summaryrefslogtreecommitdiffstats
path: root/doc/src/sgml/html/sql-security-label.html
diff options
context:
space:
mode:
Diffstat (limited to 'doc/src/sgml/html/sql-security-label.html')
-rw-r--r--doc/src/sgml/html/sql-security-label.html101
1 files changed, 101 insertions, 0 deletions
diff --git a/doc/src/sgml/html/sql-security-label.html b/doc/src/sgml/html/sql-security-label.html
new file mode 100644
index 0000000..7afce28
--- /dev/null
+++ b/doc/src/sgml/html/sql-security-label.html
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SECURITY LABEL</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="sql-savepoint.html" title="SAVEPOINT" /><link rel="next" href="sql-select.html" title="SELECT" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">SECURITY LABEL</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="sql-savepoint.html" title="SAVEPOINT">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="sql-commands.html" title="SQL Commands">Up</a></td><th width="60%" align="center">SQL Commands</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 15.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="sql-select.html" title="SELECT">Next</a></td></tr></table><hr /></div><div class="refentry" id="SQL-SECURITY-LABEL"><div class="titlepage"></div><a id="id-1.9.3.171.1" class="indexterm"></a><div class="refnamediv"><h2><span class="refentrytitle">SECURITY LABEL</span></h2><p>SECURITY LABEL — define or change a security label applied to an object</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><pre class="synopsis">
+SECURITY LABEL [ FOR <em class="replaceable"><code>provider</code></em> ] ON
+{
+ TABLE <em class="replaceable"><code>object_name</code></em> |
+ COLUMN <em class="replaceable"><code>table_name</code></em>.<em class="replaceable"><code>column_name</code></em> |
+ AGGREGATE <em class="replaceable"><code>aggregate_name</code></em> ( <em class="replaceable"><code>aggregate_signature</code></em> ) |
+ DATABASE <em class="replaceable"><code>object_name</code></em> |
+ DOMAIN <em class="replaceable"><code>object_name</code></em> |
+ EVENT TRIGGER <em class="replaceable"><code>object_name</code></em> |
+ FOREIGN TABLE <em class="replaceable"><code>object_name</code></em>
+ FUNCTION <em class="replaceable"><code>function_name</code></em> [ ( [ [ <em class="replaceable"><code>argmode</code></em> ] [ <em class="replaceable"><code>argname</code></em> ] <em class="replaceable"><code>argtype</code></em> [, ...] ] ) ] |
+ LARGE OBJECT <em class="replaceable"><code>large_object_oid</code></em> |
+ MATERIALIZED VIEW <em class="replaceable"><code>object_name</code></em> |
+ [ PROCEDURAL ] LANGUAGE <em class="replaceable"><code>object_name</code></em> |
+ PROCEDURE <em class="replaceable"><code>procedure_name</code></em> [ ( [ [ <em class="replaceable"><code>argmode</code></em> ] [ <em class="replaceable"><code>argname</code></em> ] <em class="replaceable"><code>argtype</code></em> [, ...] ] ) ] |
+ PUBLICATION <em class="replaceable"><code>object_name</code></em> |
+ ROLE <em class="replaceable"><code>object_name</code></em> |
+ ROUTINE <em class="replaceable"><code>routine_name</code></em> [ ( [ [ <em class="replaceable"><code>argmode</code></em> ] [ <em class="replaceable"><code>argname</code></em> ] <em class="replaceable"><code>argtype</code></em> [, ...] ] ) ] |
+ SCHEMA <em class="replaceable"><code>object_name</code></em> |
+ SEQUENCE <em class="replaceable"><code>object_name</code></em> |
+ SUBSCRIPTION <em class="replaceable"><code>object_name</code></em> |
+ TABLESPACE <em class="replaceable"><code>object_name</code></em> |
+ TYPE <em class="replaceable"><code>object_name</code></em> |
+ VIEW <em class="replaceable"><code>object_name</code></em>
+} IS { <em class="replaceable"><code>string_literal</code></em> | NULL }
+
+<span class="phrase">where <em class="replaceable"><code>aggregate_signature</code></em> is:</span>
+
+* |
+[ <em class="replaceable"><code>argmode</code></em> ] [ <em class="replaceable"><code>argname</code></em> ] <em class="replaceable"><code>argtype</code></em> [ , ... ] |
+[ [ <em class="replaceable"><code>argmode</code></em> ] [ <em class="replaceable"><code>argname</code></em> ] <em class="replaceable"><code>argtype</code></em> [ , ... ] ] ORDER BY [ <em class="replaceable"><code>argmode</code></em> ] [ <em class="replaceable"><code>argname</code></em> ] <em class="replaceable"><code>argtype</code></em> [ , ... ]
+</pre></div><div class="refsect1" id="id-1.9.3.171.5"><h2>Description</h2><p>
+ <code class="command">SECURITY LABEL</code> applies a security label to a database
+ object. An arbitrary number of security labels, one per label provider, can
+ be associated with a given database object. Label providers are loadable
+ modules which register themselves by using the function
+ <code class="function">register_label_provider</code>.
+ </p><div class="note"><h3 class="title">Note</h3><p>
+ <code class="function">register_label_provider</code> is not an SQL function; it can
+ only be called from C code loaded into the backend.
+ </p></div><p>
+ The label provider determines whether a given label is valid and whether
+ it is permissible to assign that label to a given object. The meaning of a
+ given label is likewise at the discretion of the label provider.
+ <span class="productname">PostgreSQL</span> places no restrictions on whether or how a
+ label provider must interpret security labels; it merely provides a
+ mechanism for storing them. In practice, this facility is intended to allow
+ integration with label-based mandatory access control (MAC) systems such as
+ <span class="productname">SELinux</span>. Such systems make all access control decisions
+ based on object labels, rather than traditional discretionary access control
+ (DAC) concepts such as users and groups.
+ </p></div><div class="refsect1" id="id-1.9.3.171.6"><h2>Parameters</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><em class="replaceable"><code>object_name</code></em><br /></span><span class="term"><em class="replaceable"><code>table_name.column_name</code></em><br /></span><span class="term"><em class="replaceable"><code>aggregate_name</code></em><br /></span><span class="term"><em class="replaceable"><code>function_name</code></em><br /></span><span class="term"><em class="replaceable"><code>procedure_name</code></em><br /></span><span class="term"><em class="replaceable"><code>routine_name</code></em></span></dt><dd><p>
+ The name of the object to be labeled. Names of objects that reside in
+ schemas (tables, functions, etc.) can be schema-qualified.
+ </p></dd><dt><span class="term"><em class="replaceable"><code>provider</code></em></span></dt><dd><p>
+ The name of the provider with which this label is to be associated. The
+ named provider must be loaded and must consent to the proposed labeling
+ operation. If exactly one provider is loaded, the provider name may be
+ omitted for brevity.
+ </p></dd><dt><span class="term"><em class="replaceable"><code>argmode</code></em></span></dt><dd><p>
+ The mode of a function, procedure, or aggregate
+ argument: <code class="literal">IN</code>, <code class="literal">OUT</code>,
+ <code class="literal">INOUT</code>, or <code class="literal">VARIADIC</code>.
+ If omitted, the default is <code class="literal">IN</code>.
+ Note that <code class="command">SECURITY LABEL</code> does not actually
+ pay any attention to <code class="literal">OUT</code> arguments, since only the input
+ arguments are needed to determine the function's identity.
+ So it is sufficient to list the <code class="literal">IN</code>, <code class="literal">INOUT</code>,
+ and <code class="literal">VARIADIC</code> arguments.
+ </p></dd><dt><span class="term"><em class="replaceable"><code>argname</code></em></span></dt><dd><p>
+ The name of a function, procedure, or aggregate argument.
+ Note that <code class="command">SECURITY LABEL</code> does not actually
+ pay any attention to argument names, since only the argument data
+ types are needed to determine the function's identity.
+ </p></dd><dt><span class="term"><em class="replaceable"><code>argtype</code></em></span></dt><dd><p>
+ The data type of a function, procedure, or aggregate argument.
+ </p></dd><dt><span class="term"><em class="replaceable"><code>large_object_oid</code></em></span></dt><dd><p>
+ The OID of the large object.
+ </p></dd><dt><span class="term"><code class="literal">PROCEDURAL</code></span></dt><dd><p>
+ This is a noise word.
+ </p></dd><dt><span class="term"><em class="replaceable"><code>string_literal</code></em></span></dt><dd><p>
+ The new setting of the security label, written as a string literal.
+ </p></dd><dt><span class="term"><code class="literal">NULL</code></span></dt><dd><p>
+ Write <code class="literal">NULL</code> to drop the security label.
+ </p></dd></dl></div></div><div class="refsect1" id="id-1.9.3.171.7"><h2>Examples</h2><p>
+ The following example shows how the security label of a table could
+ be set or changed:
+
+</p><pre class="programlisting">
+SECURITY LABEL FOR selinux ON TABLE mytable IS 'system_u:object_r:sepgsql_table_t:s0';
+</pre><p>
+
+ To remove the label:
+
+</p><pre class="programlisting">
+SECURITY LABEL FOR selinux ON TABLE mytable IS NULL;
+</pre><p>
+ </p></div><div class="refsect1" id="id-1.9.3.171.8"><h2>Compatibility</h2><p>
+ There is no <code class="command">SECURITY LABEL</code> command in the SQL standard.
+ </p></div><div class="refsect1" id="id-1.9.3.171.9"><h2>See Also</h2><span class="simplelist"><a class="xref" href="sepgsql.html" title="F.40. sepgsql">sepgsql</a>, <code class="filename">src/test/modules/dummy_seclabel</code></span></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sql-savepoint.html" title="SAVEPOINT">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sql-commands.html" title="SQL Commands">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sql-select.html" title="SELECT">Next</a></td></tr><tr><td width="40%" align="left" valign="top">SAVEPOINT </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 15.4 Documentation">Home</a></td><td width="40%" align="right" valign="top"> SELECT</td></tr></table></div></body></html> \ No newline at end of file
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-02 22:07:22 +0000