SQLite is the most widely deployed in-process library that implements a SQL database engine. It offers high storage efficiency, fast query operation and small memory needs. Due to the fact that a complete SQLite database is stored in a single cross-platform disk file and SQLite does not support multiple users, anyone who has direct access to the file can read the whole database content.

SELinux was originally developed as a Mandatory Access Control (MAC) mechanism for Linux to demonstrate how to overcome DAC limitations. However, SELinux provides per-file protection, thus the database file is treated as an atomic unit, impeding the definition of a fine-grained mandatory access control (MAC) policy for database objects.

SeSQLite is a SQLite extension that integrates SELinux access controls into SQLite with minimal performance and storage overhead. SeSQLite implements labeling and access control at both schema level (for tables and columns) and row level. This permits the management of a fine-grained access policy for database objects.

Source Code

The source code is available on GitHub. Star the project on GitHub to receive updates on future releases.

SeSQLite is still in an alpha version, but the core functionalities of SQL are provided and integrated with the Mandatory Access Control checks provided by SELinux.


The SeSQLite project won a Google Award in the Winter 2014 branch.

Project Publications

Extending Mandatory Access Control Policies in Android

Stefano Paraboschi, Enrico Bacis, Simone Mutti

in 11th International Conference on Information Systems Security (ICISS 2015)


SeSQLite: Security Enhanced SQLite

Simone Mutti, Enrico Bacis and Stefano Paraboschi

in 31st Annual Computer Security Applications Conference (ACSAC 2015)


Policy Specialization to Support Domain Isolation

Simone Mutti, Enrico Bacis and Stefano Paraboschi

in 8th Workshop on Automated Decision Making for Active Cyber Defense (SafeConfig 2015)


An SELinux-based Intent manager for Android

Simone Mutti, Enrico Bacis and Stefano Paraboschi

in Communications and Network Security (CNS), 2015 IEEE Conference, 2015


IEEE CNS'15 Best Poster Award

AppPolicyModules: Mandatory Access Control for Third-Party Apps

Enrico Bacis, Simone Mutti and Stefano Paraboschi

in 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2015)