I've been trying to figure out selinux with sepgsql (which is proving quite difficult as there is an almost total lack of documentation/blogs etc. on the topic) and ran into an issue. Whilst my system had selinux in enforcing mode, I mistakenly had sepgsql in permissive mode. I created a table and restricted access to one column to regular users using the label system_u:object_r:sepgsql_secret_table_t:s0. Because sepgsql was in permissive mode, my test user could still access the restricted column.
That's very confusing, because the norm in selinux is to log denials as if the system were in enforcing mode, but then allow the action to proceed anyway, when in permissive mode. For example, log entries such as this are created when my restricted user tries to run an executable from /tmp after running "setsebool -P user_exec_content off":
The point being to let the admin know what would fail if the system were switched to enforcing mode. Whilst that wasn't the point of what I was trying to do, such a message would have indicated to me that I was in permissive mode without realising.
It seems to me that sepgsql should also log the denial, but flag that permissive mode is on.
