normally.
</para>
</sect2>
<sect2 id="sepgsql-regression">
<title>Regression Tests</title>
<para>
The <filename>sepgsql</filename> test suite is run if
<literal>PG_TEST_EXTRA</literal> contains <literal>sepgsql</literal> (see
<xref linkend="regress-additional"/>). This method is suitable during
development of <productname>PostgreSQL</productname>. Alternatively, there
is a way to run the tests to checks whether a database instance has been
set up properly for <literal>sepgsql</literal>.
</para>
<para>
Due to the nature of <productname>SELinux</productname>, running the
regression tests for <filename>sepgsql</filename> requires several extra
configuration steps, some of which must be done as root.
</para>
<para>
The manual tests must be run in the <filename>contrib/sepgsql</filename> directory
of a configured PostgreSQL build tree. Although they require a build tree,
the tests are designed to be executed against an installed server,
that is they are comparable to <literal>make installcheck</literal> not
<literal>make check</literal>.
</para>
<para>
First, set up <filename>sepgsql</filename> in a working database
according to the instructions in <xref linkend="sepgsql-installation"/>.
Note that the current operating system user must be able to connect to the
database as superuser without password authentication.
</para>
<para>
Second, build and install the policy package for the regression test.
The <filename>sepgsql-regtest</filename> policy is a special purpose policy package
which provides a set of rules to be allowed during the regression tests.
It should be built from the policy source file
<filename>sepgsql-regtest.te</filename>, which is done using
<command>make</command> with a Makefile supplied by SELinux.
You will need to locate the appropriate
Makefile on your system; the path shown below is only an example.
(This Makefile is usually supplied by the
<filename>selinux-policy-devel</filename> or
<filename>selinux-policy</filename> RPM.)
Once built, install this policy package using the
<command>semodule</command> command, which loads supplied policy packages
into the kernel. If the package is correctly installed,
<literal><command>semodule</command> -l</literal> should list <literal>sepgsql-regtest</literal> as an
available policy package:
</para>
<screen>
$ cd .../contrib/sepgsql
$ make -f /usr/share/selinux/devel/Makefile
$ sudo semodule -u sepgsql-regtest.pp
$ sudo semodule -l | grep sepgsql
sepgsql-regtest 1.07
</screen>
<para>
Third, turn on <literal>sepgsql_regression_test_mode</literal>.
For security reasons, the rules in <filename>sepgsql-regtest</filename>
are not enabled by default;
the <literal>sepgsql_regression_test_mode</literal> parameter enables
the rules needed to launch the regression tests.
It can be turned on using the <command>setsebool</command> command:
</para>
<screen>
$ sudo setsebool sepgsql_regression_test_mode on
$ getsebool sepgsql_regression_test_mode
sepgsql_regression_test_mode --> on
</screen>
<para>
Fourth, verify your shell is operating in the <literal>unconfined_t</literal>
domain:
</para>
<screen>
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
</screen>
<para>
See <xref linkend="sepgsql-resources"/> for details on adjusting your
working domain, if necessary.
</para>
<para>
Finally, run the regression test script:
</para>
<screen>
$ ./test_sepgsql
</screen>
<para>
This script will attempt to verify that you have done all the configuration
steps correctly, and then it will run the regression tests for the
<filename>sepgsql</filename> module.
</para>
<para>
After completing the tests, it's recommended you disable
the <literal>sepgsql_regression_test_mode</literal> parameter:
</para>
<screen>
$ sudo setsebool sepgsql_regression_test_mode off
</screen>
<para>