nspawn,man: use a common vocabulary when referring to selinux security contexts
[elogind.git] / man / systemd.exec.xml
index 2778497647e5dcaf75b77875e25ff14b748f8e7b..f4caccdd23ada352ab2f8c36c50c888a252aa7cc 100644 (file)
                                 for the assignment.</para>
 
                                 <para>Example:
                                 for the assignment.</para>
 
                                 <para>Example:
-                                <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting>
+                                <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
                                 gives three variables <literal>VAR1</literal>,
                                 gives three variables <literal>VAR1</literal>,
-                                <literal>VAR2</literal>, <literal>VAR3</literal>.
+                                <literal>VAR2</literal>, <literal>VAR3</literal>
+                                with the values <literal>word1 word2</literal>,
+                                <literal>word3</literal>, <literal>$word 5 6</literal>.
                                 </para>
 
                                 <para>
                                 </para>
 
                                 <para>
                                 processes and mounts private
                                 <filename>/tmp</filename> and
                                 <filename>/var/tmp</filename>
                                 processes and mounts private
                                 <filename>/tmp</filename> and
                                 <filename>/var/tmp</filename>
-                                directories inside it that are not
+                                directories inside it that is not
                                 shared by processes outside of the
                                 namespace. This is useful to secure
                                 access to temporary files of the
                                 shared by processes outside of the
                                 namespace. This is useful to secure
                                 access to temporary files of the
                                 <filename>/var/tmp</filename>
                                 impossible. All temporary data created
                                 by service will be removed after
                                 <filename>/var/tmp</filename>
                                 impossible. All temporary data created
                                 by service will be removed after
-                                service is stopped. Defaults to
+                                the service is stopped. Defaults to
                                 false. Note that it is possible to run
                                 two or more units within the same
                                 private <filename>/tmp</filename> and
                                 false. Note that it is possible to run
                                 two or more units within the same
                                 private <filename>/tmp</filename> and
                                 for details.</para></listitem>
                         </varlistentry>
 
                                 for details.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>PrivateDevices=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true, sets up a new /dev
+                                namespace for the executed processes
+                                and only adds API pseudo devices such
+                                as <filename>/dev/null</filename>,
+                                <filename>/dev/zero</filename> or
+                                <filename>/dev/random</filename> to
+                                it, but no physical devices such as
+                                <filename>/dev/sda</filename>. This is
+                                useful to securely turn off physical
+                                device access by the executed
+                                process. Defaults to
+                                false.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><varname>MountFlags=</varname></term>
 
                         <varlistentry>
                                 <term><varname>MountFlags=</varname></term>
 
                                 this service.</para></listitem>
                         </varlistentry>
 
                                 this service.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>SELinuxContext=</varname></term>
+
+                                <listitem><para>Set the SELinux
+                                security context of the executed
+                                process. If set, this will override
+                                the automated domain
+                                transition. However, the policy still
+                                needs to autorize the transition. This
+                                directive is ignored if SELinux is
+                                disabled. If prefixed by
+                                <literal>-</literal>, all errors will
+                                be ignored. See
+                                <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+                                for details.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><varname>IgnoreSIGPIPE=</varname></term>
 
                         <varlistentry>
                                 <term><varname>IgnoreSIGPIPE=</varname></term>