chiark / gitweb /
~ianmdlvl / elogind.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
util: drop parse_user_at_host() since its unused now
[elogind.git] / man / systemd.exec.xml
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 8c44071d533a5b8b651218ceb65d6006fe1c88c6..f4caccdd23ada352ab2f8c36c50c888a252aa7cc 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -295,9 +295,11 @@
                                 for the assignment.</para>
 
                                 <para>Example:
                                 for the assignment.</para>
 
                                 <para>Example:
-                                <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting>
+                                <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
                                 gives three variables <literal>VAR1</literal>,
                                 gives three variables <literal>VAR1</literal>,
-                                <literal>VAR2</literal>, <literal>VAR3</literal>.
+                                <literal>VAR2</literal>, <literal>VAR3</literal>
+                                with the values <literal>word1 word2</literal>,
+                                <literal>word3</literal>, <literal>$word 5 6</literal>.
                                 </para>
 
                                 <para>
                                 </para>
 
                                 <para>
@@ -846,9 +848,9 @@
                                 system namespace for the executed
                                 processes and mounts private
                                 <filename>/tmp</filename> and
                                 system namespace for the executed
                                 processes and mounts private
                                 <filename>/tmp</filename> and
-                                <filename>/var/tmp</filename> directories
-                                inside it, that are not shared by
-                                processes outside of the
+                                <filename>/var/tmp</filename>
+                                directories inside it that is not
+                                shared by processes outside of the
                                 namespace. This is useful to secure
                                 access to temporary files of the
                                 process, but makes sharing between
                                 namespace. This is useful to secure
                                 access to temporary files of the
                                 process, but makes sharing between
@@ -856,9 +858,17 @@
                                 <filename>/tmp</filename> or
                                 <filename>/var/tmp</filename>
                                 impossible. All temporary data created
                                 <filename>/tmp</filename> or
                                 <filename>/var/tmp</filename>
                                 impossible. All temporary data created
-                                by service will be removed after service
-                                is stopped. Defaults to
-                                false.</para></listitem>
+                                by service will be removed after
+                                the service is stopped. Defaults to
+                                false. Note that it is possible to run
+                                two or more units within the same
+                                private <filename>/tmp</filename> and
+                                <filename>/var/tmp</filename>
+                                namespace by using the
+                                <varname>JoinsNamespaceOf=</varname>
+                                directive, see
+                                <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                                for details.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
@@ -874,6 +884,30 @@
                                 available to the executed process.
                                 This is useful to securely turn off
                                 network access by the executed
                                 available to the executed process.
                                 This is useful to securely turn off
                                 network access by the executed
+                                process. Defaults to false. Note that
+                                it is possible to run two or more
+                                units within the same private network
+                                namespace by using the
+                                <varname>JoinsNamespaceOf=</varname>
+                                directive, see
+                                <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                                for details.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><varname>PrivateDevices=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true, sets up a new /dev
+                                namespace for the executed processes
+                                and only adds API pseudo devices such
+                                as <filename>/dev/null</filename>,
+                                <filename>/dev/zero</filename> or
+                                <filename>/dev/random</filename> to
+                                it, but no physical devices such as
+                                <filename>/dev/sda</filename>. This is
+                                useful to securely turn off physical
+                                device access by the executed
                                 process. Defaults to
                                 false.</para></listitem>
                         </varlistentry>
                                 process. Defaults to
                                 false.</para></listitem>
                         </varlistentry>
@@ -916,6 +950,23 @@
                                 this service.</para></listitem>
                         </varlistentry>
 
                                 this service.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>SELinuxContext=</varname></term>
+
+                                <listitem><para>Set the SELinux
+                                security context of the executed
+                                process. If set, this will override
+                                the automated domain
+                                transition. However, the policy still
+                                needs to autorize the transition. This
+                                directive is ignored if SELinux is
+                                disabled. If prefixed by
+                                <literal>-</literal>, all errors will
+                                be ignored. See
+                                <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+                                for details.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><varname>IgnoreSIGPIPE=</varname></term>
 
                         <varlistentry>
                                 <term><varname>IgnoreSIGPIPE=</varname></term>
 
Unnamed repository; edit this file 'description' to name the repository.