need to rebuild it every future time you run make installcheck.

Oh, I see: you're pointing out the root-only "semodule" step that has to
be done in between there. Good point. But the current arrangement is
still a mistake: the required contents of sepgsql-regtest.pp depend on
the configuration of the test system, which can't be known at build
time.

So what we should do is offer a "make policy" target and alter the test
instructions to say you should do that and then run semodule. Or maybe
just put the whole "make -f /usr/share/selinux/devel/Makefile" dance
into the instructions --- it doesn't look to me like our makefile
infrastructure really has anything useful to add to that.

regards, tom lane