<varlistentry>
<term><varname>SyslogIdentifier=</varname></term>
<listitem><para>Sets the process name
- to prefix log lines sent to syslog or
- the kernel log buffer with. If not set,
- defaults to the process name of the
- executed process. This option is only
- useful when
+ to prefix log lines sent to the
+ logging system or the kernel log
+ buffer with. If not set, defaults to
+ the process name of the executed
+ process. This option is only useful
+ when
<varname>StandardOutput=</varname> or
<varname>StandardError=</varname> are
- set to <option>syslog</option> or
- <option>kmsg</option>.</para></listitem>
+ set to <option>syslog</option>,
+ <option>journal</option> or
+ <option>kmsg</option> (or to the same
+ settings in combination with
+ <option>+console</option>).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>SyslogFacility=</varname></term>
<varname>infinity</varname> to
configure no limit on a specific
resource.</para></listitem>
+
+ <table>
+ <title>Limit directives and their equivalent with ulimit</title>
+
+ <tgroup cols='2'>
+ <colspec colname='directive' />
+ <colspec colname='equivalent' />
+ <thead>
+ <row>
+ <entry>Directive</entry>
+ <entry>ulimit equivalent</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>LimitCPU</entry>
+ <entry>ulimit -t</entry>
+ </row>
+ <row>
+ <entry>LimitFSIZE</entry>
+ <entry>ulimit -f</entry>
+ </row>
+ <row>
+ <entry>LimitDATA</entry>
+ <entry>ulimit -d</entry>
+ </row>
+ <row>
+ <entry>LimitSTACK</entry>
+ <entry>ulimit -s</entry>
+ </row>
+ <row>
+ <entry>LimitCORE</entry>
+ <entry>ulimit -c</entry>
+ </row>
+ <row>
+ <entry>LimitRSS</entry>
+ <entry>ulimit -m</entry>
+ </row>
+ <row>
+ <entry>LimitNOFILE</entry>
+ <entry>ulimit -n</entry>
+ </row>
+ <row>
+ <entry>LimitAS</entry>
+ <entry>ulimit -v</entry>
+ </row>
+ <row>
+ <entry>LimitNPROC</entry>
+ <entry>ulimit -u</entry>
+ </row>
+ <row>
+ <entry>LimitMEMLOCK</entry>
+ <entry>ulimit -l</entry>
+ </row>
+ <row>
+ <entry>LimitLOCKS</entry>
+ <entry>ulimit -x</entry>
+ </row>
+ <row>
+ <entry>LimitSIGPENDING</entry>
+ <entry>ulimit -i</entry>
+ </row>
+ <row>
+ <entry>LimitMSGQUEUE</entry>
+ <entry>ulimit -q</entry>
+ </row>
+ <row>
+ <entry>LimitNICE</entry>
+ <entry>ulimit -e</entry>
+ </row>
+ <row>
+ <entry>LimitRTPRIO</entry>
+ <entry>ulimit -r</entry>
+ </row>
+ <row>
+ <entry>LimitRTTIME</entry>
+ <entry>No equivalent</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
</varlistentry>
<varlistentry>
<varlistentry>
<term><varname>SecureBits=</varname></term>
<listitem><para>Controls the secure
- bits set for the executed process. See
- <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details. Takes a list of strings:
+ bits set for the executed process.
+ Takes a space-separated combination of
+ options from the following list:
<option>keep-caps</option>,
<option>keep-caps-locked</option>,
<option>no-setuid-fixup</option>,
<option>no-setuid-fixup-locked</option>,
- <option>noroot</option> and/or
+ <option>noroot</option>, and
<option>noroot-locked</option>. This
option may appear more than once in
- which case the secure bits are
- ORed. If the empty string is assigned
- to this option, the bits are reset to
- 0.</para></listitem>
+ which case the secure bits are ORed.
+ If the empty string is assigned to
+ this option, the bits are reset to 0.
+ See <citerefentry
+ project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for details.</para></listitem>
</varlistentry>
<varlistentry>
attached to the executed file. Due to
that
<varname>CapabilityBoundingSet=</varname>
- is probably the much more useful
+ is probably a much more useful
setting.</para></listitem>
</varlistentry>
made inaccessible and empty for
processes invoked by this unit. If set
to <literal>read-only</literal>, the
- two directores are made read-only
+ two directories are made read-only
instead. It is recommended to enable
this setting for all long-running
services (in particular network-facing
namespace. Note that
<option>slave</option> means that file
systems mounted on the host might stay
- mounted continously in the unit's
+ mounted continuously in the unit's
namespace, and thus keep the device
busy. Note that the file system
namespace related options
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>SmackProcessLabel=</varname></term>
+
+ <listitem><para>Takes a
+ <option>SMACK64</option> security
+ label as argument. The process
+ executed by the unit will be started
+ under this label and SMACK will decide
+ whether the processes is allowed to
+ run or not based on it. The process
+ will continue to run under the label
+ specified here unless the executable
+ has its own
+ <option>SMACK64EXEC</option> label, in
+ which case the process will transition
+ to run under that label. When not
+ specified, the label that systemd is
+ running under is used. This directive
+ is ignored if SMACK is
+ disabled.</para>
+
+ <para>The value may be prefixed by
+ <literal>-</literal>, in which case
+ all errors will be ignored. An empty
+ value may be specified to unset
+ previous assignments.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>IgnoreSIGPIPE=</varname></term>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,