diff --git a/doc/src/sgml/sepgsql.sgml b/doc/src/sgml/sepgsql.sgml
index e45c258ac89..68cc6078af2 100644
--- a/doc/src/sgml/sepgsql.sgml
+++ b/doc/src/sgml/sepgsql.sgml
@@ -345,42 +345,35 @@ $ sudo semodule -r sepgsql-regtest
For tables, db_table:select>, db_table:insert>,
- db_table:update> or db_table:delete> is
+ db_table:update> or db_table:delete> are
checked for all the referenced target tables depending on the kind of
- statement;
- in addition, db_table:select> is also checked for
- all the tables that contain the columns referenced in the
+ statement; in addition, db_table:select> is also checked for
+ all the tables that contain columns referenced in the
WHERE> or RETURNING> clause, as a data source
- of UPDATE>, and so on. For example, consider:
+ for UPDATE>, and so on.
+
+
+ Column-level permissions will also be checked for each referenced column.
+ db_column:select> is checked on not only the columns being
+ read using SELECT>, but those being referenced in other DML
+ statements; db_column:update> or db_column:insert>
+ will also be checked for columns being modified by UPDATE> or
+ INSERT>.
+
+
+
+ For example, consider:
UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;
- In this case we must have db_table:select> in addition to
- db_table:update>, because t1.a> is referenced
- within the WHERE> clause. Column-level permissions will also be
- checked for each referenced column.
-
-
-
- For columns, db_column:select> is checked on
- not only the columns being read using SELECT>, but those being
- referenced in other DML statements.
- Of course, it also checks db_column:update> or
- db_column:insert> on columns being modified by
- UPDATE> or INSERT>.
-
-
-
-
-UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;
-
- In this case, it checks db_column:update> on the column
- t1.x> being updated, db_column:{select update}>
- on the column t1.y> being updated and referenced, and
- db_column:select> on the column t1.z>, since that is
- only referenced in the WHERE> clause.
+ Here, db_column:update> will be checked for
+ t1.x>, since it is being updated,
+ db_column:{select update}> will be checked for
+ t1.y>, since it is both updated and referenced, and
+ db_column:select> will be checked for t1.z>, since
+ it is only referenced.
db_table:{select update}> will also be checked
at the table level.
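Review bot: In the rewritten example paragraph, "since it is only referenced" for t1.z no longer says where the reference occurs. The removed text named the WHERE clause, and with the old table-level explanation also deleted, nothing now tells the reader why db_table:select is required alongside db_table:update. Suggest "since it is only referenced in the WHERE clause", and extending the closing sentence to say that select is needed at the table level because of that WHERE reference. Dropping the old mention of t1.a is right, since that column does not appear in the statement. Two smaller wording points: in the first paragraph, changing "is" to "are" after a list joined by "or" is questionable, because the singular agrees with the nearest item; and "is checked on not only the columns ... but those" would read better as "is checked not only on the columns ... but also on those".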