sepgsql

label-based mandatory access control (MAC) based on SELinux security policy.

https://www.postgresql.org/docs/current/sepgsql.html

Overview

Package	Version	Category	License	Language
`sepgsql`	`-`	SEC	PostgreSQL	C

ID	Extension	Bin	Lib	Load	Create	Trust	Reloc	Schema
7960	`sepgsql`	No	Yes	Yes	No	No	No	-

Related	`pg_readonly` `pg_permissions` `set_user` `noset` `pgaudit` `credcheck` `login_hook` `passwordcheck_cracklib`

Version

PG18	PG17	PG16	PG15	PG14
-	-	-	-	-

Install

Note: This is a built-in contrib extension of PostgreSQL

Usage

sepgsql: SELinux label-based mandatory access control for PostgreSQL

sepgsql provides label-based mandatory access control (MAC) based on SELinux security policy. It adds an extra layer of security checking above PostgreSQL’s standard SQL permissions.

Configuration Parameters

Parameter	Default	Description
`sepgsql.permissive`	`off`	Enable permissive mode regardless of system SELinux settings
`sepgsql.debug_audit`	`off`	Force all possible logging regardless of policy

Functions

Function	Returns	Description
`sepgsql_getcon()`	`text`	Get current client security label
`sepgsql_setcon(text)`	`boolean`	Switch client domain to new label (NULL to revert)
`sepgsql_mcstrans_in(text)`	`text`	Translate qualified MLS/MCS range to raw format
`sepgsql_mcstrans_out(text)`	`text`	Translate raw MLS/MCS range to qualified format
`sepgsql_restorecon(text)`	`boolean`	Set initial security labels for all objects in database

Security Labels

Security labels can be assigned to schemas, tables, columns, sequences, views, and functions:

SECURITY LABEL ON COLUMN customer.credit
    IS 'system_u:object_r:sepgsql_secret_table_t:s0';

Dynamic Domain Transitions

SELECT sepgsql_getcon();
-- unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0-s0:c1.c4');
-- t

Trusted Procedures

-- Create function to access sensitive data with masking
CREATE FUNCTION show_credit(int) RETURNS text
    AS 'SELECT regexp_replace(credit, ''-[0-9]+$'', ''-xxxx'', ''g'')
         FROM customer WHERE cid = $1'
    LANGUAGE sql;

-- Mark as trusted procedure
SECURITY LABEL ON FUNCTION show_credit(int)
    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';

Permission Classes

DML operations check: db_table:{select|insert|update|delete} and db_column:{select|update|insert}. DDL operations check: create, drop, setattr, add_name, remove_name. Schema access requires: db_schema:search.

Feedback

Was this page helpful?

Thanks for the feedback! Please let us know how we can improve.

Sorry to hear that. Please let us know how we can improve.

Last Modified 2026-03-12: add pg extension catalog (95749bf)