The engmgr role
For this example, insert values into the projstatus table
by using the engmgr role. By default, the insert command uses the
security label of the inserter. Also, _sec_label is not automatically
expanded from the asterisk; you must request it specifically.
MLSSAMPLE.SCH(DBA)=> \c mlssample engmgr emem
You are now connected to database mlssample as user engmgr.
MLSSAMPLE.SCH(ENGMGR)=> INSERT INTO projstatus VALUES (1, 'Secret Project', 105);
INSERT 0 1
MLSSAMPLE.SCH(ENGMGR)=> SELECT *, _SEC_LABEL FROM projstatus;
ID | NAME | METRIC | _SEC_LABEL
----+----------------+--------+----------------------
1 | Secret Project | 105 | SECRET:RED,GREEN:ENG
(1 row)
The next example explicitly enters a label, which
is allowed because engmgr has Label Expand permission, which allows
insertion of a label less restrictive than their own.
MLSSAMPLE.SCH(ENGMGR)=> INSERT INTO projstatus(id,name,metric,_SEC_LABEL)
VALUES (2, 'Project Red', 113, 'confidential:red:eng');
INSERT 0 1
The next example explicitly enters a label that
sw1 can see.
MLSSAMPLE.SCH(ENGMGR)=> INSERT INTO projstatus(id,name,metric,_SEC_LABEL)
VALUES (3, 'Project Green', 113, 'confidential:green:eng');
INSERT 0 1
The next example fails because sw is a subset of
eng, making it a more restrictive label. This would be allowed if
engmgr had Label Restrict permission.
MLSSAMPLE.SCH(ENGMGR)=> INSERT INTO projstatus(id,name,metric,_SEC_LABEL)
VALUES (4, 'Manhattan', 102, 'secret:red:sw');
ERROR: Security Label : Permission denied.
The next example fails because the
category name does not exist.
MLSSAMPLE.SCH(ENGMGR)=> INSERT INTO projstatus(id,name,metric,_SEC_LABEL)
VALUES (4, 'General', 164, 'confidential:eng');
ERROR: Security Label : Category name does not exist.
Use select to see the results.
MLSSAMPLE.SCH(ENGMGR)=> SELECT *, _SEC_LABEL FROM projstatus;
ID | NAME | METRIC | _SEC_LABEL
----+----------------+--------+------------------------
3 | Project Green | 113 | CONFIDENTIAL:GREEN:ENG
1 | Secret Project | 105 | SECRET:RED,GREEN:ENG
2 | Project Red | 113 | CONFIDENTIAL:RED:ENG
(3 rows)
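The five inserts above can be reproduced with a small model of the label comparison. This is an added example, not code from the product or its documentation. The level ordering, the category and cohort tables, and the names parse_label and check_insert are assumptions derived from the labels shown in the transcript.

```python
# Simplified model of the label checks in the transcript above (not Netezza code).
# Assumed from the page's labels: CONFIDENTIAL ranks below SECRET, the categories
# are RED and GREEN, and cohort SW is contained in cohort ENG.
LEVELS = {"CONFIDENTIAL": 1, "SECRET": 2}
CATEGORIES = {"RED", "GREEN"}
COHORT_COVERS = {"ENG": {"ENG", "SW"}, "SW": {"SW"}}


def parse_label(text):
    """Split 'level:cat1,cat2:cohort' into (rank, categories, covered cohorts)."""
    fields = [f.strip().upper() for f in text.split(":")] + ["", ""]
    level, cats, cohorts = fields[0], fields[1], fields[2]
    if level not in LEVELS:
        raise ValueError("unknown level")  # hypothetical message, not from the page
    cat_set = {c for c in cats.split(",") if c}
    if not cat_set <= CATEGORIES:
        # The second field is always read as categories, so 'confidential:eng' lands here.
        raise ValueError("Category name does not exist.")
    covered = set()
    for cohort in (c for c in cohorts.split(",") if c):
        if cohort not in COHORT_COVERS:
            raise ValueError("unknown cohort")  # hypothetical message
        covered |= COHORT_COVERS[cohort]
    # Assumption: an omitted cohort field places no cohort restriction on the row.
    return LEVELS[level], cat_set, covered or set(COHORT_COVERS)


def check_insert(own, new, can_expand, can_restrict):
    """Return 'INSERT 0 1' or the error text for inserting a row labelled `new`."""
    o_rank, o_cats, o_coh = parse_label(own)
    try:
        n_rank, n_cats, n_coh = parse_label(new)
    except ValueError as err:
        return f"ERROR: Security Label : {err}"
    # A higher level, an extra category or a narrower cohort shrinks the audience.
    more = n_rank > o_rank or bool(n_cats - o_cats) or bool(o_coh - n_coh)
    # A lower level, a dropped category or a wider cohort enlarges the audience.
    less = n_rank < o_rank or bool(o_cats - n_cats) or bool(n_coh - o_coh)
    if (more and not can_restrict) or (less and not can_expand):
        return "ERROR: Security Label : Permission denied."
    return "INSERT 0 1"


if __name__ == "__main__":
    ENGMGR = "SECRET:RED,GREEN:ENG"  # engmgr's own label, as shown in the first SELECT
    for label in (ENGMGR, "confidential:red:eng", "confidential:green:eng",
                  "secret:red:sw", "confidential:eng"):
        print(f"{label:24} {check_insert(ENGMGR, label, True, False)}")
```

The 'secret:red:sw' case shows why one label can need both permissions: it drops the GREEN category (an expansion) and narrows the cohort from ENG to SW (a restriction).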