Re: [v9.1] sepgsql - userspace access vector cache

From: Kohei Kaigai <Kohei(dot)Kaigai(at)EMEA(dot)NEC(dot)COM>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Yeb Havinga <yebhavinga(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
Subject: Re: [v9.1] sepgsql - userspace access vector cache
Date: 2011-08-18 17:17:53
Message-ID: D0C1A1F8BF513F469926E6C71461D9EC03EE7F@EX10MBX02.EU.NEC.COM
Lists: pgsql-hackers

> That's lame. I think we need to patch contrib/sepgsql so that it
> fails to build in that case, rather than building and then not
> working.
>
It might be the following fix, but I have no idea how to generate an error when $(with_selinux) != "yes" in the makefile.

diff --git a/contrib/sepgsql/Makefile b/contrib/sepgsql/Makefile
index 7f997ee..fec4f1a 100644
--- a/contrib/sepgsql/Makefile
+++ b/contrib/sepgsql/Makefile
@@ -19,6 +19,12 @@ include $(top_builddir)/src/Makefile.global
include $(top_srcdir)/contrib/contrib-global.mk
endif

+ifneq ($(with_selinux),yes)
+##
+## Error generation
+##
+endif
+
SHLIB_LINK += $(filter -lselinux, $(LIBS))
REGRESS_OPTS += --launcher $(top_builddir)/contrib/sepgsql/launcher
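
Review bot: the body of the `ifneq ($(with_selinux),yes)` block holds only comments, so a tree configured without --with-selinux still builds sepgsql.so and fails only at load time, with the undefined getpeercon_raw symbol shown in the quoted report. GNU make's built-in error function fits here, for example `$(error sepgsql requires configure --with-selinux)` (the message wording is only a suggestion). Because it fires while the makefile is parsed, it would also abort targets such as clean in this directory, so consider guarding it on $(MAKECMDGOALS) if those targets must keep working.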

--
NEC Europe Ltd, SAP Global Competence Center
KaiGai Kohei <kohei(dot)kaigai(at)emea(dot)nec(dot)com>

> -----Original Message-----
> From: Robert Haas [mailto:robertmhaas(at)gmail(dot)com]
> Sent: 18. August 2011 17:53
> To: Kohei Kaigai
> Cc: Yeb Havinga; PgHacker; Kohei KaiGai
> Subject: Re: [HACKERS] [v9.1] sepgsql - userspace access vector cache
>
> On Thu, Aug 18, 2011 at 12:46 PM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> > On Thu, Jul 21, 2011 at 5:29 AM, Kohei Kaigai <Kohei(dot)Kaigai(at)emea(dot)nec(dot)com> wrote:
> >> The attached patch is the revised userspace-avc patch.
> >>
> >> List of updates:
> >> - The GUC of sepgsql.avc_threshold was removed.
> >> - "char *ucontext" of avc_cache was replaced by "bool tcontext_is_valid".
> >> - Comments were added to static variables.
> >> - Comments of sepgsql_avc_unlabeled() were revised.
> >> - Comments of sepgsql_avc_compute() were simplified.
> >> - Comments of sepgsql_avc_check_perms_label() also mention the
> >>  permissive domain, which performs similarly to the system's permissive mode.
> >> - selinux_status_close() is now invoked on the on_proc_exit() hook.
> >
> > I tried to give this a test drive today but got stuck.  I got sepgsql
> > compiled OK, but look what happens when I try to start the server:
> >
> > [rhaas(at)f15selinux ~]$ postgres
> > FATAL:  could not load library
> > "/home/rhaas/project/lib/postgresql/sepgsql.so":
> > /home/rhaas/project/lib/postgresql/sepgsql.so: undefined symbol:
> > getpeercon_raw
> >
> > This is Fedora 15, with all available updates applied.
>
> Oh. Apparently, this is what happens when you try to build sepgsql
> without passing --with-selinux to configure.
>
> That's lame. I think we need to patch contrib/sepgsql so that it
> fails to build in that case, rather than building and then not
> working.
>
> --
> Robert Haas
> EnterpriseDB: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
