On Fri, Jul 19, 2019 at 4:29 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
> > We probably need to polish this a bit more, but what do you think
> > about something similar to the attached patches? They should hopefully
> > reduce some of the complexity of running these regression tests.
>
> I can confirm that the 0001 patch fixes things on my Fedora 30 box.
> So that's good, though I don't know enough to evaluate it for style
> or anything like that.
I think the policy is in need of review/rewriting anyway. The proper
thing to do would be to create a common template for all of the
SELinux regtest user domains and create more of a hierarchical policy
to reduce redundancy. If you want to wait for more formal policy
updates, I can do that in my spare time. Otherwise, the patch I posted
should work with the general style of this policy module.
>
> I don't think I like the 0002 patch very much, because of its putting
> all the sudo actions into the script. I'd rather not give a script
> root permissions, thanks. Maybe I'm in the minority on that.
Definitely not. I cringed a little bit as I was making those
additions, but figured it was fine since it's just a test script (and
we have to run `sudo` for various other installation items as well).
> Also, since the documentation explicitly says that the
> /usr/share/selinux/devel/Makefile path is not to be relied on,
> why would we hard-wire it into the script?
>
> A bigger-picture issue is that right now, configuring a cluster for
> sepgsql is a very manual process (cf. section F.35.2). I think there's
> some advantage in forcing the user to run through that before running
> the regression test, namely that they'll get the bugs out of any
> misunderstandings or needed local changes. If we had that a bit more
> automated then maybe having the test script do-it-for-you would be
> sensible. (IOW, the fact that the test process is more like "make
> installcheck" than "make check" seems like a feature not a bug.)
Makes sense to me. Thanks for the feedback!
--
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com