SECURITY LABEL(7) | PostgreSQL 9.6.12 Documentation | SECURITY LABEL(7) |
NAME
SECURITY_LABEL - define or change a security label applied to an object
SYNOPSIS
    SECURITY LABEL [ FOR provider ] ON
    {
      TABLE object_name |
      COLUMN table_name.column_name |
      AGGREGATE aggregate_name ( aggregate_signature ) |
      DATABASE object_name |
      DOMAIN object_name |
      EVENT TRIGGER object_name |
      FOREIGN TABLE object_name |
      FUNCTION function_name ( [ [ argmode ] [ argname ] argtype [, ...] ] ) |
      LARGE OBJECT large_object_oid |
      MATERIALIZED VIEW object_name |
      [ PROCEDURAL ] LANGUAGE object_name |
      ROLE object_name |
      SCHEMA object_name |
      SEQUENCE object_name |
      TABLESPACE object_name |
      TYPE object_name |
      VIEW object_name
    } IS 'label'

    where aggregate_signature is:

    * |
    [ argmode ] [ argname ] argtype [ , ... ] |
    [ [ argmode ] [ argname ] argtype [ , ... ] ] ORDER BY [ argmode ] [ argname ] argtype [ , ... ]
DESCRIPTION
SECURITY LABEL applies a security label to a database object. An arbitrary number of security labels, one per label provider, can be associated with a given database object. Label providers are loadable modules which register themselves by using the function register_label_provider.
Note
register_label_provider is not an SQL function; it can only be called from C code loaded into the backend.
The label provider determines whether a given label is valid and whether it is permissible to assign that label to a given object. The meaning of a given label is likewise at the discretion of the label provider. PostgreSQL places no restrictions on whether or how a label provider must interpret security labels; it merely provides a mechanism for storing them. In practice, this facility is intended to allow integration with label-based mandatory access control (MAC) systems such as SE-Linux. Such systems make all access control decisions based on object labels, rather than traditional discretionary access control (DAC) concepts such as users and groups.
PARAMETERS
object_name
table_name.column_name
aggregate_name
function_name
provider
argmode
argname
argtype
large_object_oid
PROCEDURAL
label
EXAMPLES
The following example shows how the security label of a table might be changed.

    SECURITY LABEL FOR selinux ON TABLE mytable IS 'system_u:object_r:sepgsql_table_t:s0';
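An added example, not part of the PostgreSQL documentation, that extends the one above: it labels a table and one of its columns, then audits what is stored through the pg_seclabels view and the pg_seclabel catalog. It assumes the sepgsql module is loaded under the provider name selinux and that the loaded policy defines the types used; the table definition and the column label are illustrative.

```sql
-- Added example. Assumptions: sepgsql is loaded (provider 'selinux'), the
-- policy defines both label types below, and mytable's columns are made up.
BEGIN;

CREATE TABLE mytable (id integer PRIMARY KEY, secret_note text);

-- Label the table as a whole, then give one column its own label.
-- The provider validates each label and may refuse the change.
SECURITY LABEL FOR selinux ON TABLE mytable
    IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL FOR selinux ON COLUMN mytable.secret_note
    IS 'system_u:object_r:sepgsql_secret_table_t:s0';

-- Review: every stored table/column label, one row per (object, provider).
SELECT objtype,
       objnamespace::regnamespace AS schema_name,
       objname,
       provider,
       label
FROM   pg_seclabels
WHERE  objtype IN ('table', 'column')
ORDER  BY objname, provider;

-- Gap check: ordinary user tables that carry no label from this provider.
-- objsubid = 0 selects the label on the table itself, not on a column.
SELECT c.oid::regclass AS unlabeled_table
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind = 'r'
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  NOT EXISTS (
         SELECT 1
         FROM   pg_seclabel l
         WHERE  l.classoid = 'pg_class'::regclass
           AND  l.objoid   = c.oid
           AND  l.objsubid = 0
           AND  l.provider = 'selinux');

-- Leave the database unchanged.
ROLLBACK;
```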
COMPATIBILITY
There is no SECURITY LABEL command in the SQL standard.
SEE ALSO
sepgsql, src/test/modules/dummy_seclabel
2019 | PostgreSQL 9.6.12 |