On 27 March 2013 14:50, Robert Haas <robertmh...@gmail.com> wrote: > On Wed, Mar 27, 2013 at 9:09 AM, Thom Brown <t...@linux.com> wrote: >> Perhaps something along the lines of: >> >> "When a CREATE FUNCTION command is executed, the install permission >> will be checked to determine whether the LEAKPROOF attribute was >> present. This permission will also be checked when the user tries to >> apply the LEAKPROOF attribute using the ALTER FUNCTION command." >> >> I'm not sure what the last part is actually describing ("with setattr >> permission on the function being altered."), so I'm not sure how that >> should be read. It doesn't help that I'm not familiar with SELinux >> terms. > > Right, so what it's trying to say is: whenever you modify an object, > we check whether you've got {setattr} permission for that object and > disallow the operation if not. However, for some operations on some > object types, {setattr} is necessary but not sufficient. The > paragraph is recapping, for various cases, which operations require > additional permissions, and what those additional things are. > >> I was really just thinking of CREATE and LEAKPROOF, but I'm not sure >> "CREATE" should be in there anyway. > > create here is referring to the sepgsql permission, not the SQL > command, so it's correct as-is.
My bad. -- Thom -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers