Mini Shell
'\" t
.\" Title: SECURITY LABEL
.\" Author: The PostgreSQL Global Development Group
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2017-11-06
.\" Manual: PostgreSQL 9.2.24 Documentation
.\" Source: PostgreSQL 9.2.24
.\" Language: English
.\"
.TH "SECURITY LABEL" "7" "2017-11-06" "PostgreSQL 9.2.24" "PostgreSQL 9.2.24 Documentation"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
SECURITY_LABEL \- define or change a security label applied to an object
.\" SECURITY LABEL
.SH "SYNOPSIS"
.sp
.nf
SECURITY LABEL [ FOR \fIprovider\fR ] ON
{
TABLE \fIobject_name\fR |
COLUMN \fItable_name\fR\&.\fIcolumn_name\fR |
AGGREGATE \fIagg_name\fR (\fIagg_type\fR [, \&.\&.\&.] ) |
DATABASE \fIobject_name\fR |
DOMAIN \fIobject_name\fR |
FOREIGN TABLE \fIobject_name\fR
FUNCTION \fIfunction_name\fR ( [ [ \fIargmode\fR ] [ \fIargname\fR ] \fIargtype\fR [, \&.\&.\&.] ] ) |
LARGE OBJECT \fIlarge_object_oid\fR |
[ PROCEDURAL ] LANGUAGE \fIobject_name\fR |
ROLE \fIobject_name\fR |
SCHEMA \fIobject_name\fR |
SEQUENCE \fIobject_name\fR |
TABLESPACE \fIobject_name\fR |
TYPE \fIobject_name\fR |
VIEW \fIobject_name\fR
} IS \*(Aq\fIlabel\fR\*(Aq
.fi
.SH "DESCRIPTION"
.PP
\fBSECURITY LABEL\fR
applies a security label to a database object\&. An arbitrary number of security labels, one per label provider, can be associated with a given database object\&. Label providers are loadable modules which register themselves by using the function
\fBregister_label_provider\fR\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
.PP
\fBregister_label_provider\fR
is not an SQL function; it can only be called from C code loaded into the backend\&.
.sp .5v
.RE
.PP
The label provider determines whether a given label is valid and whether it is permissible to assign that label to a given object\&. The meaning of a given label is likewise at the discretion of the label provider\&.
PostgreSQL
places no restrictions on whether or how a label provider must interpret security labels; it merely provides a mechanism for storing them\&. In practice, this facility is intended to allow integration with label\-based mandatory access control (MAC) systems such as
SE\-Linux\&. Such systems make all access control decisions based on object labels, rather than traditional discretionary access control (DAC) concepts such as users and groups\&.
.SH "PARAMETERS"
.PP
\fIobject_name\fR, \fItable_name\&.column_name\fR, \fIagg_name\fR, \fIfunction_name\fR
.RS 4
The name of the object to be labeled\&. Names of tables, aggregates, domains, foreign tables, functions, sequences, types, and views can be schema\-qualified\&.
.RE
.PP
\fIprovider\fR
.RS 4
The name of the provider with which this label is to be associated\&. The named provider must be loaded and must consent to the proposed labeling operation\&. If exactly one provider is loaded, the provider name may be omitted for brevity\&.
.RE
.PP
\fIarg_type\fR
.RS 4
An input data type on which the aggregate function operates\&. To reference a zero\-argument aggregate function, write
*
in place of the list of input data types\&.
.RE
.PP
\fIargmode\fR
.RS 4
The mode of a function argument:
IN,
OUT,
INOUT, or
VARIADIC\&. If omitted, the default is
IN\&. Note that
\fBSECURITY LABEL ON FUNCTION\fR
does not actually pay any attention to
OUT
arguments, since only the input arguments are needed to determine the function\*(Aqs identity\&. So it is sufficient to list the
IN,
INOUT, and
VARIADIC
arguments\&.
.RE
.PP
\fIargname\fR
.RS 4
The name of a function argument\&. Note that
\fBSECURITY LABEL ON FUNCTION\fR
does not actually pay any attention to argument names, since only the argument data types are needed to determine the function\*(Aqs identity\&.
.RE
.PP
\fIargtype\fR
.RS 4
The data type(s) of the function\*(Aqs arguments (optionally schema\-qualified), if any\&.
.RE
.PP
\fIlarge_object_oid\fR
.RS 4
The OID of the large object\&.
.RE
.PP
PROCEDURAL
.RS 4
This is a noise word\&.
.RE
.PP
\fIlabel\fR
.RS 4
The new security label, written as a string literal; or
NULL
to drop the security label\&.
.RE
.SH "EXAMPLES"
.PP
The following example shows how the security label of a table might be changed\&.
.sp
.if n \{\
.RS 4
.\}
.nf
SECURITY LABEL FOR selinux ON TABLE mytable IS \*(Aqsystem_u:object_r:sepgsql_table_t:s0\*(Aq;
.fi
.if n \{\
.RE
.\}
.SH "COMPATIBILITY"
.PP
There is no
\fBSECURITY LABEL\fR
command in the SQL standard\&.
.SH "SEE ALSO"
sepgsql, dummy_seclabel
Zerion Mini Shell 1.0