Hannu Krosing wrote:
> On Tue, 2009-03-10 at 09:56 +0900, KaiGai Kohei wrote:
>> Joshua D. Drake wrote:
> ...
>>> Is there any possibility of having it be enabled at compile time? The
>>> default would be know but those distributions that would like to make
>>> use of it could?
>> It was the design a half year ago, but Bruce suggested me a certain
>> feature should not be enabled/disabled by compile time options,
>> except for library/platform dependency.
>>
>> In addition, he also suggested
>> a feature should be turned on/off by configuration option, because of
>> it enables to distribute a single binary for more wider users.
>>
>> SE-PostgreSQL need the libselinux to communicate the in-kernel SELinux.
>> So, --enable-selinux is necessary on compile time, it is fair enough.
>> If we omit it, all the sepgsqlXXXX() invocations are replaced by empty
>> macros.
>
> seems ok.
>
> Another option to disable it would be something similar to how we
> currently handle DTrace ?
DTrace uses Makefile to hack it.
I don't think it is a good example for me.
[src/backend/utils/Makefile]
probes.h: probes.d
ifeq ($(enable_dtrace), yes)
$(DTRACE) -C -h -s $< -o $...@.tmp
sed -e 's/POSTGRESQL_/TRACE_POSTGRESQL_/g' $...@.tmp >$@
rm $...@.tmp
else
sed -f $(srcdir)/Gen_dummy_probes.sed $< >$@
endif
Another example:
* POSIX fadvise
It puts #ifdef ... #endif block inside the functions, so it means
caller invokes an empty functions when POSIX fadvise is disabled.
int
FilePrefetch(File file, off_t offset, int amount)
{
#if defined(USE_POSIX_FADVISE) && defined(POSIX_FADV_WILLNEED)
int returnCode;
Assert(FileIsValid(file));
[snip]
return returnCode;
#else
Assert(FileIsValid(file));
return 0;
#endif
}
* LDAP
It put #ifdef .. #endif block both of implementations and caller
side, but the number of blocks are quite small.
Basically, I think many of #ifdef ... #endif blocks are noisy, so
the current manner (using empty macro) can keep the code clean.
But, I'll follows the manner if we have anything in this situation.
>> If we compile it with --enable-selinux, it has two working modes
>> controled by a guc option: sepostgresql (bool).
>> If it is disabled, all the sepgsqlXXXX() invocations returns at
>> the head of themself without doing anything.
>>
>> I believe this behavior follows the previous suggestion.
>
> Have you been able to measure any speed difference between
> --enable-selinux on and off ?
I don't have measurement on the current revision, so please wait for
a while to get it measured.
Previous measurement includes effects in row-level access controls:
http://kaigai.sblo.jp/article/20303941.html (01 Oct 2008)
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kai...@ak.jp.nec.com>
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
