On Wed, Mar 27, 2013 at 9:09 AM, Thom Brown <t...@linux.com> wrote: > Perhaps something along the lines of: > > "When a CREATE FUNCTION command is executed, the install permission > will be checked to determine whether the LEAKPROOF attribute was > present. This permission will also be checked when the user tries to > apply the LEAKPROOF attribute using the ALTER FUNCTION command." > > I'm not sure what the last part is actually describing ("with setattr > permission on the function being altered."), so I'm not sure how that > should be read. It doesn't help that I'm not familiar with SELinux > terms.
Right, so what it's trying to say is: whenever you modify an object, we check whether you've got {setattr} permission for that object and disallow the operation if not. However, for some operations on some object types, {setattr} is necessary but not sufficient. The paragraph is recapping, for various cases, which operations require additional permissions, and what those additional things are. > I was really just thinking of CREATE and LEAKPROOF, but I'm not sure > "CREATE" should be in there anyway. create here is referring to the sepgsql permission, not the SQL command, so it's correct as-is. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers