2011/9/26 Tom Lane <tgl@sss.pgh.pa.us>:
> Robert Haas <robertmhaas@gmail.com> writes:
>> On Mon, Sep 26, 2011 at 10:04 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>> Another possibility is to remove the Makefile's knowledge of how to run
>>> the tests, and change chkselinuxenv into something that both verifies
>>> the environment and then launches the tests.
>
>> That's not a bad fix, either.
>
>> I have my doubts about the theory that we'll ever be able to make
>> these regression tests work without some kind of support within the
>> system security policy. The whole point of MAC, for better or for
>> worse, is to make every decision to allow access made anywhere in the
>> system subject to veto by the system security policy. I'd certainly
>> be happy to find out that there's a way to make it work the way you're
>> hoping, but I'm not expecting it. Now maybe you'll say that we should
>> then remove the regression tests altogether, but I don't think that
>> having no regression tests is better than having regression tests that
>> are a pain-in-the-tail to run and most people won't.
>
> The main point I'm on about here is that "make check" must not require
> root privileges. That is absolutely not negotiable (even if it were
> sane from a security standpoint, which is ridiculous anyway). I don't
> think "make installcheck" should require root either, although there
> might possibly be a little more wiggle room there. If it's infeasible
> to test sepgsql usefully without root involvement, then it can't be
> tested within the existing regression test framework. So maybe just
> pushing the issue out to a separate shell script that you can choose
> to invoke by hand is a reasonable compromise.
>
If so, is it an option that contrib/sepgsql/Makefile implement its own
regression test scheme? Even if it requires root/unconfined privilege
to set up test server automatically, it is harmless as long as these
are not launched with regular "make check/installchek".
> BTW, I think this line of argument also casts serious doubt on whether
> REGRESS_PREP is a useful concept at all. I'm more than half tempted to
> revert the patches that added that to the regression test
> infrastructure. Do we still need the --launcher option, either?
>
If contrib/sepgsql/Makefile implements its own tests including environment
checks, I think REGRESS_PREP is fungible. But --launcher option is necessary
to implement test schemes on the pg_regress.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
