Skip to main content
Version: 1.0.16

SECURITY LABEL

SECURITY LABEL — Define or change a security label applied to an object

Synopsis

SECURITY LABEL [ FOR provider ] ON

{

TABLE object_name |

COLUMN table_name.column_name |

AGGREGATE aggregate_name ( aggregate_signature ) |

DATABASE object_name |

DOMAIN object_name |

EVENT TRIGGER object_name |

FOREIGN TABLE object_name

FUNCTION function_name [ ( [ [ argmode ] [ argname ] argtype [, ...] ] ) ] |

LARGE OBJECT large_object_oid |

MATERIALIZED VIEW object_name |

[ PROCEDURAL ] LANGUAGE object_name |

PROCEDURE procedure_name [ ( [ [ argmode ] [ argname ] argtype [, ...] ] ) ] |

PUBLICATION object_name |

ROLE object_name |

ROUTINE routine_name [ ( [ [ argmode ] [ argname ] argtype [, ...] ] ) ] |

SCHEMA object_name |

SEQUENCE object_name |

SUBSCRIPTION object_name |

TABLESPACE object_name |

TYPE object_name |

VIEW object_name

} IS 'label'

where aggregate_signature is:

* |

[ argmode ] [ argname ] argtype [ , ... ] |

[ [ argmode ] [ argname ] argtype [ , ... ] ] ORDER BY [ argmode ] [ argname

] argtype [ , ... ]

Description

SECURITY LABEL applies a security label to a database object. Any number of security labels (one per label provider) can be associated with a given database object. Label providers are loadable modules that register themselves using the function register_label_provider.

Note

register_label_provider is not a SQL function; it can only be called from C code loaded into the backend.

The label provider determines whether a given label is valid and whether it can be assigned to a given object. The meaning of a given label is likewise determined by the label provider. Halo does not impose any restrictions on whether or how a label provider must interpret security labels; it merely provides a mechanism for storing them. In practice, this feature is intended to allow integration with label-based mandatory access control (MAC) systems (such as SELinux). Such systems make all access control decisions based on object labels rather than traditional discretionary access control (DAC) concepts such as users and groups.

Parameters

object_name

table_name.column_name

aggregate_name

function_name

procedure_name

routine_name

The name of the object to be labeled. The names of tables, aggregates, domains, foreign tables, functions, procedures, routines, sequences, types, and views can be schema-qualified.

provider

The name of the provider associated with this label. The referenced provider must have been loaded and must agree with the proposed labeling operation. If exactly one provider is loaded, the provider name can be omitted for brevity.

argmode

The mode of a function, procedure, or aggregate argument: IN, OUT, INOUT, or VARIADIC. If omitted, the default is IN. Note that SECURITY LABEL does not actually care about OUT parameters, since only input parameters are needed to determine a function's identity. Therefore, listing IN, INOUT, and VARIADIC parameters is sufficient.

argname

The name of a function, procedure, or aggregate argument. Note that SECURITY LABEL does not actually care about argument names, since only the data types of the arguments are needed to determine a function's identity.

argtype

The data type of a function, procedure, or aggregate argument.

large_object_oid

The OID of the large object.

PROCEDURAL

This is a noise word.

label

The new security label, written as a string literal. Writing NULL removes the existing security label.

Examples

-- The following example shows how to change the security label of a table.

SECURITY LABEL FOR selinux ON TABLE mytable IS

'system_u:object_r:sepgsql_table_t:s0';

See Also

sepgsql