diff --git a/contrib/sepgsql/selinux.c b/contrib/sepgsql/selinux.c
index f11968bcaa..e54695d9cb 100644
--- a/contrib/sepgsql/selinux.c
+++ b/contrib/sepgsql/selinux.c
@@ -676,6 +676,7 @@ sepgsql_getenforce(void)
 */
 void
 sepgsql_audit_log(bool denied,
+ bool enforcing,
 const char *scontext,
 const char *tcontext,
 uint16 tclass,
@@ -713,6 +714,9 @@ sepgsql_audit_log(bool denied,
 if (audit_name)
 appendStringInfo(&buf, " name=\"%s\"", audit_name);
+ if (!enforcing)
+ appendStringInfo(&buf, " permissive=1");
+
 ereport(LOG, (errmsg("SELinux: %s", buf.data)));
 }
@@ -907,6 +911,7 @@ sepgsql_check_perms(const char *scontext,
 uint32 denied;
 uint32 audited;
 bool result = true;
+ bool enforcing;
 sepgsql_compute_avd(scontext, tcontext, tclass, &avd);
@@ -918,9 +923,10 @@ sepgsql_check_perms(const char *scontext,
 audited = (denied ? (denied & avd.auditdeny) : (required & avd.auditallow));
- if (denied &&
- sepgsql_getenforce() > 0 &&
- (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0)
+ enforcing = sepgsql_getenforce() > 0 &&
+ (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0;
+
+ if (denied && enforcing)
 result = false;
 /*
@@ -930,6 +936,7 @@ sepgsql_check_perms(const char *scontext,
 if (audited && sepgsql_mode != SEPGSQL_MODE_INTERNAL)
 {
 sepgsql_audit_log(denied,
+ enforcing,
 scontext,
 tcontext,
 tclass,
diff --git a/contrib/sepgsql/sepgsql.h b/contrib/sepgsql/sepgsql.h
index 2193734267..5fe2cd2d45 100644
--- a/contrib/sepgsql/sepgsql.h
+++ b/contrib/sepgsql/sepgsql.h
@@ -227,6 +227,7 @@ extern int sepgsql_set_mode(int new_mode);
 extern bool sepgsql_getenforce(void);
 extern void sepgsql_audit_log(bool denied,
+ bool enforcing,
 const char *scontext,
 const char *tcontext,
 uint16 tclass,
diff --git a/contrib/sepgsql/uavc.c b/contrib/sepgsql/uavc.c
index 4cc48d5f82..3229a2aac4 100644
--- a/contrib/sepgsql/uavc.c
+++ b/contrib/sepgsql/uavc.c
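Review bot: The new `enforcing` parameter of sepgsql_audit_log is not described in the function's comment block, whose closing `*/` is the first context line of this hunk; the rest of that comment and the function body lie outside the hunk. Because `denied` and `enforcing` are adjacent bool parameters, a transposed argument at a call site compiles silently, so the contract deserves a line in that comment, e.g. `enforcing: false when the decision is not enforced (global permissive mode, or the source domain is permissive); such records are tagged permissive=1`. The same adjacency applies to the sepgsql_check_perms call site later in this file and to the uavc.c call site, where the argument is a compound expression.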
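Review bot: The `permissive=1` tag added after the `name=` field is appended to every audited record when not enforcing, including granted accesses logged via auditallow (see the `audited = (denied ? ... : (required & avd.auditallow))` context in the sepgsql_check_perms hunk), while a denial under enforcing mode carries no `permissive=` field at all. As far as I recall, the kernel AVC record emits `permissive=0`/`permissive=1` only on denials, so tooling that keys on that field may treat the two formats differently; if matching the kernel layout is the goal, `if (denied) appendStringInfo(&buf, " permissive=%d", enforcing ? 0 : 1);` would do it. If the current form is intended, a comment on the new `if (!enforcing)` line saying that granted-but-audited records are tagged too would stop a later reader from "fixing" it. sepgsql_audit_log's body continues outside the hunk on both sides.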
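Review bot: The new `enforcing = sepgsql_getenforce() > 0 && ...` keeps the `> 0` comparison inherited from the removed condition, but sepgsql_getenforce() is declared `bool` in the sepgsql.h hunk on this page, and the uavc.c call site written in this same change uses plain `sepgsql_getenforce() && !cache->permissive`. Dropping it, `enforcing = sepgsql_getenforce() && (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0;`, makes the two sites read the same way. A one-line comment above the assignment, `/* enforcing: global enforcing mode and the source domain is not permissive */`, would also explain why both the access decision and the audit record now consume this single folded flag. sepgsql_check_perms starts before this hunk and continues after it.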
@@ -399,6 +399,7 @@ sepgsql_avc_check_perms_label(const char *tcontext,
 sepgsql_get_mode() != SEPGSQL_MODE_INTERNAL)
 {
 sepgsql_audit_log(denied != 0,
+ (sepgsql_getenforce() && !cache->permissive),
 cache->scontext,
 cache->tcontext_is_valid ? cache->tcontext : sepgsql_avc_unlabeled(),