<productname>SELinux</productname>. A typical display is:
<screen>
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
</screen>
If <productname>SELinux</productname> is disabled or not installed, you must set
it up before installing this module.
</para>
<para>
To build this module, specify <xref
linkend="configure-option-with-sepgsql"/> (when using <link
linkend="install-make">make and autoconf</link>) or <xref
linkend="configure-with-sepgsql-meson"/> (when using <link
linkend="install-meson">meson</link>).
Be sure that the <filename>libselinux-devel</filename> RPM is installed at
build time.
</para>
<para>
To use this module, you must include <literal>sepgsql</literal>
in the <xref linkend="guc-shared-preload-libraries"/> parameter in
<filename>postgresql.conf</filename>. The module will not function correctly
if loaded in any other manner. Once the module is loaded, you
should execute <filename>sepgsql.sql</filename> in each database.
This will install functions needed for security label management, and
assign initial security labels.
</para>
<para>
Here is an example showing how to initialize a fresh database cluster
with <filename>sepgsql</filename> functions and security labels installed.
Adjust the paths shown as appropriate for your installation:
</para>
<screen>
$ export PGDATA=/path/to/data/directory
$ initdb
$ vi $PGDATA/postgresql.conf
  change
    #shared_preload_libraries = ''                # (change requires restart)
  to
    shared_preload_libraries = 'sepgsql'          # (change requires restart)
$ for DBNAME in template0 template1 postgres; do
    postgres --single -F -c exit_on_error=true $DBNAME \
      &lt;/usr/local/pgsql/share/contrib/sepgsql.sql &gt;/dev/null
  done
</screen>
<para>
Please note that you may see some or all of the following notifications
depending on the particular versions you have of
<productname>libselinux</productname> and <productname>selinux-policy</productname>:
<screen>
/etc/selinux/targeted/contexts/sepgsql_contexts: line 33 has invalid object type db_blobs
/etc/selinux/targeted/contexts/sepgsql_contexts: line 36 has invalid object type db_language
/etc/selinux/targeted/contexts/sepgsql_contexts: line 37 has invalid object type db_language
/etc/selinux/targeted/contexts/sepgsql_contexts: line 38 has invalid object type db_language
/etc/selinux/targeted/contexts/sepgsql_contexts: line 39 has invalid object type db_language
/etc/selinux/targeted/contexts/sepgsql_contexts: line 40 has invalid object type db_language
</screen>
These messages are harmless and should be ignored.
</para>
<para>
If the installation process completes without error, you can now start the
server normally.
</para>
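<para>
The following preflight script is an added example, not part of the
<productname>PostgreSQL</productname> documentation or the
<filename>sepgsql</filename> sources. It checks the two prerequisites described
above before the server is started: that <literal>sestatus</literal> reports
SELinux as enabled, and that <filename>postgresql.conf</filename> lists
<literal>sepgsql</literal> in <literal>shared_preload_libraries</literal>. The
function names are hypothetical.
</para>

```shell
#!/bin/sh
# Added example: preflight checks for the sepgsql prerequisites described above.
# Usage: . ./preflight.sh; sepgsql_preflight "$PGDATA/postgresql.conf"

# selinux_enabled: reads `sestatus` output on stdin; succeeds only if the
# "SELinux status" line says "enabled" (missing or disabled both fail).
selinux_enabled() {
    awk -F: '
        $1 ~ /^SELinux status[ \t]*$/ {
            gsub(/[ \t]/, "", $2)
            if ($2 == "enabled") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# preload_has_sepgsql FILE: succeeds if the last uncommented
# shared_preload_libraries entry in FILE lists sepgsql (later entries win).
preload_has_sepgsql() {
    awk -v q="'" '
        /^[ \t]*shared_preload_libraries[ \t=]/ {
            val = $0
            sub(/^[ \t]*shared_preload_libraries[ \t]*=?/, "", val)
            sub(/#.*$/, "", val)                # trailing comment
            gsub("[ \t\"" q "]", "", val)       # blanks and quotes
            last = val
        }
        END {
            n = split(last, libs, ",")
            for (i = n; i != 0; i--) {
                sub(/^.*\//, "", libs[i])       # allow $libdir/sepgsql
                if (libs[i] == "sepgsql") ok = 1
            }
            exit (ok ? 0 : 1)
        }' "$1"
}

# sepgsql_preflight CONF: runs both checks and reports every failure.
sepgsql_preflight() {
    rc=0
    if ! sestatus | selinux_enabled; then
        echo "FAIL: SELinux is not enabled; set it up before installing sepgsql"
        rc=1
    fi
    if ! preload_has_sepgsql "$1"; then
        echo "FAIL: shared_preload_libraries in $1 does not list sepgsql"
        rc=1
    fi
    return "$rc"
}
```

<para>
The script reads only the file it is given, so a value set in an included file
or in <filename>postgresql.auto.conf</filename> is not seen.
</para>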
</sect2>
<sect2 id="sepgsql-regression">
<title>Regression Tests</title>
<para>
The <filename>sepgsql</filename> test suite is run if
<literal>PG_TEST_EXTRA</literal> contains <literal>sepgsql</literal> (see
<xref linkend="regress-additional"/>). This method is suitable during
development of <productname>PostgreSQL</productname>. Alternatively, there
is a way to run the tests to check whether a database instance has been
set up properly for <literal>sepgsql</literal>.
</para>
<para>
Due to the nature of <productname>SELinux</productname>, running the
regression tests for <filename>sepgsql</filename> requires several extra
configuration steps, some of which must be done as root.
</para>
<para>
The manual tests must be run in the <filename>contrib/sepgsql</filename> directory
of a configured PostgreSQL build tree. Although they require a build tree,
the tests are designed to be executed against an installed server,