2015-03-12 1:27 GMT+09:00 Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>:
> Robert Haas wrote:
>> On Tue, Mar 10, 2015 at 6:58 PM, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> wrote:
>> > ERRCODE_FEATURE_NOT_SUPPORTED is suitable error code here.
>> > Please see the attached one.
>>
>> Committed. I did not bother back-patching this, but I can do that if
>> people think it's important.
>
> I don't really care myself.
>
>> The sepgsql regression tests don't seem
>> to pass for me any more; I wonder if some expected-output changes are
>> needed as a result of core changes.
>> I'm guessing these tests are not running in an automated fashion anywhere?
>
> Oops, that's bad. I vaguely recall asking someone for a buildfarm
> animal running these tests, but I guess that didn't happen.
>
This regression test fail come from the base security policy of selinux.
In the recent selinux-policy package, "unconfined" domain was changed
to have unrestricted permission as literal. So, this test case relies multi-
category policy restricts unconfined domain, but its assumption is not
correct now.
The attached patch fixes the policy module of regression test.
However, I also think we may stop to rely permission set of pre-defined
selinux domains. Instead of pre-defined one, sepgsql-regtest.te may be
ought to define own domain with appropriate permission set independent
from the base selinux-policy version.
Please give me time to investigate.
Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>