SECURITY LABEL

SECURITY LABEL
Prev	Up	SQL Commands	Home	Next

SECURITY LABEL — define or change a security label applied to an object

Synopsis

+SECURITY LABEL [ FOR provider ] ON
+{
+  TABLE object_name |
+  COLUMN table_name.column_name |
+  AGGREGATE aggregate_name ( aggregate_signature ) |
+  DATABASE object_name |
+  DOMAIN object_name |
+  EVENT TRIGGER object_name |
+  FOREIGN TABLE object_name
+  FUNCTION function_name [ ( [ [ argmode ] [ argname ] argtype [, ...] ] ) ] |
+  LARGE OBJECT large_object_oid |
+  MATERIALIZED VIEW object_name |
+  [ PROCEDURAL ] LANGUAGE object_name |
+  PROCEDURE procedure_name [ ( [ [ argmode ] [ argname ] argtype [, ...] ] ) ] |
+  PUBLICATION object_name |
+  ROLE object_name |
+  ROUTINE routine_name [ ( [ [ argmode ] [ argname ] argtype [, ...] ] ) ] |
+  SCHEMA object_name |
+  SEQUENCE object_name |
+  SUBSCRIPTION object_name |
+  TABLESPACE object_name |
+  TYPE object_name |
+  VIEW object_name
+} IS { string_literal | NULL }
+
+where aggregate_signature is:
+
+* |
+[ argmode ] [ argname ] argtype [ , ... ] |
+[ [ argmode ] [ argname ] argtype [ , ... ] ] ORDER BY [ argmode ] [ argname ] argtype [ , ... ]
+

Description

+ SECURITY LABEL applies a security label to a database + object. An arbitrary number of security labels, one per label provider, can + be associated with a given database object. Label providers are loadable + modules which register themselves by using the function + register_label_provider. +

Note

+ register_label_provider is not an SQL function; it can + only be called from C code loaded into the backend. +

+ The label provider determines whether a given label is valid and whether + it is permissible to assign that label to a given object. The meaning of a + given label is likewise at the discretion of the label provider. + PostgreSQL places no restrictions on whether or how a + label provider must interpret security labels; it merely provides a + mechanism for storing them. In practice, this facility is intended to allow + integration with label-based mandatory access control (MAC) systems such as + SELinux. Such systems make all access control decisions + based on object labels, rather than traditional discretionary access control + (DAC) concepts such as users and groups. +

Parameters

object_name table_name.column_name aggregate_name function_name procedure_name routine_name: + The name of the object to be labeled. Names of objects that reside in + schemas (tables, functions, etc.) can be schema-qualified. +
provider: + The name of the provider with which this label is to be associated. The + named provider must be loaded and must consent to the proposed labeling + operation. If exactly one provider is loaded, the provider name may be + omitted for brevity. +
argmode: + The mode of a function, procedure, or aggregate + argument: IN, OUT, + INOUT, or VARIADIC. + If omitted, the default is IN. + Note that SECURITY LABEL does not actually + pay any attention to OUT arguments, since only the input + arguments are needed to determine the function's identity. + So it is sufficient to list the IN, INOUT, + and VARIADIC arguments. +
argname: + The name of a function, procedure, or aggregate argument. + Note that SECURITY LABEL does not actually + pay any attention to argument names, since only the argument data + types are needed to determine the function's identity. +
argtype: + The data type of a function, procedure, or aggregate argument. +
large_object_oid: + The OID of the large object. +
PROCEDURAL: + This is a noise word. +
string_literal: + The new setting of the security label, written as a string literal. +
NULL: + Write NULL to drop the security label. +

Examples

+ The following example shows how the security label of a table could + be set or changed: + +

+SECURITY LABEL FOR selinux ON TABLE mytable IS 'system_u:object_r:sepgsql_table_t:s0';
+

+ + To remove the label: + +

+SECURITY LABEL FOR selinux ON TABLE mytable IS NULL;
+

Compatibility

+ There is no SECURITY LABEL command in the SQL standard. +