From 46651ce6fe013220ed397add242004d764fc0153 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 4 May 2024 14:15:05 +0200 Subject: Adding upstream version 14.5. Signed-off-by: Daniel Baumann --- doc/src/sgml/html/sql-security-label.html | 93 +++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 doc/src/sgml/html/sql-security-label.html (limited to 'doc/src/sgml/html/sql-security-label.html') diff --git a/doc/src/sgml/html/sql-security-label.html b/doc/src/sgml/html/sql-security-label.html new file mode 100644 index 0000000..0a09725 --- /dev/null +++ b/doc/src/sgml/html/sql-security-label.html @@ -0,0 +1,93 @@ + +SECURITY LABEL

SECURITY LABEL

SECURITY LABEL — define or change a security label applied to an object

Synopsis

+SECURITY LABEL [ FOR provider ] ON
+{
+  TABLE object_name |
+  COLUMN table_name.column_name |
+  AGGREGATE aggregate_name ( aggregate_signature ) |
+  DATABASE object_name |
+  DOMAIN object_name |
+  EVENT TRIGGER object_name |
+  FOREIGN TABLE object_name
+  FUNCTION function_name [ ( [ [ argmode ] [ argname ] argtype [, ...] ] ) ] |
+  LARGE OBJECT large_object_oid |
+  MATERIALIZED VIEW object_name |
+  [ PROCEDURAL ] LANGUAGE object_name |
+  PROCEDURE procedure_name [ ( [ [ argmode ] [ argname ] argtype [, ...] ] ) ] |
+  PUBLICATION object_name |
+  ROLE object_name |
+  ROUTINE routine_name [ ( [ [ argmode ] [ argname ] argtype [, ...] ] ) ] |
+  SCHEMA object_name |
+  SEQUENCE object_name |
+  SUBSCRIPTION object_name |
+  TABLESPACE object_name |
+  TYPE object_name |
+  VIEW object_name
+} IS 'label'
+
+where aggregate_signature is:
+
+* |
+[ argmode ] [ argname ] argtype [ , ... ] |
+[ [ argmode ] [ argname ] argtype [ , ... ] ] ORDER BY [ argmode ] [ argname ] argtype [ , ... ]
+

Description

+ SECURITY LABEL applies a security label to a database + object. An arbitrary number of security labels, one per label provider, can + be associated with a given database object. Label providers are loadable + modules which register themselves by using the function + register_label_provider. +

Note

+ register_label_provider is not an SQL function; it can + only be called from C code loaded into the backend. +

+ The label provider determines whether a given label is valid and whether + it is permissible to assign that label to a given object. The meaning of a + given label is likewise at the discretion of the label provider. + PostgreSQL places no restrictions on whether or how a + label provider must interpret security labels; it merely provides a + mechanism for storing them. In practice, this facility is intended to allow + integration with label-based mandatory access control (MAC) systems such as + SELinux. Such systems make all access control decisions + based on object labels, rather than traditional discretionary access control + (DAC) concepts such as users and groups. +

Parameters

object_name
table_name.column_name
aggregate_name
function_name
procedure_name
routine_name

+ The name of the object to be labeled. Names of objects that reside in + schemas (tables, functions, etc.) can be schema-qualified. +

provider

+ The name of the provider with which this label is to be associated. The + named provider must be loaded and must consent to the proposed labeling + operation. If exactly one provider is loaded, the provider name may be + omitted for brevity. +

argmode

+ The mode of a function, procedure, or aggregate + argument: IN, OUT, + INOUT, or VARIADIC. + If omitted, the default is IN. + Note that SECURITY LABEL does not actually + pay any attention to OUT arguments, since only the input + arguments are needed to determine the function's identity. + So it is sufficient to list the IN, INOUT, + and VARIADIC arguments. +

argname

+ The name of a function, procedure, or aggregate argument. + Note that SECURITY LABEL does not actually + pay any attention to argument names, since only the argument data + types are needed to determine the function's identity. +

argtype

+ The data type of a function, procedure, or aggregate argument. +

large_object_oid

+ The OID of the large object. +

PROCEDURAL

+ This is a noise word. +

label

+ The new security label, written as a string literal; or NULL + to drop the security label. +

Examples

+ The following example shows how the security label of a table might + be changed. + +

+SECURITY LABEL FOR selinux ON TABLE mytable IS 'system_u:object_r:sepgsql_table_t:s0';
+

Compatibility

+ There is no SECURITY LABEL command in the SQL standard. +

See Also

sepgsql, src/test/modules/dummy_seclabel
\ No newline at end of file -- cgit v1.2.3