diff options
Diffstat (limited to 'doc/src/sgml/man7/SECURITY_LABEL.7')
-rw-r--r-- | doc/src/sgml/man7/SECURITY_LABEL.7 | 198 |
1 files changed, 198 insertions, 0 deletions
diff --git a/doc/src/sgml/man7/SECURITY_LABEL.7 b/doc/src/sgml/man7/SECURITY_LABEL.7 new file mode 100644 index 0000000..7906f20 --- /dev/null +++ b/doc/src/sgml/man7/SECURITY_LABEL.7 @@ -0,0 +1,198 @@ +'\" t +.\" Title: SECURITY LABEL +.\" Author: The PostgreSQL Global Development Group +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 2023 +.\" Manual: PostgreSQL 15.4 Documentation +.\" Source: PostgreSQL 15.4 +.\" Language: English +.\" +.TH "SECURITY LABEL" "7" "2023" "PostgreSQL 15.4" "PostgreSQL 15.4 Documentation" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +SECURITY_LABEL \- define or change a security label applied to an object +.SH "SYNOPSIS" +.sp +.nf +SECURITY LABEL [ FOR \fIprovider\fR ] ON +{ + TABLE \fIobject_name\fR | + COLUMN \fItable_name\fR\&.\fIcolumn_name\fR | + AGGREGATE \fIaggregate_name\fR ( \fIaggregate_signature\fR ) | + DATABASE \fIobject_name\fR | + DOMAIN \fIobject_name\fR | + EVENT TRIGGER \fIobject_name\fR | + FOREIGN TABLE \fIobject_name\fR + FUNCTION \fIfunction_name\fR [ ( [ [ \fIargmode\fR ] [ \fIargname\fR ] \fIargtype\fR [, \&.\&.\&.] ] ) ] | + LARGE OBJECT \fIlarge_object_oid\fR | + MATERIALIZED VIEW \fIobject_name\fR | + [ PROCEDURAL ] LANGUAGE \fIobject_name\fR | + PROCEDURE \fIprocedure_name\fR [ ( [ [ \fIargmode\fR ] [ \fIargname\fR ] \fIargtype\fR [, \&.\&.\&.] ] ) ] | + PUBLICATION \fIobject_name\fR | + ROLE \fIobject_name\fR | + ROUTINE \fIroutine_name\fR [ ( [ [ \fIargmode\fR ] [ \fIargname\fR ] \fIargtype\fR [, \&.\&.\&.] ] ) ] | + SCHEMA \fIobject_name\fR | + SEQUENCE \fIobject_name\fR | + SUBSCRIPTION \fIobject_name\fR | + TABLESPACE \fIobject_name\fR | + TYPE \fIobject_name\fR | + VIEW \fIobject_name\fR +} IS { \fIstring_literal\fR | NULL } + +where \fIaggregate_signature\fR is: + +* | +[ \fIargmode\fR ] [ \fIargname\fR ] \fIargtype\fR [ , \&.\&.\&. ] | +[ [ \fIargmode\fR ] [ \fIargname\fR ] \fIargtype\fR [ , \&.\&.\&. ] ] ORDER BY [ \fIargmode\fR ] [ \fIargname\fR ] \fIargtype\fR [ , \&.\&.\&. ] +.fi +.SH "DESCRIPTION" +.PP +\fBSECURITY LABEL\fR +applies a security label to a database object\&. An arbitrary number of security labels, one per label provider, can be associated with a given database object\&. Label providers are loadable modules which register themselves by using the function +\fBregister_label_provider\fR\&. +.if n \{\ +.sp +.\} +.RS 4 +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.br +.ps +1 +\fBNote\fR +.ps -1 +.br +.PP +\fBregister_label_provider\fR +is not an SQL function; it can only be called from C code loaded into the backend\&. +.sp .5v +.RE +.PP +The label provider determines whether a given label is valid and whether it is permissible to assign that label to a given object\&. The meaning of a given label is likewise at the discretion of the label provider\&. +PostgreSQL +places no restrictions on whether or how a label provider must interpret security labels; it merely provides a mechanism for storing them\&. In practice, this facility is intended to allow integration with label\-based mandatory access control (MAC) systems such as +SELinux\&. Such systems make all access control decisions based on object labels, rather than traditional discretionary access control (DAC) concepts such as users and groups\&. +.SH "PARAMETERS" +.PP +\fIobject_name\fR +.br +\fItable_name\&.column_name\fR +.br +\fIaggregate_name\fR +.br +\fIfunction_name\fR +.br +\fIprocedure_name\fR +.br +\fIroutine_name\fR +.RS 4 +The name of the object to be labeled\&. Names of objects that reside in schemas (tables, functions, etc\&.) can be schema\-qualified\&. +.RE +.PP +\fIprovider\fR +.RS 4 +The name of the provider with which this label is to be associated\&. The named provider must be loaded and must consent to the proposed labeling operation\&. If exactly one provider is loaded, the provider name may be omitted for brevity\&. +.RE +.PP +\fIargmode\fR +.RS 4 +The mode of a function, procedure, or aggregate argument: +IN, +OUT, +INOUT, or +VARIADIC\&. If omitted, the default is +IN\&. Note that +\fBSECURITY LABEL\fR +does not actually pay any attention to +OUT +arguments, since only the input arguments are needed to determine the function\*(Aqs identity\&. So it is sufficient to list the +IN, +INOUT, and +VARIADIC +arguments\&. +.RE +.PP +\fIargname\fR +.RS 4 +The name of a function, procedure, or aggregate argument\&. Note that +\fBSECURITY LABEL\fR +does not actually pay any attention to argument names, since only the argument data types are needed to determine the function\*(Aqs identity\&. +.RE +.PP +\fIargtype\fR +.RS 4 +The data type of a function, procedure, or aggregate argument\&. +.RE +.PP +\fIlarge_object_oid\fR +.RS 4 +The OID of the large object\&. +.RE +.PP +PROCEDURAL +.RS 4 +This is a noise word\&. +.RE +.PP +\fIstring_literal\fR +.RS 4 +The new setting of the security label, written as a string literal\&. +.RE +.PP +NULL +.RS 4 +Write +NULL +to drop the security label\&. +.RE +.SH "EXAMPLES" +.PP +The following example shows how the security label of a table could be set or changed: +.sp +.if n \{\ +.RS 4 +.\} +.nf +SECURITY LABEL FOR selinux ON TABLE mytable IS \*(Aqsystem_u:object_r:sepgsql_table_t:s0\*(Aq; +.fi +.if n \{\ +.RE +.\} +.sp +To remove the label: +.sp +.if n \{\ +.RS 4 +.\} +.nf +SECURITY LABEL FOR selinux ON TABLE mytable IS NULL; +.fi +.if n \{\ +.RE +.\} +.sp +.SH "COMPATIBILITY" +.PP +There is no +\fBSECURITY LABEL\fR +command in the SQL standard\&. +.SH "SEE ALSO" +sepgsql, src/test/modules/dummy_seclabel |