sepgsql, an SE-Linux integration for PostgreSQL

This is still pretty rough - among other things, the documentation needs work, and the messages need a visit from the style police - but this gets the basic framework in place. KaiGai Kohei

sepgsql, an SE-Linux integration for PostgreSQL
This is still pretty rough - among other things, the documentation needs work, and the messages need a visit from the style police - but this gets the basic framework in place. KaiGai Kohei
968bc6fa · Robert Haas · e5487f65 · 968bc6fa · 968bc6fa · 968bc6fa
Commit 968bc6fa authored Jan 23, 2011 by Robert Haas
30 changed files
--- a/configure
+++ b/configure
@@ -715,6 +715,7 @@ with_libxslt
 with_libxml
 XML2_CONFIG
 with_ossp_uuid
+with_selinux
 with_openssl
 with_bonjour
 with_ldap
@@ -837,6 +838,7 @@ with_pam
 with_ldap
 with_bonjour
 with_openssl
+with_selinux
 with_readline
 with_libedit_preferred
 with_ossp_uuid
@@ -848,6 +850,7 @@ with_gnu_ld
 enable_largefile
 enable_float4_byval
 enable_float8_byval
+enable_float8_byval
 '
      ac_precious_vars='build_alias
 host_alias
@@ -858,6 +861,7 @@ LDFLAGS
 LIBS
 CPPFLAGS
 CPP
+CPPFLAGS
 LDFLAGS_EX
 LDFLAGS_SL
 DOCBOOKSTYLE'
@@ -1533,6 +1537,7 @@ Optional Packages:
  --with-ldap             build with LDAP support
  --with-bonjour          build with Bonjour support
  --with-openssl          build with OpenSSL support
+  --with-selinux          build with SELinux support
  --without-readline      do not use GNU Readline nor BSD Libedit for editing
  --with-libedit-preferred
                          prefer BSD Libedit over GNU Readline
@@ -5364,6 +5369,40 @@ fi
 $as_echo "$with_openssl" >&6; }


+#
+# SELinux
+#
+{ $as_echo "$as_me:$LINENO: checking whether to build with SELinux support" >&5
+$as_echo_n "checking whether to build with SELinux support... " >&6; }
+
+
+
+# Check whether --with-selinux was given.
+if test "${with_selinux+set}" = set; then
+  withval=$with_selinux;
+  case $withval in
+    yes)
+      :
+      ;;
+    no)
+      :
+      ;;
+    *)
+      { { $as_echo "$as_me:$LINENO: error: no argument expected for --with-selinux option" >&5
+$as_echo "$as_me: error: no argument expected for --with-selinux option" >&2;}
+   { (exit 1); exit 1; }; }
+      ;;
+  esac
+
+else
+  with_selinux=no
+
+fi
+
+
+
+{ $as_echo "$as_me:$LINENO: result: $with_selinux" >&5
+$as_echo "$with_selinux" >&6; }

 #
 # Readline
@@ -9291,6 +9330,89 @@ fi

 fi

+# for contrib/sepgsql
+if test "$with_selinux" = yes; then
+
+{ $as_echo "$as_me:$LINENO: checking for getpeercon_raw in -lselinux" >&5
+$as_echo_n "checking for getpeercon_raw in -lselinux... " >&6; }
+if test "${ac_cv_lib_selinux_getpeercon_raw+set}" = set; then
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lselinux  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char getpeercon_raw ();
+int
+main ()
+{
+return getpeercon_raw ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+	 test "$cross_compiling" = yes ||
+	 $as_test_x conftest$ac_exeext
+       }; then
+  ac_cv_lib_selinux_getpeercon_raw=yes
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_selinux_getpeercon_raw=no
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_getpeercon_raw" >&5
+$as_echo "$ac_cv_lib_selinux_getpeercon_raw" >&6; }
+if test "x$ac_cv_lib_selinux_getpeercon_raw" = x""yes; then
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSELINUX 1
+_ACEOF
+
+  LIBS="-lselinux $LIBS"
+
+else
+  { { $as_echo "$as_me:$LINENO: error: library 'libselinux' is required for SELinux support" >&5
+$as_echo "$as_me: error: library 'libselinux' is required for SELinux support" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+fi
+
 # for contrib/uuid-ossp
 if test "$with_ossp_uuid" = yes ; then
  { $as_echo "$as_me:$LINENO: checking for uuid_export in -lossp-uuid" >&5

--- a/configure.in
+++ b/configure.in
@@ -676,6 +676,13 @@ PGAC_ARG_BOOL(with, openssl, no, [build with OpenSSL support],
 AC_MSG_RESULT([$with_openssl])
 AC_SUBST(with_openssl)

+#
+# SELinux
+#
+AC_MSG_CHECKING([whether to build with SELinux support])
+PGAC_ARG_BOOL(with, selinux, no, [build with SELinux support])
+AC_SUBST(with_selinux)
+AC_MSG_RESULT([$with_selinux])

 #
 # Readline
@@ -948,6 +955,12 @@ if test "$with_libxslt" = yes ; then
  AC_CHECK_LIB(xslt, xsltCleanupGlobals, [], [AC_MSG_ERROR([library 'xslt' is required for XSLT support])])
 fi

+# for contrib/sepgsql
+if test "$with_selinux" = yes; then
+  AC_CHECK_LIB(selinux, getpeercon_raw, [],
+               [AC_MSG_ERROR([library 'libselinux' is required for SELinux support])])
+fi
+
 # for contrib/uuid-ossp
 if test "$with_ossp_uuid" = yes ; then
  AC_CHECK_LIB(ossp-uuid, uuid_export,

--- a/contrib/Makefile
+++ b/contrib/Makefile
@@ -61,6 +61,10 @@ ifeq ($(with_libxml),yes)
 SUBDIRS += xml2
 endif

+ifeq ($(with_selinux),yes)
+SUBDIRS += sepgsql
+endif
+
 # Missing:
 #		start-scripts	\ (does not have a makefile)


--- a/contrib/README
+++ b/contrib/README
@@ -163,6 +163,10 @@ seg -
 	Confidence-interval datatype (GiST indexing example)
 	by Gene Selkov, Jr. <selkovjr@mcs.anl.gov>

+sepgsql -
+	External security provider using SELinux
+	by KaiGai Kohei <kaigai@ak.jp.nec.com>
+
 spi -
 	Various trigger functions, examples for using SPI.


--- a/contrib/sepgsql/.gitignore
+++ b/contrib/sepgsql/.gitignore
+/sepgsql.sql
--- a/contrib/sepgsql/Makefile
+++ b/contrib/sepgsql/Makefile
+# contrib/sepgsql/Makefile
+
+MODULE_big = sepgsql
+OBJS = hooks.o selinux.o label.o dml.o \
+	schema.o relation.o proc.o
+DATA_built = sepgsql.sql sepgsql-regtest.pp
+REGRESS = label dml misc
+EXTRA_CLEAN = -r tmp *.pp sepgsql-regtest.if sepgsql-regtest.fc
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = contrib/sepgsql
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
+
+SHLIB_LINK += $(filter -lselinux, $(LIBS))
+REGRESS_OPTS += --launcher $(top_builddir)/contrib/sepgsql/launcher
+
+sepgsql-regtest.pp: sepgsql-regtest.te
+	$(MAKE) -f $(DESTDIR)/usr/share/selinux/devel/Makefile $@
--- a/contrib/sepgsql/dml.c
+++ b/contrib/sepgsql/dml.c
+/* -------------------------------------------------------------------------
+ *
+ * contrib/sepgsql/dml.c
+ *
+ * Routines to handle DML permission checks
+ *
+ * Copyright (c) 2010-2011, PostgreSQL Global Development Group
+ *
+ * -------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include "access/sysattr.h"
+#include "access/tupdesc.h"
+#include "catalog/catalog.h"
+#include "catalog/heap.h"
+#include "catalog/pg_attribute.h"
+#include "catalog/pg_class.h"
+#include "catalog/pg_inherits_fn.h"
+#include "commands/seclabel.h"
+#include "commands/tablecmds.h"
+#include "executor/executor.h"
+#include "nodes/bitmapset.h"
+#include "utils/lsyscache.h"
+#include "utils/syscache.h"
+
+#include "sepgsql.h"
+
+/*
+ * fixup_whole_row_references
+ *
+ * When user reference a whole of row, it is equivalent to reference to
+ * all the user columns (not system columns). So, we need to fix up the
+ * given bitmapset, if it contains a whole of the row reference.
+ */
+static Bitmapset *
+fixup_whole_row_references(Oid relOid, Bitmapset *columns)
+{
+	Bitmapset  *result;
+	HeapTuple	tuple;
+	AttrNumber	natts;
+	AttrNumber	attno;
+	int			index;
+
+	/* if no whole of row references, do not anything */
+	index = InvalidAttrNumber - FirstLowInvalidHeapAttributeNumber;
+	if (!bms_is_member(index, columns))
+		return columns;
+
+	/* obtain number of attributes */
+	tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(relOid));
+	if (!HeapTupleIsValid(tuple))
+		elog(ERROR, "cache lookup failed for relation %u", relOid);
+	natts = ((Form_pg_class) GETSTRUCT(tuple))->relnatts;
+	ReleaseSysCache(tuple);
+
+	/* fix up the given columns */
+	result = bms_copy(columns);
+	result = bms_del_member(result, index);
+
+	for (attno=1; attno <= natts; attno++)
+	{
+		tuple = SearchSysCache2(ATTNUM,
+								ObjectIdGetDatum(relOid),
+								Int16GetDatum(attno));
+		if (!HeapTupleIsValid(tuple))
+			continue;
+
+		if (((Form_pg_attribute) GETSTRUCT(tuple))->attisdropped)
+			continue;
+
+		index = attno - FirstLowInvalidHeapAttributeNumber;
+
+		result = bms_add_member(result, index);
+
+		ReleaseSysCache(tuple);
+	}
+	return result;
+}
+
+/*
+ * fixup_inherited_columns
+ *
+ * When user is querying on a table with children, it implicitly accesses
+ * child tables also. So, we also need to check security label of child
+ * tables and columns, but here is no guarantee attribute numbers are
+ * same between the parent ans children.
+ * It returns a bitmapset which contains attribute number of the child
+ * table based on the given bitmapset of the parent.
+ */
+static Bitmapset *
+fixup_inherited_columns(Oid parentId, Oid childId, Bitmapset *columns)
+{
+	AttrNumber	attno;
+	Bitmapset  *tmpset;
+	Bitmapset  *result = NULL;
+	char	   *attname;
+	int			index;
+
+	/*
+	 * obviously, no need to do anything here
+	 */
+	if (parentId == childId)
+		return columns;
+
+	tmpset = bms_copy(columns);
+	while ((index = bms_first_member(tmpset)) > 0)
+	{
+		attno = index + FirstLowInvalidHeapAttributeNumber;
+		/*
+		 * whole-row-reference shall be fixed-up later
+		 */
+		if (attno == InvalidAttrNumber)
+		{
+			result = bms_add_member(result, index);
+			continue;
+		}
+
+		attname = get_attname(parentId, attno);
+		if (!attname)
+			elog(ERROR, "cache lookup failed for attribute %d of relation %u",
+				 attno, parentId);
+		attno = get_attnum(childId, attname);
+		if (attno == InvalidAttrNumber)
+			elog(ERROR, "cache lookup failed for attribute %s of relation %u",
+				 attname, childId);
+
+		index = attno - FirstLowInvalidHeapAttributeNumber;
+		result = bms_add_member(result, index);
+
+		pfree(attname);
+	}
+	bms_free(tmpset);
+
+	return result;
+}
+
+/*
+ * check_relation_privileges
+ *
+ * It actually checks required permissions on a certain relation
+ * and its columns.
+ */
+static bool
+check_relation_privileges(Oid relOid,
+						  Bitmapset *selected,
+						  Bitmapset *modified,
+						  uint32 required,
+						  bool abort)
+{
+	char		relkind = get_rel_relkind(relOid);
+	char	   *scontext = sepgsql_get_client_label();
+	char	   *tcontext;
+	Bitmapset  *columns;
+	int			index;
+	bool		result = true;
+
+	/*
+	 * Hardwired Policies:
+	 * SE-PostgreSQL enforces
+	 * - clients cannot modify system catalogs using DMLs
+	 * - clients cannot reference/modify toast relations using DMLs
+	 */
+	if (sepgsql_getenforce() > 0)
+	{
+		Oid		relnamespace = get_rel_namespace(relOid);
+
+		if (IsSystemNamespace(relnamespace) &&
+			(required & (SEPG_DB_TABLE__UPDATE |
+						 SEPG_DB_TABLE__INSERT |
+						 SEPG_DB_TABLE__DELETE)) != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("selinux: hardwired security policy violation")));
+
+		if (relkind == RELKIND_TOASTVALUE)
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("selinux: hardwired security policy violation")));
+	}
+
+	/*
+	 * Check permissions on the relation
+	 */
+	tcontext = sepgsql_get_label(RelationRelationId, relOid, 0);
+	switch (relkind)
+	{
+		case RELKIND_RELATION:
+			result = sepgsql_check_perms(scontext,
+										 tcontext,
+										 SEPG_CLASS_DB_TABLE,
+										 required,
+										 get_rel_name(relOid),
+										 abort);
+			if (!result)
+				return false;
+			break;
+
+		case RELKIND_SEQUENCE:
+			Assert((required & ~SEPG_DB_TABLE__SELECT) == 0);
+
+			if (required & SEPG_DB_TABLE__SELECT)
+				result = sepgsql_check_perms(scontext,
+											 tcontext,
+											 SEPG_CLASS_DB_SEQUENCE,
+											 SEPG_DB_SEQUENCE__GET_VALUE,
+											 get_rel_name(relOid),
+											 abort);
+			return result;
+
+		case RELKIND_VIEW:
+			result = sepgsql_check_perms(scontext,
+										 tcontext,
+										 SEPG_CLASS_DB_VIEW,
+										 SEPG_DB_VIEW__EXPAND,
+										 get_rel_name(relOid),
+										 abort);
+			return result;
+
+		default:
+			/* nothing to be checked */
+			return true;
+	}
+
+	/*
+	 * Check permissions on the columns
+	 */
+	selected = fixup_whole_row_references(relOid, selected);
+	modified = fixup_whole_row_references(relOid, modified);
+	columns = bms_union(selected, modified);
+
+	while ((index = bms_first_member(columns)) >= 0)
+	{
+		AttrNumber	attnum;
+		uint32		column_perms = 0;
+		char		audit_name[NAMEDATALEN * 2 + 10];
+
+		if (bms_is_member(index, selected))
+			column_perms |= SEPG_DB_COLUMN__SELECT;
+		if (bms_is_member(index, modified))
+		{
+			if (required & SEPG_DB_TABLE__UPDATE)
+				column_perms |= SEPG_DB_COLUMN__UPDATE;
+			if (required & SEPG_DB_TABLE__INSERT)
+				column_perms |= SEPG_DB_COLUMN__INSERT;
+		}
+		if (column_perms == 0)
+			continue;
+
+		/* obtain column's permission */
+		attnum = index + FirstLowInvalidHeapAttributeNumber;
+		tcontext = sepgsql_get_label(RelationRelationId, relOid, attnum);
+		snprintf(audit_name, sizeof(audit_name), "%s.%s",
+				 get_rel_name(relOid), get_attname(relOid, attnum));
+
+		result = sepgsql_check_perms(scontext,
+									 tcontext,
+									 SEPG_CLASS_DB_COLUMN,
+									 column_perms,
+									 audit_name,
+									 abort);
+		if (!result)
+			return result;
+	}
+	return true;
+}
+
+/*
+ * sepgsql_dml_privileges
+ *
+ * Entrypoint of the DML permission checks
+ */
+bool
+sepgsql_dml_privileges(List *rangeTabls, bool abort)
+{
+	ListCell   *lr;
+
+	foreach (lr, rangeTabls)
+	{
+		RangeTblEntry  *rte = lfirst(lr);
+		uint32			required = 0;
+		List		   *tableIds;
+		ListCell	   *li;
+
+		/*
+		 * Only regular relations shall be checked
+		 */
+		if (rte->rtekind != RTE_RELATION)
+			continue;
+
+		/*
+		 * Find out required permissions
+		 */
+		if (rte->requiredPerms & ACL_SELECT)
+			required |= SEPG_DB_TABLE__SELECT;
+		if (rte->requiredPerms & ACL_INSERT)
+			required |= SEPG_DB_TABLE__INSERT;
+		if (rte->requiredPerms & ACL_UPDATE)
+		{
+			if (!bms_is_empty(rte->modifiedCols))
+				required |= SEPG_DB_TABLE__UPDATE;
+			else
+				required |= SEPG_DB_TABLE__LOCK;
+		}
+		if (rte->requiredPerms & ACL_DELETE)
+			required |= SEPG_DB_TABLE__DELETE;
+
+		/*
+		 * Skip, if nothing to be checked
+		 */
+		if (required == 0)
+			continue;
+
+		/*
+		 * If this RangeTblEntry is also supposed to reference inherited
+		 * tables, we need to check security label of the child tables.
+		 * So, we expand rte->relid into list of OIDs of inheritance
+		 * hierarchy, then checker routine will be invoked for each
+		 * relations.
+		 */
+		if (!rte->inh)
+			tableIds = list_make1_oid(rte->relid);
+		else
+			tableIds = find_all_inheritors(rte->relid, NoLock, NULL);
+
+		foreach (li, tableIds)
+		{
+			Oid			tableOid = lfirst_oid(li);
+			Bitmapset  *selectedCols;
+			Bitmapset  *modifiedCols;
+
+			/*
+			 * child table has different attribute numbers, so we need
+			 * to fix up them.
+			 */
+			selectedCols = fixup_inherited_columns(rte->relid, tableOid,
+												   rte->selectedCols);
+			modifiedCols = fixup_inherited_columns(rte->relid, tableOid,
+												   rte->modifiedCols);
+
+			/*
+			 * check permissions on individual tables
+			 */
+			if (!check_relation_privileges(tableOid,
+										   selectedCols,
+										   modifiedCols,
+										   required, abort))
+				return false;
+		}
+		list_free(tableIds);
+	}
+	return true;
+}
--- a/contrib/sepgsql/expected/dml.out
+++ b/contrib/sepgsql/expected/dml.out
+--
+-- Regression Test for DML Permissions
+--
+--
+-- Setup
+--
+CREATE TABLE t1 (a int, b text);
+SECURITY LABEL ON TABLE t1 IS 'system_u:object_r:sepgsql_table_t:s0';
+INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
+CREATE TABLE t2 (x int, y text);
+SECURITY LABEL ON TABLE t2 IS 'system_u:object_r:sepgsql_ro_table_t:s0';
+INSERT INTO t2 VALUES (1, 'xxx'), (2, 'yyy'), (3, 'zzz');
+CREATE TABLE t3 (s int, t text);
+SECURITY LABEL ON TABLE t3 IS 'system_u:object_r:sepgsql_fixed_table_t:s0';
+INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');
+CREATE TABLE t4 (m int, n text);
+SECURITY LABEL ON TABLE t4 IS 'system_u:object_r:sepgsql_secret_table_t:s0';
+INSERT INTO t4 VALUES (1, 'mmm'), (2, 'nnn'), (3, 'ooo');
+CREATE TABLE t5 (e text, f text, g text);
+SECURITY LABEL ON TABLE t5 IS 'system_u:object_r:sepgsql_table_t:s0';
+SECURITY LABEL ON COLUMN t5.e IS 'system_u:object_r:sepgsql_table_t:s0';
+SECURITY LABEL ON COLUMN t5.f IS 'system_u:object_r:sepgsql_ro_table_t:s0';
+SECURITY LABEL ON COLUMN t5.g IS 'system_u:object_r:sepgsql_secret_table_t:s0';
+CREATE TABLE customer (cid int primary key, cname text, ccredit text);
+NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "customer_pkey" for table "customer"
+SECURITY LABEL ON COLUMN customer.ccredit IS 'system_u:object_r:sepgsql_secret_table_t:s0';
+INSERT INTO customer VALUES (1, 'Taro',   '1111-2222-3333-4444'),
+                            (2, 'Hanako', '5555-6666-7777-8888');
+CREATE FUNCTION customer_credit(int) RETURNS text
+    AS 'SELECT regexp_replace(ccredit, ''-[0-9]+$'', ''-????'') FROM customer WHERE cid = $1'
+    LANGUAGE sql;
+SECURITY LABEL ON FUNCTION customer_credit(int)
+    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
+SELECT objtype, objname, label FROM pg_seclabels
+    WHERE provider = 'selinux'
+     AND  objtype in ('table', 'column')
+     AND  objname in ('t1', 't2', 't3', 't4', 't5', 't5.e', 't5.f', 't5.g');
+ objtype | objname |                    label                    
+---------+---------+---------------------------------------------
+ table   | t1      | system_u:object_r:sepgsql_table_t:s0
+ table   | t2      | system_u:object_r:sepgsql_ro_table_t:s0
+ table   | t3      | system_u:object_r:sepgsql_fixed_table_t:s0
+ table   | t4      | system_u:object_r:sepgsql_secret_table_t:s0
+ table   | t5      | system_u:object_r:sepgsql_table_t:s0
+ column  | t5.g    | system_u:object_r:sepgsql_secret_table_t:s0
+ column  | t5.f    | system_u:object_r:sepgsql_ro_table_t:s0
+ column  | t5.e    | system_u:object_r:sepgsql_table_t:s0
+(8 rows)
+
+-- Hardwired Rules
+UPDATE pg_attribute SET attisdropped = true
+    WHERE attrelid = 't5'::regclass AND attname = 'f';	-- failed
+ERROR:  selinux: hardwired security policy violation
+--
+-- Simple DML statements
+--
+SELECT sepgsql_getcon();	-- confirm client privilege
+                   sepgsql_getcon                    
+-----------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
+(1 row)
+
+SELECT * FROM t1;			-- ok
+ a |  b  
+---+-----
+ 1 | aaa
+ 2 | bbb
+ 3 | ccc
+(3 rows)
+
+SELECT * FROM t2;			-- ok
+ x |  y  
+---+-----
+ 1 | xxx
+ 2 | yyy
+ 3 | zzz
+(3 rows)
+
+SELECT * FROM t3;			-- ok
+ s |  t  
+---+-----
+ 1 | sss
+ 2 | ttt
+ 3 | uuu
+(3 rows)
+
+SELECT * FROM t4;			-- failed
+ERROR:  SELinux: security policy violation
+SELECT * FROM t5;			-- failed
+ERROR:  SELinux: security policy violation
+SELECT e,f FROM t5;			-- ok
+ e | f 
+---+---
+(0 rows)
+
+SELECT * FROM customer;			-- failed
+ERROR:  SELinux: security policy violation
+SELECT cid, cname, customer_credit(cid) FROM customer;	-- ok
+ cid | cname  |   customer_credit   
+-----+--------+---------------------
+   1 | Taro   | 1111-2222-3333-????
+   2 | Hanako | 5555-6666-7777-????
+(2 rows)
+
+SELECT count(*) FROM t5;			-- ok
+ count 
+-------
+     0
+(1 row)
+
+SELECT count(*) FROM t5 WHERE g IS NULL;	-- failed
+ERROR:  SELinux: security policy violation
+INSERT INTO t1 VALUES (4, 'abc');		-- ok
+INSERT INTO t2 VALUES (4, 'xyz');		-- failed
+ERROR:  SELinux: security policy violation
+INSERT INTO t3 VALUES (4, 'stu');		-- ok
+INSERT INTO t4 VALUES (4, 'mno');		-- failed
+ERROR:  SELinux: security policy violation
+INSERT INTO t5 VALUES (1,2,3);			-- failed
+ERROR:  SELinux: security policy violation
+INSERT INTO t5 (e,f) VALUES ('abc', 'def');	-- failed
+ERROR:  SELinux: security policy violation
+INSERT INTO t5 (e) VALUES ('abc');		-- ok
+UPDATE t1 SET b = b || '_upd';			-- ok
+UPDATE t2 SET y = y || '_upd';			-- failed
+ERROR:  SELinux: security policy violation
+UPDATE t3 SET t = t || '_upd';			-- failed
+ERROR:  SELinux: security policy violation
+UPDATE t4 SET n = n || '_upd';			-- failed
+ERROR:  SELinux: security policy violation
+UPDATE t5 SET e = 'xyz';			-- ok
+UPDATE t5 SET e = f || '_upd';			-- ok
+UPDATE t5 SET e = g || '_upd';			-- failed
+ERROR:  SELinux: security policy violation
+DELETE FROM t1;					-- ok
+DELETE FROM t2;					-- failed
+ERROR:  SELinux: security policy violation
+DELETE FROM t3;					-- failed
+ERROR:  SELinux: security policy violation
+DELETE FROM t4;					-- failed
+ERROR:  SELinux: security policy violation
+DELETE FROM t5;					-- ok
+DELETE FROM t5 WHERE f IS NULL;			-- ok
+DELETE FROM t5 WHERE g IS NULL;			-- failed
+ERROR:  SELinux: security policy violation
+--
+-- COPY TO/FROM statements
+--
+COPY t1 TO '/dev/null';				-- ok
+COPY t2 TO '/dev/null';				-- ok
+COPY t3 TO '/dev/null';				-- ok
+COPY t4 TO '/dev/null';				-- failed
+ERROR:  SELinux: security policy violation
+COPY t5 TO '/dev/null';				-- failed
+ERROR:  SELinux: security policy violation
+COPY t5(e,f) TO '/dev/null';			-- ok
+COPY t1 FROM '/dev/null';			-- ok
+COPY t2 FROM '/dev/null';			-- failed
+ERROR:  SELinux: security policy violation
+COPY t3 FROM '/dev/null';			-- ok
+COPY t4 FROM '/dev/null';			-- failed
+ERROR:  SELinux: security policy violation
+COPY t5 FROM '/dev/null';			-- failed
+ERROR:  SELinux: security policy violation
+COPY t5 (e,f) FROM '/dev/null';			-- failed
+ERROR:  SELinux: security policy violation
+COPY t5 (e) FROM '/dev/null';			-- ok
+--
+-- Clean up
+--
+SELECT sepgsql_getcon();	-- confirm client privilege
+                    sepgsql_getcon                    
+------------------------------------------------------
+ unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
+(1 row)
+
+DROP TABLE IF EXISTS t1 CASCADE;
+DROP TABLE IF EXISTS t2 CASCADE;
+DROP TABLE IF EXISTS t3 CASCADE;
+DROP TABLE IF EXISTS t4 CASCADE;
+DROP TABLE IF EXISTS t5 CASCADE;
+DROP TABLE IF EXISTS customer CASCADE;
--- a/contrib/sepgsql/expected/label.out
+++ b/contrib/sepgsql/expected/label.out
+--
+-- Regression Tests for Label Management
+--
+--
+-- Setup
+--
+CREATE TABLE t1 (a int, b text);
+INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
+SELECT * INTO t2 FROM t1 WHERE a % 2 = 0;
+CREATE FUNCTION f1 () RETURNS text
+    AS 'SELECT sepgsql_getcon()'
+    LANGUAGE sql;
+CREATE FUNCTION f2 () RETURNS text
+    AS 'SELECT sepgsql_getcon()'
+    LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f2()
+    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
+CREATE FUNCTION f3 () RETURNS text
+    AS 'BEGIN
+          RAISE EXCEPTION ''an exception from f3()'';
+          RETURN NULL;
+        END;' LANGUAGE plpgsql;
+SECURITY LABEL ON FUNCTION f3()
+    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
+--
+-- Tests for default labeling behavior
+--
+SELECT sepgsql_getcon();	-- confirm client privilege
+                   sepgsql_getcon                    
+-----------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
+(1 row)
+
+CREATE TABLE t3 (s int, t text);
+INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');
+SELECT objtype, objname, label FROM pg_seclabels
+    WHERE provider = 'selinux'
+     AND  objtype in ('table', 'column')
+     AND  objname in ('t1', 't2', 't3');
+ objtype | objname |                     label                     
+---------+---------+-----------------------------------------------
+ table   | t1      | unconfined_u:object_r:sepgsql_table_t:s0
+ table   | t2      | unconfined_u:object_r:sepgsql_table_t:s0
+ table   | t3      | unconfined_u:object_r:user_sepgsql_table_t:s0
+(3 rows)
+
+--
+-- Tests for SECURITY LABEL
+--
+SELECT sepgsql_getcon();	-- confirm client privilege
+                   sepgsql_getcon                   
+----------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0
+(1 row)
+
+SECURITY LABEL ON TABLE t1
+    IS 'system_u:object_r:sepgsql_ro_table_t:s0';	-- ok
+SECURITY LABEL ON TABLE t2
+    IS 'invalid seuciryt context';			-- be failed
+ERROR:  invalid security label: "invalid seuciryt context"
+SECURITY LABEL ON COLUMN t2
+    IS 'system_u:object_r:sepgsql_ro_table_t:s0';	-- be failed
+ERROR:  improper relation name (too many dotted names): 
+SECURITY LABEL ON COLUMN t2.b
+    IS 'system_u:object_r:sepgsql_ro_table_t:s0';	-- ok
+--
+-- Tests for Trusted Procedures
+--
+SELECT sepgsql_getcon();	-- confirm client privilege
+                   sepgsql_getcon                    
+-----------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
+(1 row)
+
+SELECT f1();			-- normal procedure
+                         f1                          
+-----------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
+(1 row)
+
+SELECT f2();			-- trusted procedure
+                         f2                          
+-----------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_trusted_proc_t:s0
+(1 row)
+
+SELECT f3();			-- trusted procedure that raises an error
+ERROR:  an exception from f3()
+SELECT sepgsql_getcon();	-- client's label must be restored
+                   sepgsql_getcon                    
+-----------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
+(1 row)
+
+--
+-- Clean up
+--
+SELECT sepgsql_getcon();	-- confirm client privilege
+                    sepgsql_getcon                    
+------------------------------------------------------
+ unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
+(1 row)
+
+DROP TABLE IF EXISTS t1 CASCADE;
+DROP TABLE IF EXISTS t2 CASCADE;
+DROP TABLE IF EXISTS t3 CASCADE;
+DROP FUNCTION IF EXISTS f1() CASCADE;
+DROP FUNCTION IF EXISTS f2() CASCADE;
+DROP FUNCTION IF EXISTS f3() CASCADE;
--- a/contrib/sepgsql/expected/misc.out
+++ b/contrib/sepgsql/expected/misc.out
+--
+-- Regression Test for Misc Permission Checks
+--
+LOAD '$libdir/sepgsql';		-- failed
+ERROR:  SELinux: LOAD is not allowed anyway.
--- a/contrib/sepgsql/hooks.c
+++ b/contrib/sepgsql/hooks.c
--- a/contrib/sepgsql/label.c
+++ b/contrib/sepgsql/label.c
--- a/contrib/sepgsql/launcher
+++ b/contrib/sepgsql/launcher
+#!/bin/sh
+#
+# A wrapper script to launch psql command in regression test
+#
+# Copyright (c) 2010-2011, PostgreSQL Global Development Group
+#
+# -------------------------------------------------------------------------
+
+if [ $# -lt 1 ]; then
+    echo "usage: `basename $0` <command> [options...]"
+    exit 1
+fi
+
+RUNCON=`which runcon`
+if [ ! -e "$RUNCON" ]; then
+    echo "runcon command is not found"
+    exit 1
+fi
+
+#
+# Read SQL from stdin
+#
+TEMP=`mktemp`
+CONTEXT=""
+
+while IFS='\\n' read LINE
+do
+    if echo "$LINE" | grep -q "^-- @SECURITY-CONTEXT="; then
+        if [ -s "$TEMP" ]; then
+            if [ -n "$CONTEXT" ]; then
+                "$RUNCON" "$CONTEXT" $* < "$TEMP"
+            else
+                $* < $TEMP
+            fi
+            truncate -s0 $TEMP
+        fi
+        CONTEXT=`echo "$LINE" | sed 's/^-- @SECURITY-CONTEXT=//g'`
+        LINE="SELECT sepgsql_getcon();	-- confirm client privilege"
+    fi
+    echo "$LINE" >> $TEMP
+done
+
+if [ -s "$TEMP" ]; then
+    if [ -n "$CONTEXT" ]; then
+        "$RUNCON" "$CONTEXT" $* < "$TEMP"
+    else
+        $* < $TEMP
+    fi
+fi
+
+# cleanup temp file
+rm -f $TEMP
--- a/contrib/sepgsql/proc.c
+++ b/contrib/sepgsql/proc.c
+/* -------------------------------------------------------------------------
+ *
+ * contrib/sepgsql/proc.c
+ *
+ * Routines corresponding to procedure objects
+ *
+ * Copyright (c) 2010-2011, PostgreSQL Global Development Group
+ *
+ * -------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include "access/genam.h"
+#include "access/heapam.h"
+#include "access/sysattr.h"
+#include "catalog/indexing.h"
+#include "catalog/pg_namespace.h"
+#include "catalog/pg_proc.h"
+#include "commands/seclabel.h"
+#include "utils/fmgroids.h"
+#include "utils/lsyscache.h"
+#include "utils/tqual.h"
+
+#include "sepgsql.h"
+
+/*
+ * sepgsql_proc_post_create
+ *
+ * This routine assigns a default security label on a newly defined
+ * procedure.
+ */
+void
+sepgsql_proc_post_create(Oid functionId)
+{
+	Relation		rel;
+	ScanKeyData		skey;
+	SysScanDesc		sscan;
+	HeapTuple		tuple;
+	Oid				namespaceId;
+	ObjectAddress	object;
+	char		   *scontext;
+	char		   *tcontext;
+	char		   *ncontext;
+
+	/*
+	 * Fetch namespace of the new procedure. Because pg_proc entry is not
+	 * visible right now, we need to scan the catalog using SnapshotSelf.
+	 */
+	rel = heap_open(ProcedureRelationId, AccessShareLock);
+
+	ScanKeyInit(&skey,
+				ObjectIdAttributeNumber,
+				BTEqualStrategyNumber, F_OIDEQ,
+				ObjectIdGetDatum(functionId));
+
+	sscan = systable_beginscan(rel, ProcedureOidIndexId, true,
+							   SnapshotSelf, 1, &skey);
+
+	tuple = systable_getnext(sscan);
+	if (!HeapTupleIsValid(tuple))
+		elog(ERROR, "catalog lookup failed for proc %u", functionId);
+
+	namespaceId = ((Form_pg_proc) GETSTRUCT(tuple))->pronamespace;
+
+	systable_endscan(sscan);
+	heap_close(rel, AccessShareLock);
+
+	/*
+	 * Compute a default security label when we create a new procedure
+	 * object under the specified namespace.
+	 */
+	scontext = sepgsql_get_client_label();
+	tcontext = sepgsql_get_label(NamespaceRelationId, namespaceId, 0);
+	ncontext = sepgsql_compute_create(scontext, tcontext,
+									  SEPG_CLASS_DB_PROCEDURE);
+
+	/*
+	 * Assign the default security label on a new procedure
+	 */
+	object.classId = ProcedureRelationId;
+	object.objectId = functionId;
+	object.objectSubId = 0;
+	SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ncontext);
+
+	pfree(tcontext);
+	pfree(ncontext);
+}
+
+/*
+ * sepgsql_proc_relabel
+ *
+ * It checks privileges to relabel the supplied function
+ * by the `seclabel'.
+ */
+void
+sepgsql_proc_relabel(Oid functionId, const char *seclabel)
+{
+	char	   *scontext = sepgsql_get_client_label();
+	char	   *tcontext;
+	char	   *audit_name;
+
+	audit_name = get_func_name(functionId);
+
+	/*
+	 * check db_procedure:{setattr relabelfrom} permission
+	 */
+	tcontext = sepgsql_get_label(ProcedureRelationId, functionId, 0);
+	sepgsql_check_perms(scontext,
+						tcontext,
+						SEPG_CLASS_DB_PROCEDURE,
+						SEPG_DB_PROCEDURE__SETATTR |
+						SEPG_DB_PROCEDURE__RELABELFROM,
+						audit_name,
+						true);
+	pfree(tcontext);
+
+	/*
+	 * check db_procedure:{relabelto} permission
+	 */
+	sepgsql_check_perms(scontext,
+						seclabel,
+						SEPG_CLASS_DB_PROCEDURE,
+						SEPG_DB_PROCEDURE__RELABELTO,
+						audit_name,
+						true);
+	pfree(audit_name);
+}
+
+/*
+ * sepgsql_proc_get_domtrans
+ *
+ * It computes security label of the client that shall be applied when
+ * the current client invokes the supplied function.
+ * This computed label is either same or different from the current one.
+ * If security policy informed the function is a trusted-procedure,
+ * we need to switch security label of the client during execution of
+ * the function.
+ *
+ * Also note that the translated label shall be allocated using palloc().
+ * So, need to switch memory context, if you want to hold the string in
+ * someone except for CurrentMemoryContext.
+ */
+char *
+sepgsql_proc_get_domtrans(Oid functionId)
+{
+	char   *scontext = sepgsql_get_client_label();
+	char   *tcontext;
+	char   *ncontext;
+
+	tcontext = sepgsql_get_label(ProcedureRelationId, functionId, 0);
+
+	ncontext = sepgsql_compute_create(scontext,
+									  tcontext,
+									  SEPG_CLASS_PROCESS);
+	pfree(tcontext);
+
+	return ncontext;
+}
--- a/contrib/sepgsql/relation.c
+++ b/contrib/sepgsql/relation.c
+/* -------------------------------------------------------------------------
+ *
+ * contrib/sepgsql/label.c
+ *
+ * Routines corresponding to relation/attribute objects
+ *
+ * Copyright (c) 2010-2011, PostgreSQL Global Development Group
+ *
+ * -------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include "access/genam.h"
+#include "access/heapam.h"
+#include "access/sysattr.h"
+#include "catalog/indexing.h"
+#include "catalog/pg_attribute.h"
+#include "catalog/pg_class.h"
+#include "catalog/pg_namespace.h"
+#include "commands/seclabel.h"
+#include "utils/fmgroids.h"
+#include "utils/lsyscache.h"
+#include "utils/tqual.h"
+
+#include "sepgsql.h"
+
+/*
+ * sepgsql_attribute_post_create
+ *
+ * This routine assigns a default security label on a newly defined
+ * column, using ALTER TABLE ... ADD COLUMN.
+ * Note that this routine is not invoked in the case of CREATE TABLE,
+ * although it also defines columns in addition to table.
+ */
+void
+sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum)
+{
+	char		   *scontext = sepgsql_get_client_label();
+	char		   *tcontext;
+	char		   *ncontext;
+	ObjectAddress	object;
+
+	/*
+	 * Only attributes within regular relation have individual
+	 * security labels.
+	 */
+	if (get_rel_relkind(relOid) != RELKIND_RELATION)
+		return;
+
+	/*
+	 * Compute a default security label when we create a new procedure
+	 * object under the specified namespace.
+	 */
+	scontext = sepgsql_get_client_label();
+	tcontext = sepgsql_get_label(RelationRelationId, relOid, 0);
+	ncontext = sepgsql_compute_create(scontext, tcontext,
+									  SEPG_CLASS_DB_COLUMN);
+	/*
+	 * Assign the default security label on a new procedure
+	 */
+	object.classId = RelationRelationId;
+	object.objectId = relOid;
+	object.objectSubId = attnum;
+	SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ncontext);
+
+	pfree(tcontext);
+	pfree(ncontext);
+}
+
+/*
+ * sepgsql_attribute_relabel
+ *
+ * It checks privileges to relabel the supplied column
+ * by the `seclabel'.
+ */
+void
+sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum,
+						  const char *seclabel)
+{
+	char	   *scontext = sepgsql_get_client_label();
+	char	   *tcontext;
+	char		audit_name[NAMEDATALEN * 2 + 10];
+
+	if (get_rel_relkind(relOid) != RELKIND_RELATION)
+		ereport(ERROR,
+				(errcode(ERRCODE_WRONG_OBJECT_TYPE),
+				 errmsg("cannot set security label on non-regular columns")));
+
+	snprintf(audit_name, sizeof(audit_name), "%s.%s",
+			 get_rel_name(relOid), get_attname(relOid, attnum));
+
+	/*
+	 * check db_column:{setattr relabelfrom} permission
+	 */
+	tcontext = sepgsql_get_label(RelationRelationId, relOid, attnum);
+	sepgsql_check_perms(scontext,
+						tcontext,
+						SEPG_CLASS_DB_COLUMN,
+						SEPG_DB_COLUMN__SETATTR |
+						SEPG_DB_COLUMN__RELABELFROM,
+						audit_name,
+						true);
+	pfree(tcontext);
+
+	/*
+	 * check db_column:{relabelto} permission
+	 */
+	sepgsql_check_perms(scontext,
+						seclabel,
+						SEPG_CLASS_DB_COLUMN,
+						SEPG_DB_PROCEDURE__RELABELTO,
+						audit_name,
+						true);
+}
+
+/*
+ * sepgsql_relation_post_create
+ *
+ * The post creation hook of relation/attribute
+ */
+void
+sepgsql_relation_post_create(Oid relOid)
+{
+	Relation		rel;
+	ScanKeyData		skey;
+	SysScanDesc		sscan;
+	HeapTuple		tuple;
+	Form_pg_class	classForm;
+	ObjectAddress	object;
+	uint16			tclass;
+	char		   *scontext;	/* subject */
+	char		   *tcontext;	/* schema */
+	char		   *rcontext;	/* relation */
+	char		   *ccontext;	/* column */
+
+	/*
+	 * Fetch catalog record of the new relation. Because pg_class entry is
+	 * not visible right now, we need to scan the catalog using SnapshotSelf.
+	 */
+	rel = heap_open(RelationRelationId, AccessShareLock);
+
+	ScanKeyInit(&skey,
+				ObjectIdAttributeNumber,
+				BTEqualStrategyNumber, F_OIDEQ,
+				ObjectIdGetDatum(relOid));
+
+	sscan = systable_beginscan(rel, ClassOidIndexId, true,
+							   SnapshotSelf, 1, &skey);
+
+	tuple = systable_getnext(sscan);
+	if (!HeapTupleIsValid(tuple))
+		elog(ERROR, "catalog lookup failed for relation %u", relOid);
+
+	classForm = (Form_pg_class) GETSTRUCT(tuple);
+
+	if (classForm->relkind == RELKIND_RELATION)
+		tclass = SEPG_CLASS_DB_TABLE;
+	else if (classForm->relkind == RELKIND_SEQUENCE)
+		tclass = SEPG_CLASS_DB_SEQUENCE;
+	else if (classForm->relkind == RELKIND_VIEW)
+		tclass = SEPG_CLASS_DB_VIEW;
+	else
+		goto out;	/* No need to assign individual labels */
+
+	/*
+	 * Compute a default security label when we create a new relation
+	 * object under the specified namespace.
+	 */
+	scontext = sepgsql_get_client_label();
+	tcontext = sepgsql_get_label(NamespaceRelationId,
+								 classForm->relnamespace, 0);
+	rcontext = sepgsql_compute_create(scontext, tcontext, tclass);
+
+	/*
+	 * Assign the default security label on the new relation
+	 */
+	object.classId = RelationRelationId;
+	object.objectId = relOid;
+	object.objectSubId = 0;
+	SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, rcontext);
+
+	/*
+	 * We also assigns a default security label on columns of the new
+	 * regular tables.
+	 */
+	if (classForm->relkind == RELKIND_RELATION)
+	{
+		AttrNumber	index;
+
+		ccontext = sepgsql_compute_create(scontext, rcontext,
+										  SEPG_CLASS_DB_COLUMN);
+		for (index = FirstLowInvalidHeapAttributeNumber + 1;
+			 index <= classForm->relnatts;
+			 index++)
+		{
+			if (index == InvalidAttrNumber)
+				continue;
+
+			if (index == ObjectIdAttributeNumber && !classForm->relhasoids)
+				continue;
+
+			object.classId = RelationRelationId;
+			object.objectId = relOid;
+			object.objectSubId = index;
+			SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ccontext);
+		}
+		pfree(ccontext);
+	}
+	pfree(rcontext);
+out:
+	systable_endscan(sscan);
+	heap_close(rel, AccessShareLock);
+}
+
+/*
+ * sepgsql_relation_relabel
+ *
+ * It checks privileges to relabel the supplied relation by the `seclabel'.
+ */
+void
+sepgsql_relation_relabel(Oid relOid, const char *seclabel)
+{
+	char	   *scontext = sepgsql_get_client_label();
+	char	   *tcontext;
+	char	   *audit_name;
+	char		relkind;
+	uint16_t	tclass = 0;
+
+	relkind = get_rel_relkind(relOid);
+	if (relkind == RELKIND_RELATION)
+		tclass = SEPG_CLASS_DB_TABLE;
+	else if (relkind == RELKIND_SEQUENCE)
+		tclass = SEPG_CLASS_DB_SEQUENCE;
+	else if (relkind == RELKIND_VIEW)
+		tclass = SEPG_CLASS_DB_VIEW;
+	else
+		ereport(ERROR,
+				(errcode(ERRCODE_WRONG_OBJECT_TYPE),
+				 errmsg("cannot set security labels on relations except "
+						"for tables, sequences or views")));
+
+	audit_name = get_rel_name(relOid);
+
+	/*
+	 * check db_xxx:{setattr relabelfrom} permission
+	 */
+	tcontext = sepgsql_get_label(RelationRelationId, relOid, 0);
+
+	sepgsql_check_perms(scontext,
+						tcontext,
+						tclass,
+						SEPG_DB_TABLE__SETATTR |
+						SEPG_DB_TABLE__RELABELFROM,
+						audit_name,
+						true);
+	pfree(tcontext);
+
+	/*
+	 * check db_xxx:{relabelto} permission
+	 */
+	sepgsql_check_perms(scontext,
+						seclabel,
+						tclass,
+						SEPG_DB_TABLE__RELABELTO,
+						audit_name,
+						true);
+}
--- a/contrib/sepgsql/schema.c
+++ b/contrib/sepgsql/schema.c
+/* -------------------------------------------------------------------------
+ *
+ * contrib/sepgsql/schema.c
+ *
+ * Routines corresponding to schema objects
+ *
+ * Copyright (c) 2010-2011, PostgreSQL Global Development Group
+ *
+ * -------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include "catalog/pg_namespace.h"
+#include "commands/seclabel.h"
+#include "utils/lsyscache.h"
+
+#include "sepgsql.h"
+
+/*
+ * sepgsql_schema_post_create
+ *
+ * This routine assigns a default security label on a newly defined
+ * schema.
+ */
+void
+sepgsql_schema_post_create(Oid namespaceId)
+{
+	char		   *scontext = sepgsql_get_client_label();
+	char		   *tcontext;
+	char		   *ncontext;
+	ObjectAddress	object;
+
+	/*
+	 * FIXME: Right now, we assume pg_database object has a fixed
+	 * security label, because pg_seclabel does not support to store
+	 * label of shared database objects.
+	 */
+	tcontext = "system_u:object_r:sepgsql_db_t:s0";
+
+	/*
+	 * Compute a default security label when we create a new schema
+	 * object under the working database.
+	 */
+	ncontext = sepgsql_compute_create(scontext, tcontext,
+									  SEPG_CLASS_DB_SCHEMA);
+
+	/*
+	 * Assign the default security label on a new procedure
+	 */
+	object.classId = NamespaceRelationId;
+	object.objectId = namespaceId;
+	object.objectSubId = 0;
+	SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ncontext);
+
+	pfree(ncontext);
+}
+
+/*
+ * sepgsql_schema_relabel
+ *
+ * It checks privileges to relabel the supplied schema
+ * by the `seclabel'.
+ */
+void
+sepgsql_schema_relabel(Oid namespaceId, const char *seclabel)
+{
+	char	   *scontext = sepgsql_get_client_label();
+	char	   *tcontext;
+	char	   *audit_name;
+
+	audit_name = get_namespace_name(namespaceId);
+
+	/*
+	 * check db_schema:{setattr relabelfrom} permission
+	 */
+	tcontext = sepgsql_get_label(NamespaceRelationId, namespaceId, 0);
+
+	sepgsql_check_perms(scontext,
+						tcontext,
+						SEPG_CLASS_DB_SCHEMA,
+						SEPG_DB_SCHEMA__SETATTR |
+						SEPG_DB_SCHEMA__RELABELFROM,
+						audit_name,
+						true);
+
+	/*
+	 * check db_schema:{relabelto} permission
+	 */
+	sepgsql_check_perms(scontext,
+						seclabel,
+						SEPG_CLASS_DB_SCHEMA,
+						SEPG_DB_SCHEMA__RELABELTO,
+						audit_name,
+						true);
+
+	pfree(tcontext);
+	pfree(audit_name);
+}
--- a/contrib/sepgsql/selinux.c
+++ b/contrib/sepgsql/selinux.c
--- a/contrib/sepgsql/sepgsql-regtest.te
+++ b/contrib/sepgsql/sepgsql-regtest.te
+policy_module(sepgsql-regtest, 1.01)
+
+## <desc>
+## <p>
+## Allow to launch regression test of SE-PostgreSQL
+## Don't switch to TRUE in normal cases
+## </p>
+## </desc>
+gen_tunable(sepgsql_regression_test_mode, false)
+
+#
+# Test domains for database administrators
+#
+role sepgsql_regtest_dba_r;
+userdom_base_user_template(sepgsql_regtest_dba)
+userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t)
+userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
+optional_policy(`
+	postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r)
+	postgresql_stream_connect(sepgsql_regtest_dba_t)
+')
+optional_policy(`
+	unconfined_stream_connect(sepgsql_regtest_dba_t)
+	unconfined_rw_pipes(sepgsql_regtest_dba_t)
+')
+
+#
+# Dummy domain for unpriv users
+#
+role sepgsql_regtest_user_r;
+userdom_base_user_template(sepgsql_regtest_user)
+userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
+userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
+optional_policy(`
+	postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
+	postgresql_stream_connect(sepgsql_regtest_user_t)
+')
+optional_policy(`
+	unconfined_stream_connect(sepgsql_regtest_user_t)
+	unconfined_rw_pipes(sepgsql_regtest_user_t)
+')
+
+#
+# Rules to launch psql in the dummy domains
+#
+optional_policy(`
+	gen_require(`
+		role unconfined_r;
+		type unconfined_t;
+		type sepgsql_trusted_proc_t;
+	')
+	tunable_policy(`sepgsql_regression_test_mode',`
+		allow unconfined_t sepgsql_regtest_dba_t : process { transition };
+		allow unconfined_t sepgsql_regtest_user_t : process { transition };
+	')
+	role unconfined_r types sepgsql_regtest_dba_t;
+	role unconfined_r types sepgsql_regtest_user_t;
+	role unconfined_r types sepgsql_trusted_proc_t;
+')
--- a/contrib/sepgsql/sepgsql.h
+++ b/contrib/sepgsql/sepgsql.h
--- a/contrib/sepgsql/sepgsql.sql.in
+++ b/contrib/sepgsql/sepgsql.sql.in
+--
+-- contrib/sepgsql/sepgsql.sql
+--
+-- [Step to install]
+--
+-- 1. Run initdb
+--    to set up a new database cluster.
+--
+-- 2. Edit $PGDATA/postgresql.conf
+--    to add 'MODULE_PATHNAME' to shared_preload_libraries.
+--
+--    Example)
+--        shared_preload_libraries = 'MODULE_PATHNAME'
+--
+-- 3. Run this script for each databases
+--    This script installs corresponding functions, and assigns initial
+--    security labels on target database objects.
+--    It can be run both single-user mode and multi-user mode, according
+--    to your preference.
+--
+--    Example)
+--      $ for DBNAME in template0 template1 postgres;     \
+--        do                                              \
+--          postgres --single -F -c exit_on_error=true -D $PGDATA $DBNAME \
+--            < /path/to/script/sepgsql.sql > /dev/null   \
+--        done
+--
+-- 4. Start postmaster,
+--    if you initialized the database in single-user mode.
+--
+LOAD 'MODULE_PATHNAME';
+CREATE OR REPLACE FUNCTION pg_catalog.sepgsql_getcon() RETURNS text AS 'MODULE_PATHNAME', 'sepgsql_getcon' LANGUAGE C;
+CREATE OR REPLACE FUNCTION pg_catalog.sepgsql_mcstrans_in(text) RETURNS text AS 'MODULE_PATHNAME', 'sepgsql_mcstrans_in' LANGUAGE C STRICT;
+CREATE OR REPLACE FUNCTION pg_catalog.sepgsql_mcstrans_out(text) RETURNS text AS 'MODULE_PATHNAME', 'sepgsql_mcstrans_out' LANGUAGE C STRICT;
+CREATE OR REPLACE FUNCTION pg_catalog.sepgsql_restorecon(text) RETURNS bool AS 'MODULE_PATHNAME', 'sepgsql_restorecon' LANGUAGE C;
+SELECT sepgsql_restorecon(NULL);
--- a/contrib/sepgsql/sql/dml.sql
+++ b/contrib/sepgsql/sql/dml.sql
+--
+-- Regression Test for DML Permissions
+--
+
+--
+-- Setup
+--
+CREATE TABLE t1 (a int, b text);
+SECURITY LABEL ON TABLE t1 IS 'system_u:object_r:sepgsql_table_t:s0';
+INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
+
+CREATE TABLE t2 (x int, y text);
+SECURITY LABEL ON TABLE t2 IS 'system_u:object_r:sepgsql_ro_table_t:s0';
+INSERT INTO t2 VALUES (1, 'xxx'), (2, 'yyy'), (3, 'zzz');
+
+CREATE TABLE t3 (s int, t text);
+SECURITY LABEL ON TABLE t3 IS 'system_u:object_r:sepgsql_fixed_table_t:s0';
+INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');
+
+CREATE TABLE t4 (m int, n text);
+SECURITY LABEL ON TABLE t4 IS 'system_u:object_r:sepgsql_secret_table_t:s0';
+INSERT INTO t4 VALUES (1, 'mmm'), (2, 'nnn'), (3, 'ooo');
+
+CREATE TABLE t5 (e text, f text, g text);
+SECURITY LABEL ON TABLE t5 IS 'system_u:object_r:sepgsql_table_t:s0';
+SECURITY LABEL ON COLUMN t5.e IS 'system_u:object_r:sepgsql_table_t:s0';
+SECURITY LABEL ON COLUMN t5.f IS 'system_u:object_r:sepgsql_ro_table_t:s0';
+SECURITY LABEL ON COLUMN t5.g IS 'system_u:object_r:sepgsql_secret_table_t:s0';
+
+CREATE TABLE customer (cid int primary key, cname text, ccredit text);
+SECURITY LABEL ON COLUMN customer.ccredit IS 'system_u:object_r:sepgsql_secret_table_t:s0';
+INSERT INTO customer VALUES (1, 'Taro',   '1111-2222-3333-4444'),
+                            (2, 'Hanako', '5555-6666-7777-8888');
+CREATE FUNCTION customer_credit(int) RETURNS text
+    AS 'SELECT regexp_replace(ccredit, ''-[0-9]+$'', ''-????'') FROM customer WHERE cid = $1'
+    LANGUAGE sql;
+SECURITY LABEL ON FUNCTION customer_credit(int)
+    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
+
+SELECT objtype, objname, label FROM pg_seclabels
+    WHERE provider = 'selinux'
+     AND  objtype in ('table', 'column')
+     AND  objname in ('t1', 't2', 't3', 't4', 't5', 't5.e', 't5.f', 't5.g');
+
+-- Hardwired Rules
+UPDATE pg_attribute SET attisdropped = true
+    WHERE attrelid = 't5'::regclass AND attname = 'f';	-- failed
+
+--
+-- Simple DML statements
+--
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
+
+SELECT * FROM t1;			-- ok
+SELECT * FROM t2;			-- ok
+SELECT * FROM t3;			-- ok
+SELECT * FROM t4;			-- failed
+SELECT * FROM t5;			-- failed
+SELECT e,f FROM t5;			-- ok
+
+SELECT * FROM customer;			-- failed
+SELECT cid, cname, customer_credit(cid) FROM customer;	-- ok
+
+SELECT count(*) FROM t5;			-- ok
+SELECT count(*) FROM t5 WHERE g IS NULL;	-- failed
+
+INSERT INTO t1 VALUES (4, 'abc');		-- ok
+INSERT INTO t2 VALUES (4, 'xyz');		-- failed
+INSERT INTO t3 VALUES (4, 'stu');		-- ok
+INSERT INTO t4 VALUES (4, 'mno');		-- failed
+INSERT INTO t5 VALUES (1,2,3);			-- failed
+INSERT INTO t5 (e,f) VALUES ('abc', 'def');	-- failed
+INSERT INTO t5 (e) VALUES ('abc');		-- ok
+
+UPDATE t1 SET b = b || '_upd';			-- ok
+UPDATE t2 SET y = y || '_upd';			-- failed
+UPDATE t3 SET t = t || '_upd';			-- failed
+UPDATE t4 SET n = n || '_upd';			-- failed
+UPDATE t5 SET e = 'xyz';			-- ok
+UPDATE t5 SET e = f || '_upd';			-- ok
+UPDATE t5 SET e = g || '_upd';			-- failed
+
+DELETE FROM t1;					-- ok
+DELETE FROM t2;					-- failed
+DELETE FROM t3;					-- failed
+DELETE FROM t4;					-- failed
+DELETE FROM t5;					-- ok
+DELETE FROM t5 WHERE f IS NULL;			-- ok
+DELETE FROM t5 WHERE g IS NULL;			-- failed
+
+--
+-- COPY TO/FROM statements
+--
+COPY t1 TO '/dev/null';				-- ok
+COPY t2 TO '/dev/null';				-- ok
+COPY t3 TO '/dev/null';				-- ok
+COPY t4 TO '/dev/null';				-- failed
+COPY t5 TO '/dev/null';				-- failed
+COPY t5(e,f) TO '/dev/null';			-- ok
+
+COPY t1 FROM '/dev/null';			-- ok
+COPY t2 FROM '/dev/null';			-- failed
+COPY t3 FROM '/dev/null';			-- ok
+COPY t4 FROM '/dev/null';			-- failed
+COPY t5 FROM '/dev/null';			-- failed
+COPY t5 (e,f) FROM '/dev/null';			-- failed
+COPY t5 (e) FROM '/dev/null';			-- ok
+
+--
+-- Clean up
+--
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
+DROP TABLE IF EXISTS t1 CASCADE;
+DROP TABLE IF EXISTS t2 CASCADE;
+DROP TABLE IF EXISTS t3 CASCADE;
+DROP TABLE IF EXISTS t4 CASCADE;
+DROP TABLE IF EXISTS t5 CASCADE;
+DROP TABLE IF EXISTS customer CASCADE;
--- a/contrib/sepgsql/sql/label.sql
+++ b/contrib/sepgsql/sql/label.sql
+--
+-- Regression Tests for Label Management
+--
+
+--
+-- Setup
+--
+CREATE TABLE t1 (a int, b text);
+INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
+SELECT * INTO t2 FROM t1 WHERE a % 2 = 0;
+
+CREATE FUNCTION f1 () RETURNS text
+    AS 'SELECT sepgsql_getcon()'
+    LANGUAGE sql;
+
+CREATE FUNCTION f2 () RETURNS text
+    AS 'SELECT sepgsql_getcon()'
+    LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f2()
+    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
+
+CREATE FUNCTION f3 () RETURNS text
+    AS 'BEGIN
+          RAISE EXCEPTION ''an exception from f3()'';
+          RETURN NULL;
+        END;' LANGUAGE plpgsql;
+SECURITY LABEL ON FUNCTION f3()
+    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
+
+--
+-- Tests for default labeling behavior
+--
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
+CREATE TABLE t3 (s int, t text);
+INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');
+
+SELECT objtype, objname, label FROM pg_seclabels
+    WHERE provider = 'selinux'
+     AND  objtype in ('table', 'column')
+     AND  objname in ('t1', 't2', 't3');
+
+--
+-- Tests for SECURITY LABEL
+--
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0
+SECURITY LABEL ON TABLE t1
+    IS 'system_u:object_r:sepgsql_ro_table_t:s0';	-- ok
+SECURITY LABEL ON TABLE t2
+    IS 'invalid seuciryt context';			-- be failed
+SECURITY LABEL ON COLUMN t2
+    IS 'system_u:object_r:sepgsql_ro_table_t:s0';	-- be failed
+SECURITY LABEL ON COLUMN t2.b
+    IS 'system_u:object_r:sepgsql_ro_table_t:s0';	-- ok
+
+--
+-- Tests for Trusted Procedures
+--
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
+SELECT f1();			-- normal procedure
+SELECT f2();			-- trusted procedure
+SELECT f3();			-- trusted procedure that raises an error
+SELECT sepgsql_getcon();	-- client's label must be restored
+
+--
+-- Clean up
+--
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
+DROP TABLE IF EXISTS t1 CASCADE;
+DROP TABLE IF EXISTS t2 CASCADE;
+DROP TABLE IF EXISTS t3 CASCADE;
+DROP FUNCTION IF EXISTS f1() CASCADE;
+DROP FUNCTION IF EXISTS f2() CASCADE;
+DROP FUNCTION IF EXISTS f3() CASCADE;
--- a/contrib/sepgsql/sql/misc.sql
+++ b/contrib/sepgsql/sql/misc.sql
+--
+-- Regression Test for Misc Permission Checks
+--
+
+LOAD '$libdir/sepgsql';		-- failed
--- a/doc/src/sgml/contrib.sgml
+++ b/doc/src/sgml/contrib.sgml
@@ -116,6 +116,7 @@ psql -d dbname -f <replaceable>SHAREDIR</>/contrib/<replaceable>module</>.sql
 &pgtrgm;
 &pgupgrade;
 &seg;
+ &sepgsql;
 &contrib-spi;
 &sslinfo;
 &tablefunc;

--- a/doc/src/sgml/filelist.sgml
+++ b/doc/src/sgml/filelist.sgml
@@ -129,6 +129,7 @@
 <!entity pgupgrade       SYSTEM "pgupgrade.sgml">
 <!entity seg             SYSTEM "seg.sgml">
 <!entity contrib-spi     SYSTEM "contrib-spi.sgml">
+<!entity sepgsql         SYSTEM "sepgsql.sgml">
 <!entity sslinfo         SYSTEM "sslinfo.sgml">
 <!entity tablefunc       SYSTEM "tablefunc.sgml">
 <!entity test-parser     SYSTEM "test-parser.sgml">

--- a/doc/src/sgml/sepgsql.sgml
+++ b/doc/src/sgml/sepgsql.sgml
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@@ -158,6 +158,7 @@ with_python	= @with_python@
 with_tcl	= @with_tcl@
 with_openssl	= @with_openssl@
 with_ossp_uuid	= @with_ossp_uuid@
+with_selinux	= @with_selinux@
 with_libxml	= @with_libxml@
 with_libxslt	= @with_libxslt@
 with_system_tzdata = @with_system_tzdata@

--- a/src/test/regress/pg_regress.c
+++ b/src/test/regress/pg_regress.c
@@ -84,6 +84,7 @@ bool		debug = false;
 char	   *inputdir = ".";
 char	   *outputdir = ".";
 char	   *psqldir = PGBINDIR;
+char	   *launcher = NULL;
 static _stringlist *loadlanguage = NULL;
 static int	max_connections = 0;
 static char *encoding = NULL;
@@ -1871,6 +1872,7 @@ help(void)
 	printf(_("  --dlpath=DIR              look for dynamic libraries in DIR\n"));
 	printf(_("  --temp-install=DIR        create a temporary installation in DIR\n"));
 	printf(_("  --use-existing            use an existing installation\n"));
+	printf(_("  --launcher=CMD            use CMD as launcher of psql\n"));
 	printf(_("\n"));
 	printf(_("Options for \"temp-install\" mode:\n"));
 	printf(_("  --no-locale               use C locale\n"));
@@ -1922,6 +1924,7 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 		{"create-role", required_argument, NULL, 18},
 		{"temp-config", required_argument, NULL, 19},
 		{"use-existing", no_argument, NULL, 20},
+		{"launcher", required_argument, NULL, 21},
 		{NULL, 0, NULL, 0}
 	};

@@ -2015,6 +2018,9 @@ regression_main(int argc, char *argv[], init_function ifunc, test_function tfunc
 			case 20:
 				use_existing = true;
 				break;
+			case 21:
+				launcher = strdup(optarg);
+				break;
 			default:
 				/* getopt_long already emitted a complaint */
 				fprintf(stderr, _("\nTry \"%s -h\" for more information.\n"),

--- a/src/test/regress/pg_regress.h
+++ b/src/test/regress/pg_regress.h
@@ -41,6 +41,7 @@ extern _stringlist *dblist;
 extern bool debug;
 extern char *inputdir;
 extern char *outputdir;
+extern char *launcher;

 /*
 * This should not be global but every module should be able to read command

--- a/src/test/regress/pg_regress_main.c
+++ b/src/test/regress/pg_regress_main.c
@@ -33,6 +33,7 @@ psql_start_test(const char *testname,
 	char		outfile[MAXPGPATH];
 	char		expectfile[MAXPGPATH];
 	char		psql_cmd[MAXPGPATH * 3];
+	size_t		offset = 0;

 	/*
 	 * Look for files in the output dir first, consistent with a vpath search.
@@ -58,7 +59,11 @@ psql_start_test(const char *testname,
 	add_stringlist_item(resultfiles, outfile);
 	add_stringlist_item(expectfiles, expectfile);

-	snprintf(psql_cmd, sizeof(psql_cmd),
+	if (launcher)
+		offset += snprintf(psql_cmd + offset, sizeof(psql_cmd) - offset,
+						   "%s ", launcher);
+
+	snprintf(psql_cmd + offset, sizeof(psql_cmd) - offset,
 			 SYSTEMQUOTE "\"%s%spsql\" -X -a -q -d \"%s\" < \"%s\" > \"%s\" 2>&1" SYSTEMQUOTE,
 			 psqldir ? psqldir : "",
 			 psqldir ? "/" : "",