diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 12:15:05 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 12:15:05 +0000 |
commit | 46651ce6fe013220ed397add242004d764fc0153 (patch) | |
tree | 6e5299f990f88e60174a1d3ae6e48eedd2688b2b /doc/src/sgml/html/sql-security-label.html | |
parent | Initial commit. (diff) | |
download | postgresql-14-upstream.tar.xz postgresql-14-upstream.zip |
Adding upstream version 14.5.upstream/14.5upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/src/sgml/html/sql-security-label.html')
-rw-r--r-- | doc/src/sgml/html/sql-security-label.html | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/doc/src/sgml/html/sql-security-label.html b/doc/src/sgml/html/sql-security-label.html new file mode 100644 index 0000000..0a09725 --- /dev/null +++ b/doc/src/sgml/html/sql-security-label.html @@ -0,0 +1,93 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SECURITY LABEL</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="sql-savepoint.html" title="SAVEPOINT" /><link rel="next" href="sql-select.html" title="SELECT" /></head><body id="docContent" class="container-fluid col-10"><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">SECURITY LABEL</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="sql-savepoint.html" title="SAVEPOINT">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="sql-commands.html" title="SQL Commands">Up</a></td><th width="60%" align="center">SQL Commands</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 14.5 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="sql-select.html" title="SELECT">Next</a></td></tr></table><hr></hr></div><div class="refentry" id="SQL-SECURITY-LABEL"><div class="titlepage"></div><a id="id-1.9.3.170.1" class="indexterm"></a><div class="refnamediv"><h2><span class="refentrytitle">SECURITY LABEL</span></h2><p>SECURITY LABEL — define or change a security label applied to an object</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><pre class="synopsis"> +SECURITY LABEL [ FOR <em class="replaceable"><code>provider</code></em> ] ON +{ + TABLE <em class="replaceable"><code>object_name</code></em> | + COLUMN <em class="replaceable"><code>table_name</code></em>.<em class="replaceable"><code>column_name</code></em> | + AGGREGATE <em class="replaceable"><code>aggregate_name</code></em> ( <em class="replaceable"><code>aggregate_signature</code></em> ) | + DATABASE <em class="replaceable"><code>object_name</code></em> | + DOMAIN <em class="replaceable"><code>object_name</code></em> | + EVENT TRIGGER <em class="replaceable"><code>object_name</code></em> | + FOREIGN TABLE <em class="replaceable"><code>object_name</code></em> + FUNCTION <em class="replaceable"><code>function_name</code></em> [ ( [ [ <em class="replaceable"><code>argmode</code></em> ] [ <em class="replaceable"><code>argname</code></em> ] <em class="replaceable"><code>argtype</code></em> [, ...] ] ) ] | + LARGE OBJECT <em class="replaceable"><code>large_object_oid</code></em> | + MATERIALIZED VIEW <em class="replaceable"><code>object_name</code></em> | + [ PROCEDURAL ] LANGUAGE <em class="replaceable"><code>object_name</code></em> | + PROCEDURE <em class="replaceable"><code>procedure_name</code></em> [ ( [ [ <em class="replaceable"><code>argmode</code></em> ] [ <em class="replaceable"><code>argname</code></em> ] <em class="replaceable"><code>argtype</code></em> [, ...] ] ) ] | + PUBLICATION <em class="replaceable"><code>object_name</code></em> | + ROLE <em class="replaceable"><code>object_name</code></em> | + ROUTINE <em class="replaceable"><code>routine_name</code></em> [ ( [ [ <em class="replaceable"><code>argmode</code></em> ] [ <em class="replaceable"><code>argname</code></em> ] <em class="replaceable"><code>argtype</code></em> [, ...] ] ) ] | + SCHEMA <em class="replaceable"><code>object_name</code></em> | + SEQUENCE <em class="replaceable"><code>object_name</code></em> | + SUBSCRIPTION <em class="replaceable"><code>object_name</code></em> | + TABLESPACE <em class="replaceable"><code>object_name</code></em> | + TYPE <em class="replaceable"><code>object_name</code></em> | + VIEW <em class="replaceable"><code>object_name</code></em> +} IS '<em class="replaceable"><code>label</code></em>' + +<span class="phrase">where <em class="replaceable"><code>aggregate_signature</code></em> is:</span> + +* | +[ <em class="replaceable"><code>argmode</code></em> ] [ <em class="replaceable"><code>argname</code></em> ] <em class="replaceable"><code>argtype</code></em> [ , ... ] | +[ [ <em class="replaceable"><code>argmode</code></em> ] [ <em class="replaceable"><code>argname</code></em> ] <em class="replaceable"><code>argtype</code></em> [ , ... ] ] ORDER BY [ <em class="replaceable"><code>argmode</code></em> ] [ <em class="replaceable"><code>argname</code></em> ] <em class="replaceable"><code>argtype</code></em> [ , ... ] +</pre></div><div class="refsect1" id="id-1.9.3.170.5"><h2>Description</h2><p> + <code class="command">SECURITY LABEL</code> applies a security label to a database + object. An arbitrary number of security labels, one per label provider, can + be associated with a given database object. Label providers are loadable + modules which register themselves by using the function + <code class="function">register_label_provider</code>. + </p><div class="note"><h3 class="title">Note</h3><p> + <code class="function">register_label_provider</code> is not an SQL function; it can + only be called from C code loaded into the backend. + </p></div><p> + The label provider determines whether a given label is valid and whether + it is permissible to assign that label to a given object. The meaning of a + given label is likewise at the discretion of the label provider. + <span class="productname">PostgreSQL</span> places no restrictions on whether or how a + label provider must interpret security labels; it merely provides a + mechanism for storing them. In practice, this facility is intended to allow + integration with label-based mandatory access control (MAC) systems such as + <span class="productname">SELinux</span>. Such systems make all access control decisions + based on object labels, rather than traditional discretionary access control + (DAC) concepts such as users and groups. + </p></div><div class="refsect1" id="id-1.9.3.170.6"><h2>Parameters</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><em class="replaceable"><code>object_name</code></em><br /></span><span class="term"><em class="replaceable"><code>table_name.column_name</code></em><br /></span><span class="term"><em class="replaceable"><code>aggregate_name</code></em><br /></span><span class="term"><em class="replaceable"><code>function_name</code></em><br /></span><span class="term"><em class="replaceable"><code>procedure_name</code></em><br /></span><span class="term"><em class="replaceable"><code>routine_name</code></em></span></dt><dd><p> + The name of the object to be labeled. Names of objects that reside in + schemas (tables, functions, etc.) can be schema-qualified. + </p></dd><dt><span class="term"><em class="replaceable"><code>provider</code></em></span></dt><dd><p> + The name of the provider with which this label is to be associated. The + named provider must be loaded and must consent to the proposed labeling + operation. If exactly one provider is loaded, the provider name may be + omitted for brevity. + </p></dd><dt><span class="term"><em class="replaceable"><code>argmode</code></em></span></dt><dd><p> + The mode of a function, procedure, or aggregate + argument: <code class="literal">IN</code>, <code class="literal">OUT</code>, + <code class="literal">INOUT</code>, or <code class="literal">VARIADIC</code>. + If omitted, the default is <code class="literal">IN</code>. + Note that <code class="command">SECURITY LABEL</code> does not actually + pay any attention to <code class="literal">OUT</code> arguments, since only the input + arguments are needed to determine the function's identity. + So it is sufficient to list the <code class="literal">IN</code>, <code class="literal">INOUT</code>, + and <code class="literal">VARIADIC</code> arguments. + </p></dd><dt><span class="term"><em class="replaceable"><code>argname</code></em></span></dt><dd><p> + The name of a function, procedure, or aggregate argument. + Note that <code class="command">SECURITY LABEL</code> does not actually + pay any attention to argument names, since only the argument data + types are needed to determine the function's identity. + </p></dd><dt><span class="term"><em class="replaceable"><code>argtype</code></em></span></dt><dd><p> + The data type of a function, procedure, or aggregate argument. + </p></dd><dt><span class="term"><em class="replaceable"><code>large_object_oid</code></em></span></dt><dd><p> + The OID of the large object. + </p></dd><dt><span class="term"><code class="literal">PROCEDURAL</code></span></dt><dd><p> + This is a noise word. + </p></dd><dt><span class="term"><em class="replaceable"><code>label</code></em></span></dt><dd><p> + The new security label, written as a string literal; or <code class="literal">NULL</code> + to drop the security label. + </p></dd></dl></div></div><div class="refsect1" id="id-1.9.3.170.7"><h2>Examples</h2><p> + The following example shows how the security label of a table might + be changed. + +</p><pre class="programlisting"> +SECURITY LABEL FOR selinux ON TABLE mytable IS 'system_u:object_r:sepgsql_table_t:s0'; +</pre></div><div class="refsect1" id="id-1.9.3.170.8"><h2>Compatibility</h2><p> + There is no <code class="command">SECURITY LABEL</code> command in the SQL standard. + </p></div><div class="refsect1" id="id-1.9.3.170.9"><h2>See Also</h2><span class="simplelist"><a class="xref" href="sepgsql.html" title="F.37. sepgsql">sepgsql</a>, <code class="filename">src/test/modules/dummy_seclabel</code></span></div></div><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navfooter"><hr></hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sql-savepoint.html" title="SAVEPOINT">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sql-commands.html" title="SQL Commands">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sql-select.html" title="SELECT">Next</a></td></tr><tr><td width="40%" align="left" valign="top">SAVEPOINT </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 14.5 Documentation">Home</a></td><td width="40%" align="right" valign="top"> SELECT</td></tr></table></div></body></html>
\ No newline at end of file |