Robert Haas wrote:
On Tue, Sep 27, 2011 at 6:30 PM, Tom Lane<>  wrote:

If I have to break up the recipe with annotations like "run this part as
root" and then "these commands no longer need root", I don't think
that's going to be an improvement over either of the above.

Fair enough, I'm not going to get bent out of shape about it.  There's
some aesthetic value in the way you're proposing, and anyone who is
doing this ought to know enough to make the details of how you write
it out mostly irrelevant.

Long term a better option may be to use mocking to test policy enforcement without modifying the system policy.

I've used test-dept <> on a couple projects and while it is a huge pain to get up and running it is very nice for mocking outside code (in this case libselinux calls) and getting predictable output to test your functionality. It would also let you run the tests on a non-SELinux system.

There are other c mocking frameworks, this is just the one I have experience with. test-dept might not be suitable for Postgres because it uses arch-specific awk scripts to munge symbol tables, and only supports x86, x86_64 and sparc right now.

Sent via pgsql-hackers mailing list (
To make changes to your subscription:

Reply via email to