SECURITY LABEL — define or change a security label applied to an object
Synopsis

SECURITY LABEL [ FOR provider ] ON
{
  TABLE object_name |
  COLUMN table_name.column_name |
  AGGREGATE aggregate_name ( aggregate_signature ) |
  DATABASE object_name |
  EVENT TRIGGER object_name |
  FOREIGN TABLE object_name |
  FUNCTION function_name [ ( [ [ argmode ] [ argname ] argtype [, ...] ] ) ] |
  LARGE OBJECT large_object_oid |
  MATERIALIZED VIEW object_name |
  [ PROCEDURAL ] LANGUAGE object_name |
  PROCEDURE procedure_name [ ( [ [ argmode ] [ argname ] argtype [, ...] ] ) ] |
  PUBLICATION object_name |
  ROUTINE routine_name [ ( [ [ argmode ] [ argname ] argtype [, ...] ] ) ] |
  SEQUENCE object_name |
  SUBSCRIPTION object_name |
  TABLESPACE object_name |
} IS { string_literal | NULL }

where aggregate_signature is:

[ argmode ] [ argname ] argtype [ , ... ] |
[ [ argmode ] [ argname ] argtype [ , ... ] ] ORDER BY [ argmode ] [ argname ] argtype [ , ... ]
Description

SECURITY LABEL applies a security label to a database object. An
arbitrary number of security labels, one per label provider, can be
associated with a given database object. Label providers are loadable
modules which register themselves by using the function
register_label_provider.

Note: register_label_provider is not an SQL function; it can only be
called from C code loaded into the backend.

The label provider determines whether a given label is valid and
whether it is permissible to assign that label to a given object. The
meaning of a given label is likewise at the discretion of the label
provider. PostgreSQL places no restrictions on whether or how a label
provider must interpret security labels; it merely provides a mechanism
for storing them. In practice, this facility is intended to allow
integration with label-based mandatory access control (MAC) systems
such as SELinux. Such systems make all access control decisions based
on object labels, rather than traditional discretionary access control
(DAC) concepts such as users and groups.

You must own the database object to use SECURITY LABEL.
Parameters

object_name
table_name.column_name
aggregate_name
function_name
procedure_name
routine_name

    The name of the object to be labeled. Names of objects that
    reside in schemas (tables, functions, etc.) can be

provider

    The name of the provider with which this label is to be
    associated. The named provider must be loaded and must consent
    to the proposed labeling operation. If exactly one provider is
    loaded, the provider name may be omitted for brevity.

argmode

    The mode of a function, procedure, or aggregate argument: IN,
    OUT, INOUT, or VARIADIC. If omitted, the default is IN. Note
    that SECURITY LABEL does not actually pay any attention to OUT
    arguments, since only the input arguments are needed to
    determine the function's identity. So it is sufficient to list
    the IN, INOUT, and VARIADIC arguments.

argname

    The name of a function, procedure, or aggregate argument. Note
    that SECURITY LABEL does not actually pay any attention to
    argument names, since only the argument data types are needed to
    determine the function's identity.

argtype

    The data type of a function, procedure, or aggregate argument.

large_object_oid

    The OID of the large object.

PROCEDURAL

    This is a noise word.

string_literal

    The new setting of the security label, written as a string

NULL

    Write NULL to drop the security label.
Examples

The following example shows how the security label of a table could be

SECURITY LABEL FOR selinux ON TABLE mytable IS 'system_u:object_r:sepgsql_table_

SECURITY LABEL FOR selinux ON TABLE mytable IS NULL;
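An added example, not taken from the PostgreSQL manual, that exercises the command on a table, a column and a function and then audits the stored labels through the pg_seclabels system view. It assumes the dummy_seclabel test module mentioned on this page is loaded as the only label provider and that the current role owns the objects; the table and function names are made up, and the label strings are the ones that test module accepts.

```sql
-- Added example, not from the PostgreSQL manual. Assumes dummy_seclabel is
-- loaded (e.g. via shared_preload_libraries) as the only provider and that
-- the current role owns the objects; table/function names are made up.
CREATE TABLE customer (id int PRIMARY KEY, ssn text, email text);
CREATE FUNCTION mask_ssn(ssn text) RETURNS text
    LANGUAGE sql IMMUTABLE
    AS $$ SELECT 'XXX-XX-' || right(ssn, 4) $$;

-- One label per provider per object. dummy_seclabel consents only to a small
-- fixed set of label strings and raises an error for anything else; that
-- check is the provider "consent" described above.
SECURITY LABEL FOR dummy_seclabel ON TABLE  customer     IS 'classified';
SECURITY LABEL FOR dummy_seclabel ON COLUMN customer.ssn IS 'classified';

-- Only input argument types identify the function: argmode and argname may
-- be omitted, and OUT arguments would be ignored anyway.
SECURITY LABEL FOR dummy_seclabel ON FUNCTION mask_ssn(text) IS 'unclassified';

-- With exactly one provider loaded, FOR may be dropped. This replaces the
-- table's earlier label for the same provider rather than adding a second.
SECURITY LABEL ON TABLE customer IS 'unclassified';

-- Would fail: the provider does not recognise this label, so nothing is stored.
-- SECURITY LABEL FOR dummy_seclabel ON TABLE customer IS 'public';

-- Audit what is actually stored. pg_seclabels lists every label of every
-- provider; objname for a column is written as table.column.
SELECT objtype, objname, provider, label
  FROM pg_seclabels
 WHERE provider = 'dummy_seclabel'
 ORDER BY objtype, objname;

-- Drop the column label; its row disappears from pg_seclabels.
SECURITY LABEL FOR dummy_seclabel ON COLUMN customer.ssn IS NULL;
```

Re-running the SELECT after the last statement is the quickest way to confirm that a label was dropped rather than merely overwritten.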
Compatibility

There is no SECURITY LABEL command in the SQL standard.
See Also

sepgsql, src/test/modules/dummy_seclabel