X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;ds=inline;f=man%2Fsystemd.exec.xml;h=f4caccdd23ada352ab2f8c36c50c888a252aa7cc;hb=82adf6af7c72b852449346835f33184a841b4796;hp=e213ec4f3ce48a6f117a78aaa3f78758bc48c5f1;hpb=59fccd82117cf9a84454f41867a882f872916dc5;p=elogind.git
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index e213ec4f3..f4caccdd2 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -295,9 +295,11 @@
for the assignment.
Example:
- Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"
+ Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
gives three variables VAR1,
- VAR2, VAR3.
+ VAR2, VAR3
+ with the values word1 word2,
+ word3, $word 5 6.
@@ -846,9 +848,9 @@
system namespace for the executed
processes and mounts private
/tmp and
- /var/tmp directories
- inside it, that are not shared by
- processes outside of the
+ /var/tmp
+ directories inside it that is not
+ shared by processes outside of the
namespace. This is useful to secure
access to temporary files of the
process, but makes sharing between
@@ -856,9 +858,17 @@
/tmp or
/var/tmp
impossible. All temporary data created
- by service will be removed after service
- is stopped. Defaults to
- false.
+ by service will be removed after
+ the service is stopped. Defaults to
+ false. Note that it is possible to run
+ two or more units within the same
+ private /tmp and
+ /var/tmp
+ namespace by using the
+ JoinsNamespaceOf=
+ directive, see
+ systemd.unit5
+ for details.
@@ -874,6 +884,30 @@
available to the executed process.
This is useful to securely turn off
network access by the executed
+ process. Defaults to false. Note that
+ it is possible to run two or more
+ units within the same private network
+ namespace by using the
+ JoinsNamespaceOf=
+ directive, see
+ systemd.unit5
+ for details.
+
+
+
+ PrivateDevices=
+
+ Takes a boolean
+ argument. If true, sets up a new /dev
+ namespace for the executed processes
+ and only adds API pseudo devices such
+ as /dev/null,
+ /dev/zero or
+ /dev/random to
+ it, but no physical devices such as
+ /dev/sda. This is
+ useful to securely turn off physical
+ device access by the executed
process. Defaults to
false.
@@ -916,6 +950,23 @@
this service.
+
+ SELinuxContext=
+
+ Set the SELinux
+ security context of the executed
+ process. If set, this will override
+ the automated domain
+ transition. However, the policy still
+ needs to autorize the transition. This
+ directive is ignored if SELinux is
+ disabled. If prefixed by
+ -, all errors will
+ be ignored. See
+ setexeccon3
+ for details.
+
+
IgnoreSIGPIPE=
@@ -1027,7 +1078,7 @@
User name (twice), home
directory, and the login shell.
- Set for the units which
+ The variables are set for the units that
have User= set,
which includes user
systemd instances.
@@ -1053,14 +1104,14 @@
$XDG_VTNR
The identifier of the
- session, and the seat name, and
+ session, the seat name, and
virtual terminal of the session. Set
by
pam_systemd8
for login sessions.
$XDG_SEAT and
- $XDG_VTNR will be
- only set when attached to a seat and a
+ $XDG_VTNR will
+ only be set when attached to a seat and a
tty.