authorAlvaro Herrera <alvherre@alvh.no-ip.org>2014-12-01 16:12:43 -0300
committerAlvaro Herrera <alvherre@alvh.no-ip.org>2014-12-01 16:12:43 -0300
commitdf761e3cf79db09d602610ee61e51cb378288382 (patch)
tree30781e0286dfc6bcaf6d9b7dcec3a7b940a2a5ed /src
parente09996ff8dee3f70b0a027cffebccef4388ed5b7 (diff)
Move security_label test
Rather than have the core security_label regression test depend on the dummy_seclabel module, have that part of the test be executed by dummy_seclabel itself directly. This simplifies the testing rig a bit; in particular it should silence the problems from the MSVC buildfarm phylum, which haven't yet gotten taught how to install src/test/modules.
Diffstat (limited to 'src')
-rw-r--r--src/test/modules/dummy_seclabel/Makefile2
-rw-r--r--src/test/modules/dummy_seclabel/input/dummy_seclabel.source79
-rw-r--r--src/test/modules/dummy_seclabel/output/dummy_seclabel.source87
-rw-r--r--src/test/regress/GNUmakefile16
-rw-r--r--src/test/regress/expected/security_label.out47
-rw-r--r--src/test/regress/input/security_label.source108
-rw-r--r--src/test/regress/output/security_label.source123
-rw-r--r--src/test/regress/sql/security_label.sql49
8 files changed, 268 insertions, 243 deletions
diff --git a/src/test/modules/dummy_seclabel/Makefile b/src/test/modules/dummy_seclabel/Makefile
index 909ac9ace72..41f50cc41ee 100644
--- a/src/test/modules/dummy_seclabel/Makefile
+++ b/src/test/modules/dummy_seclabel/Makefile
@@ -3,6 +3,8 @@
MODULES = dummy_seclabel
PGFILEDESC = "dummy_seclabel - regression testing of the SECURITY LABEL statement"
+REGRESS = dummy_seclabel
+
ifdef USE_PGXS
PG_CONFIG = pg_config
PGXS := $(shell $(PG_CONFIG) --pgxs)
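Review bot: Nothing visible in this hunk cleans up the files that `REGRESS = dummy_seclabel` will cause to be generated. Because the test is shipped as `input/` and `output/` `.source` templates, pg_regress writes `sql/dummy_seclabel.sql` and `expected/dummy_seclabel.out` into this directory at test time. The rest of the Makefile is outside the hunk; if it does not already handle this, consider adding `EXTRA_CLEAN = sql/dummy_seclabel.sql expected/dummy_seclabel.out` so `make clean` leaves the tree pristine. It is also worth confirming that the `sql/` and `expected/` directories exist in the module.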
diff --git a/src/test/modules/dummy_seclabel/input/dummy_seclabel.source b/src/test/modules/dummy_seclabel/input/dummy_seclabel.source
new file mode 100644
index 00000000000..d39ce88aee9
--- /dev/null
+++ b/src/test/modules/dummy_seclabel/input/dummy_seclabel.source
@@ -0,0 +1,79 @@
+--
+-- Test for facilities of security label
+--
+LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
+
+-- initial setups
+SET client_min_messages TO 'warning';
+
+DROP ROLE IF EXISTS dummy_seclabel_user1;
+DROP ROLE IF EXISTS dummy_seclabel_user2;
+
+DROP TABLE IF EXISTS dummy_seclabel_tbl1;
+DROP TABLE IF EXISTS dummy_seclabel_tbl2;
+DROP TABLE IF EXISTS dummy_seclabel_tbl3;
+
+CREATE USER dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER dummy_seclabel_user2;
+
+CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
+CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
+CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
+CREATE FUNCTION dummy_seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN dummy_seclabel_domain AS text;
+
+ALTER TABLE dummy_seclabel_tbl1 OWNER TO dummy_seclabel_user1;
+ALTER TABLE dummy_seclabel_tbl2 OWNER TO dummy_seclabel_user2;
+
+RESET client_min_messages;
+
+--
+-- Test of SECURITY LABEL statement with a plugin
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified'; -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified'; -- fail
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...'; -- fail
+SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- fail
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret'; -- fail (not superuser)
+SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified'; -- fail (not found)
+
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- fail
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified'; -- OK
+
+--
+-- Test for shared database object
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'classified'; -- OK
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS '...invalid label...'; -- fail
+SECURITY LABEL FOR 'dummy' ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON ROLE dummy_seclabel_user1 IS 'unclassified'; -- fail
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'secret'; -- fail (not superuser)
+SECURITY LABEL ON ROLE dummy_seclabel_user3 IS 'unclassified'; -- fail (not found)
+
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- fail (not privileged)
+
+RESET SESSION AUTHORIZATION;
+
+--
+-- Test for various types of object
+--
+RESET SESSION AUTHORIZATION;
+
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'top secret'; -- OK
+SECURITY LABEL ON VIEW dummy_seclabel_view1 IS 'classified'; -- OK
+SECURITY LABEL ON FUNCTION dummy_seclabel_four() IS 'classified'; -- OK
+SECURITY LABEL ON DOMAIN dummy_seclabel_domain IS 'classified'; -- OK
+CREATE SCHEMA dummy_seclabel_test;
+SECURITY LABEL ON SCHEMA dummy_seclabel_test IS 'unclassified'; -- OK
+
+SELECT objtype, objname, provider, label FROM pg_seclabels
+ ORDER BY objtype, objname;
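Review bot: The moved test stops at the first `pg_seclabels` query and drops both the "clean up objects" block and the final "make sure we don't have any leftovers" query that the deleted src/test/regress/input/security_label.source carried. In the files this commit shows, that final query was the only assertion that dropping a labelled object also removes its label, including the labels on roles, which are shared objects. The core test cannot cover this any more because it never loads a provider. The roles `dummy_seclabel_user1` (created `WITH CREATEROLE`) and `dummy_seclabel_user2` are also left behind, which matters if the test is run against an existing cluster. I would append the cleanup and the leftover check below, and add the matching lines, ending in `(0 rows)`, to output/dummy_seclabel.source.

```sql
-- … unchanged: setup and SECURITY LABEL tests through the first pg_seclabels query …

-- clean up objects
DROP FUNCTION dummy_seclabel_four();
DROP DOMAIN dummy_seclabel_domain;
DROP VIEW dummy_seclabel_view1;
DROP TABLE dummy_seclabel_tbl1;
DROP TABLE dummy_seclabel_tbl2;
DROP USER dummy_seclabel_user1;
DROP USER dummy_seclabel_user2;
DROP SCHEMA dummy_seclabel_test;

-- make sure we don't have any leftovers
SELECT objtype, objname, provider, label FROM pg_seclabels
  ORDER BY objtype, objname;
```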
diff --git a/src/test/modules/dummy_seclabel/output/dummy_seclabel.source b/src/test/modules/dummy_seclabel/output/dummy_seclabel.source
new file mode 100644
index 00000000000..8275764cb9c
--- /dev/null
+++ b/src/test/modules/dummy_seclabel/output/dummy_seclabel.source
@@ -0,0 +1,87 @@
+--
+-- Test for facilities of security label
+--
+LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
+-- initial setups
+SET client_min_messages TO 'warning';
+DROP ROLE IF EXISTS dummy_seclabel_user1;
+DROP ROLE IF EXISTS dummy_seclabel_user2;
+DROP TABLE IF EXISTS dummy_seclabel_tbl1;
+DROP TABLE IF EXISTS dummy_seclabel_tbl2;
+DROP TABLE IF EXISTS dummy_seclabel_tbl3;
+CREATE USER dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER dummy_seclabel_user2;
+CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
+CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
+CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
+CREATE FUNCTION dummy_seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN dummy_seclabel_domain AS text;
+ALTER TABLE dummy_seclabel_tbl1 OWNER TO dummy_seclabel_user1;
+ALTER TABLE dummy_seclabel_tbl2 OWNER TO dummy_seclabel_user2;
+RESET client_min_messages;
+--
+-- Test of SECURITY LABEL statement with a plugin
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified'; -- OK
+SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified'; -- fail
+ERROR: column name must be qualified
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...'; -- fail
+ERROR: '...invalid label...' is not a valid security label
+SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- fail
+ERROR: security label provider "unknown_seclabel" is not loaded
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
+ERROR: must be owner of relation dummy_seclabel_tbl2
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret'; -- fail (not superuser)
+ERROR: only superuser can set 'secret' label
+SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified'; -- fail (not found)
+ERROR: relation "dummy_seclabel_tbl3" does not exist
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- fail
+ERROR: must be owner of relation dummy_seclabel_tbl1
+SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified'; -- OK
+--
+-- Test for shared database object
+--
+SET SESSION AUTHORIZATION dummy_seclabel_user1;
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'classified'; -- OK
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS '...invalid label...'; -- fail
+ERROR: '...invalid label...' is not a valid security label
+SECURITY LABEL FOR 'dummy' ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- OK
+SECURITY LABEL FOR 'unknown_seclabel' ON ROLE dummy_seclabel_user1 IS 'unclassified'; -- fail
+ERROR: security label provider "unknown_seclabel" is not loaded
+SECURITY LABEL ON ROLE dummy_seclabel_user1 IS 'secret'; -- fail (not superuser)
+ERROR: only superuser can set 'secret' label
+SECURITY LABEL ON ROLE dummy_seclabel_user3 IS 'unclassified'; -- fail (not found)
+ERROR: role "dummy_seclabel_user3" does not exist
+SET SESSION AUTHORIZATION dummy_seclabel_user2;
+SECURITY LABEL ON ROLE dummy_seclabel_user2 IS 'unclassified'; -- fail (not privileged)
+ERROR: must have CREATEROLE privilege
+RESET SESSION AUTHORIZATION;
+--
+-- Test for various types of object
+--
+RESET SESSION AUTHORIZATION;
+SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'top secret'; -- OK
+SECURITY LABEL ON VIEW dummy_seclabel_view1 IS 'classified'; -- OK
+SECURITY LABEL ON FUNCTION dummy_seclabel_four() IS 'classified'; -- OK
+SECURITY LABEL ON DOMAIN dummy_seclabel_domain IS 'classified'; -- OK
+CREATE SCHEMA dummy_seclabel_test;
+SECURITY LABEL ON SCHEMA dummy_seclabel_test IS 'unclassified'; -- OK
+SELECT objtype, objname, provider, label FROM pg_seclabels
+ ORDER BY objtype, objname;
+ objtype | objname | provider | label
+----------+-----------------------+----------+--------------
+ column | dummy_seclabel_tbl1.a | dummy | unclassified
+ domain | dummy_seclabel_domain | dummy | classified
+ function | dummy_seclabel_four() | dummy | classified
+ role | dummy_seclabel_user1 | dummy | classified
+ role | dummy_seclabel_user2 | dummy | unclassified
+ schema | dummy_seclabel_test | dummy | unclassified
+ table | dummy_seclabel_tbl1 | dummy | top secret
+ table | dummy_seclabel_tbl2 | dummy | classified
+ view | dummy_seclabel_view1 | dummy | classified
+(9 rows)
+
diff --git a/src/test/regress/GNUmakefile b/src/test/regress/GNUmakefile
index 77fe8b620d4..1832eccbd9c 100644
--- a/src/test/regress/GNUmakefile
+++ b/src/test/regress/GNUmakefile
@@ -101,9 +101,9 @@ installdirs-tests: installdirs
$(MKDIR_P) $(patsubst $(srcdir)/%/,'$(DESTDIR)$(pkglibdir)/regress/%',$(sort $(dir $(regress_data_files))))
-# Get some extra C modules from contrib/spi and src/test/modules/dummy_seclabel...
+# Get some extra C modules from contrib/spi
-all: refint$(DLSUFFIX) autoinc$(DLSUFFIX) dummy_seclabel$(DLSUFFIX)
+all: refint$(DLSUFFIX) autoinc$(DLSUFFIX)
refint$(DLSUFFIX): $(top_builddir)/contrib/spi/refint$(DLSUFFIX)
cp $< $@
@@ -111,22 +111,14 @@ refint$(DLSUFFIX): $(top_builddir)/contrib/spi/refint$(DLSUFFIX)
autoinc$(DLSUFFIX): $(top_builddir)/contrib/spi/autoinc$(DLSUFFIX)
cp $< $@
-dummy_seclabel$(DLSUFFIX): $(top_builddir)/src/test/modules/dummy_seclabel/dummy_seclabel$(DLSUFFIX)
- cp $< $@
-
$(top_builddir)/contrib/spi/refint$(DLSUFFIX): | submake-contrib-spi ;
$(top_builddir)/contrib/spi/autoinc$(DLSUFFIX): | submake-contrib-spi ;
-$(top_builddir)/src/test/modules/dummy_seclabel/dummy_seclabel$(DLSUFFIX): | submake-dummy_seclabel ;
-
submake-contrib-spi:
$(MAKE) -C $(top_builddir)/contrib/spi
-submake-dummy_seclabel:
- $(MAKE) -C $(top_builddir)/src/test/modules/dummy_seclabel
-
-.PHONY: submake-contrib-spi submake-dummy_seclabel
+.PHONY: submake-contrib-spi
# Tablespace setup
@@ -179,7 +171,7 @@ bigcheck: all tablespace-setup
clean distclean maintainer-clean: clean-lib
# things built by `all' target
- rm -f $(OBJS) refint$(DLSUFFIX) autoinc$(DLSUFFIX) dummy_seclabel$(DLSUFFIX)
+ rm -f $(OBJS) refint$(DLSUFFIX) autoinc$(DLSUFFIX)
rm -f pg_regress_main.o pg_regress.o pg_regress$(X)
# things created by various check targets
rm -f $(output_files) $(input_files)
diff --git a/src/test/regress/expected/security_label.out b/src/test/regress/expected/security_label.out
new file mode 100644
index 00000000000..10b062a355e
--- /dev/null
+++ b/src/test/regress/expected/security_label.out
@@ -0,0 +1,47 @@
+--
+-- Test for facilities of security label
+--
+-- initial setups
+SET client_min_messages TO 'warning';
+DROP ROLE IF EXISTS seclabel_user1;
+DROP ROLE IF EXISTS seclabel_user2;
+DROP TABLE IF EXISTS seclabel_tbl1;
+DROP TABLE IF EXISTS seclabel_tbl2;
+DROP TABLE IF EXISTS seclabel_tbl3;
+CREATE USER seclabel_user1 WITH CREATEROLE;
+CREATE USER seclabel_user2;
+CREATE TABLE seclabel_tbl1 (a int, b text);
+CREATE TABLE seclabel_tbl2 (x int, y text);
+CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
+CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN seclabel_domain AS text;
+ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
+ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
+RESET client_min_messages;
+--
+-- Test of SECURITY LABEL statement without a plugin
+--
+SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
+ERROR: security label provider "dummy" is not loaded
+SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
+ERROR: security label provider "dummy" is not loaded
+SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
+ERROR: no security label providers have been loaded
+SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
+ERROR: no security label providers have been loaded
+-- clean up objects
+DROP FUNCTION seclabel_four();
+DROP DOMAIN seclabel_domain;
+DROP VIEW seclabel_view1;
+DROP TABLE seclabel_tbl1;
+DROP TABLE seclabel_tbl2;
+DROP USER seclabel_user1;
+DROP USER seclabel_user2;
diff --git a/src/test/regress/input/security_label.source b/src/test/regress/input/security_label.source
deleted file mode 100644
index 287dd76ead1..00000000000
--- a/src/test/regress/input/security_label.source
+++ /dev/null
@@ -1,108 +0,0 @@
---
--- Test for facilities of security label
---
-
--- initial setups
-SET client_min_messages TO 'warning';
-
-DROP ROLE IF EXISTS seclabel_user1;
-DROP ROLE IF EXISTS seclabel_user2;
-
-DROP TABLE IF EXISTS seclabel_tbl1;
-DROP TABLE IF EXISTS seclabel_tbl2;
-DROP TABLE IF EXISTS seclabel_tbl3;
-
-CREATE USER seclabel_user1 WITH CREATEROLE;
-CREATE USER seclabel_user2;
-
-CREATE TABLE seclabel_tbl1 (a int, b text);
-CREATE TABLE seclabel_tbl2 (x int, y text);
-CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
-CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
-CREATE DOMAIN seclabel_domain AS text;
-
-ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
-ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
-
-RESET client_min_messages;
-
---
--- Test of SECURITY LABEL statement without a plugin
---
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
-
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
-
--- Load dummy external security provider
-LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
-
---
--- Test of SECURITY LABEL statement with a plugin
---
-SET SESSION AUTHORIZATION seclabel_user1;
-
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1.a IS 'unclassified'; -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1 IS 'unclassified'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'unclassified'; -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'secret'; -- fail (not superuser)
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail (not found)
-
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'unclassified'; -- fail
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'classified'; -- OK
-
---
--- Test for shared database object
---
-SET SESSION AUTHORIZATION seclabel_user1;
-
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- OK
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user2 IS 'unclassified'; -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON ROLE seclabel_user1 IS 'unclassified'; -- fail
-SECURITY LABEL ON ROLE seclabel_user1 IS 'secret'; -- fail (not superuser)
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail (not found)
-
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON ROLE seclabel_user2 IS 'unclassified'; -- fail (not privileged)
-
-RESET SESSION AUTHORIZATION;
-
---
--- Test for various types of object
---
-RESET SESSION AUTHORIZATION;
-
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'top secret'; -- OK
-SECURITY LABEL ON VIEW seclabel_view1 IS 'classified'; -- OK
-SECURITY LABEL ON FUNCTION seclabel_four() IS 'classified'; -- OK
-SECURITY LABEL ON DOMAIN seclabel_domain IS 'classified'; -- OK
-CREATE SCHEMA seclabel_test;
-SECURITY LABEL ON SCHEMA seclabel_test IS 'unclassified'; -- OK
-
-SELECT objtype, objname, provider, label FROM pg_seclabels
- ORDER BY objtype, objname;
-
--- clean up objects
-DROP FUNCTION seclabel_four();
-DROP DOMAIN seclabel_domain;
-DROP VIEW seclabel_view1;
-DROP TABLE seclabel_tbl1;
-DROP TABLE seclabel_tbl2;
-DROP USER seclabel_user1;
-DROP USER seclabel_user2;
-DROP SCHEMA seclabel_test;
-
--- make sure we don't have any leftovers
-SELECT objtype, objname, provider, label FROM pg_seclabels
- ORDER BY objtype, objname;
diff --git a/src/test/regress/output/security_label.source b/src/test/regress/output/security_label.source
deleted file mode 100644
index 0e202446ab6..00000000000
--- a/src/test/regress/output/security_label.source
+++ /dev/null
@@ -1,123 +0,0 @@
---
--- Test for facilities of security label
---
--- initial setups
-SET client_min_messages TO 'warning';
-DROP ROLE IF EXISTS seclabel_user1;
-DROP ROLE IF EXISTS seclabel_user2;
-DROP TABLE IF EXISTS seclabel_tbl1;
-DROP TABLE IF EXISTS seclabel_tbl2;
-DROP TABLE IF EXISTS seclabel_tbl3;
-CREATE USER seclabel_user1 WITH CREATEROLE;
-CREATE USER seclabel_user2;
-CREATE TABLE seclabel_tbl1 (a int, b text);
-CREATE TABLE seclabel_tbl2 (x int, y text);
-CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
-CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
-CREATE DOMAIN seclabel_domain AS text;
-ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
-ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
-RESET client_min_messages;
---
--- Test of SECURITY LABEL statement without a plugin
---
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-ERROR: security label provider "dummy" is not loaded
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
-ERROR: security label provider "dummy" is not loaded
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
-ERROR: no security label providers have been loaded
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
-ERROR: no security label providers have been loaded
--- Load dummy external security provider
-LOAD '@libdir@/dummy_seclabel@DLSUFFIX@';
---
--- Test of SECURITY LABEL statement with a plugin
---
-SET SESSION AUTHORIZATION seclabel_user1;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1.a IS 'unclassified'; -- OK
-SECURITY LABEL ON COLUMN seclabel_tbl1 IS 'unclassified'; -- fail
-ERROR: column name must be qualified
-SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
-ERROR: '...invalid label...' is not a valid security label
-SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'unclassified'; -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
-ERROR: security label provider "unknown_seclabel" is not loaded
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
-ERROR: must be owner of relation seclabel_tbl2
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'secret'; -- fail (not superuser)
-ERROR: only superuser can set 'secret' label
-SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail (not found)
-ERROR: relation "seclabel_tbl3" does not exist
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'unclassified'; -- fail
-ERROR: must be owner of relation seclabel_tbl1
-SECURITY LABEL ON TABLE seclabel_tbl2 IS 'classified'; -- OK
---
--- Test for shared database object
---
-SET SESSION AUTHORIZATION seclabel_user1;
-SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- OK
-SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
-ERROR: '...invalid label...' is not a valid security label
-SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user2 IS 'unclassified'; -- OK
-SECURITY LABEL FOR 'unknown_seclabel' ON ROLE seclabel_user1 IS 'unclassified'; -- fail
-ERROR: security label provider "unknown_seclabel" is not loaded
-SECURITY LABEL ON ROLE seclabel_user1 IS 'secret'; -- fail (not superuser)
-ERROR: only superuser can set 'secret' label
-SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail (not found)
-ERROR: role "seclabel_user3" does not exist
-SET SESSION AUTHORIZATION seclabel_user2;
-SECURITY LABEL ON ROLE seclabel_user2 IS 'unclassified'; -- fail (not privileged)
-ERROR: must have CREATEROLE privilege
-RESET SESSION AUTHORIZATION;
---
--- Test for various types of object
---
-RESET SESSION AUTHORIZATION;
-SECURITY LABEL ON TABLE seclabel_tbl1 IS 'top secret'; -- OK
-SECURITY LABEL ON VIEW seclabel_view1 IS 'classified'; -- OK
-SECURITY LABEL ON FUNCTION seclabel_four() IS 'classified'; -- OK
-SECURITY LABEL ON DOMAIN seclabel_domain IS 'classified'; -- OK
-CREATE SCHEMA seclabel_test;
-SECURITY LABEL ON SCHEMA seclabel_test IS 'unclassified'; -- OK
-SELECT objtype, objname, provider, label FROM pg_seclabels
- ORDER BY objtype, objname;
- objtype | objname | provider | label
-----------+-----------------+----------+--------------
- column | seclabel_tbl1.a | dummy | unclassified
- domain | seclabel_domain | dummy | classified
- function | seclabel_four() | dummy | classified
- role | seclabel_user1 | dummy | classified
- role | seclabel_user2 | dummy | unclassified
- schema | seclabel_test | dummy | unclassified
- table | seclabel_tbl1 | dummy | top secret
- table | seclabel_tbl2 | dummy | classified
- view | seclabel_view1 | dummy | classified
-(9 rows)
-
--- clean up objects
-DROP FUNCTION seclabel_four();
-DROP DOMAIN seclabel_domain;
-DROP VIEW seclabel_view1;
-DROP TABLE seclabel_tbl1;
-DROP TABLE seclabel_tbl2;
-DROP USER seclabel_user1;
-DROP USER seclabel_user2;
-DROP SCHEMA seclabel_test;
--- make sure we don't have any leftovers
-SELECT objtype, objname, provider, label FROM pg_seclabels
- ORDER BY objtype, objname;
- objtype | objname | provider | label
----------+---------+----------+-------
-(0 rows)
-
diff --git a/src/test/regress/sql/security_label.sql b/src/test/regress/sql/security_label.sql
new file mode 100644
index 00000000000..7f545896ef5
--- /dev/null
+++ b/src/test/regress/sql/security_label.sql
@@ -0,0 +1,49 @@
+--
+-- Test for facilities of security label
+--
+
+-- initial setups
+SET client_min_messages TO 'warning';
+
+DROP ROLE IF EXISTS seclabel_user1;
+DROP ROLE IF EXISTS seclabel_user2;
+
+DROP TABLE IF EXISTS seclabel_tbl1;
+DROP TABLE IF EXISTS seclabel_tbl2;
+DROP TABLE IF EXISTS seclabel_tbl3;
+
+CREATE USER seclabel_user1 WITH CREATEROLE;
+CREATE USER seclabel_user2;
+
+CREATE TABLE seclabel_tbl1 (a int, b text);
+CREATE TABLE seclabel_tbl2 (x int, y text);
+CREATE VIEW seclabel_view1 AS SELECT * FROM seclabel_tbl2;
+CREATE FUNCTION seclabel_four() RETURNS integer AS $$SELECT 4$$ language sql;
+CREATE DOMAIN seclabel_domain AS text;
+
+ALTER TABLE seclabel_tbl1 OWNER TO seclabel_user1;
+ALTER TABLE seclabel_tbl2 OWNER TO seclabel_user2;
+
+RESET client_min_messages;
+
+--
+-- Test of SECURITY LABEL statement without a plugin
+--
+SECURITY LABEL ON TABLE seclabel_tbl1 IS 'classified'; -- fail
+SECURITY LABEL FOR 'dummy' ON TABLE seclabel_tbl1 IS 'classified'; -- fail
+SECURITY LABEL ON TABLE seclabel_tbl1 IS '...invalid label...'; -- fail
+SECURITY LABEL ON TABLE seclabel_tbl3 IS 'unclassified'; -- fail
+
+SECURITY LABEL ON ROLE seclabel_user1 IS 'classified'; -- fail
+SECURITY LABEL FOR 'dummy' ON ROLE seclabel_user1 IS 'classified'; -- fail
+SECURITY LABEL ON ROLE seclabel_user1 IS '...invalid label...'; -- fail
+SECURITY LABEL ON ROLE seclabel_user3 IS 'unclassified'; -- fail
+
+-- clean up objects
+DROP FUNCTION seclabel_four();
+DROP DOMAIN seclabel_domain;
+DROP VIEW seclabel_view1;
+DROP TABLE seclabel_tbl1;
+DROP TABLE seclabel_tbl2;
+DROP USER seclabel_user1;
+DROP USER seclabel_user2;
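Review bot: The section header `-- Test of SECURITY LABEL statement without a plugin` no longer tells a reader where the provider-backed cases went. I would add a comment under it such as `-- Tests that need a label provider loaded live in src/test/modules/dummy_seclabel.` Every `-- fail` here passes only because no provider is loaded, so the expected errors presumably differ when the suite is run against a server that preloads one; a short comment stating that assumption would help. expected/security_label.out echoes the comments and needs the same lines.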