Re: contrib/sepgsql regression tests are a no-go
From | Joshua Brindle |
---|---|
Subject | Re: contrib/sepgsql regression tests are a no-go |
Date | |
Msg-id | 4E87BA7D.3010609@manicmethod.com |
In reply to | Re: contrib/sepgsql regression tests are a no-go (Robert Haas <robertmhaas@gmail.com>) |
List | pgsql-hackers |

Robert Haas wrote:
> On Tue, Sep 27, 2011 at 6:30 PM, Tom Lane<tgl@sss.pgh.pa.us> wrote:
<snip>
>>
>> If I have to break up the recipe with annotations like "run this part as
>> root" and then "these commands no longer need root", I don't think
>> that's going to be an improvement over either of the above.
>
> Fair enough, I'm not going to get bent out of shape about it. There's
> some aesthetic value in the way you're proposing, and anyone who is
> doing this ought to know enough to make the details of how you write
> it out mostly irrelevant.
>

Long term a better option may be to use mocking to test policy enforcement without modifying the system policy. I've used test-dept <http://code.google.com/p/test-dept/> on a couple projects and while it is a huge pain to get up and running it is very nice for mocking outside code (in this case libselinux calls) and getting predictable output to test your functionality. It would also let you run the tests on a non-SELinux system.

There are other C mocking frameworks; this is just the one I have experience with. test-dept might not be suitable for Postgres because it uses arch-specific awk scripts to munge symbol tables, and only supports x86, x86_64 and sparc right now.
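
An added illustration of the mocking idea in the message above; it is not code from the thread, from sepgsql, or from test-dept. It uses plain link-time substitution instead of test-dept's symbol-table rewriting: the test binary defines its own `selinux_check_access()` with the libselinux signature, so a hypothetical caller, `table_access_allowed()`, can be tested without SELinux. The contexts and the one-rule policy are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* One allowed (subject, object, class, permission) tuple in the mock policy. */
struct mock_rule { const char *scon, *tcon, *tclass, *perm; };

/* Constructed sample policy; not taken from any real sepgsql policy module. */
static const struct mock_rule mock_policy[] = {
    { "user_u:user_r:user_t:s0", "system_u:object_r:sepgsql_table_t:s0",
      "db_table", "select" },
};

static int mock_calls; /* number of access checks the code under test made */

/* Mock with the same signature as libselinux's selinux_check_access().
 * Linked in place of the real library, it answers from mock_policy:
 * 0 when the tuple is listed, otherwise -1 with errno set to EACCES. */
int selinux_check_access(const char *scon, const char *tcon,
                         const char *tclass, const char *perm,
                         void *auditdata)
{
    (void) auditdata;
    mock_calls++;
    for (size_t i = 0; i < sizeof mock_policy / sizeof mock_policy[0]; i++) {
        const struct mock_rule *r = &mock_policy[i];
        if (strcmp(scon, r->scon) == 0 && strcmp(tcon, r->tcon) == 0 &&
            strcmp(tclass, r->tclass) == 0 && strcmp(perm, r->perm) == 0)
            return 0;
    }
    errno = EACCES;
    return -1;
}

/* Hypothetical code under test (an assumption, not a sepgsql function):
 * returns 1 if the client may perform perm on the table, else 0.
 * A missing label is denied without asking the policy (fail closed). */
int table_access_allowed(const char *client_con, const char *table_con,
                         const char *perm)
{
    if (client_con == NULL || table_con == NULL)
        return 0;
    return selinux_check_access(client_con, table_con,
                                "db_table", perm, NULL) == 0;
}
```

Because the mock records each call, a test can also check that the enforcement code consulted the policy exactly when expected, which a run against the live system policy cannot show directly.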