nspawn,man: use a common vocabulary when referring to selinux security contexts
[elogind.git] / man / systemd.exec.xml
index e213ec4f3ce48a6f117a78aaa3f78758bc48c5f1..f4caccdd23ada352ab2f8c36c50c888a252aa7cc 100644 (file)
                                 for the assignment.</para>
 
                                 <para>Example:
                                 for the assignment.</para>
 
                                 <para>Example:
-                                <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting>
+                                <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
                                 gives three variables <literal>VAR1</literal>,
                                 gives three variables <literal>VAR1</literal>,
-                                <literal>VAR2</literal>, <literal>VAR3</literal>.
+                                <literal>VAR2</literal>, <literal>VAR3</literal>
+                                with the values <literal>word1 word2</literal>,
+                                <literal>word3</literal>, <literal>$word 5 6</literal>.
                                 </para>
 
                                 <para>
                                 </para>
 
                                 <para>
                                 system namespace for the executed
                                 processes and mounts private
                                 <filename>/tmp</filename> and
                                 system namespace for the executed
                                 processes and mounts private
                                 <filename>/tmp</filename> and
-                                <filename>/var/tmp</filename> directories
-                                inside it, that are not shared by
-                                processes outside of the
+                                <filename>/var/tmp</filename>
+                                directories inside it that is not
+                                shared by processes outside of the
                                 namespace. This is useful to secure
                                 access to temporary files of the
                                 process, but makes sharing between
                                 namespace. This is useful to secure
                                 access to temporary files of the
                                 process, but makes sharing between
                                 <filename>/tmp</filename> or
                                 <filename>/var/tmp</filename>
                                 impossible. All temporary data created
                                 <filename>/tmp</filename> or
                                 <filename>/var/tmp</filename>
                                 impossible. All temporary data created
-                                by service will be removed after service
-                                is stopped. Defaults to
-                                false.</para></listitem>
+                                by service will be removed after
+                                the service is stopped. Defaults to
+                                false. Note that it is possible to run
+                                two or more units within the same
+                                private <filename>/tmp</filename> and
+                                <filename>/var/tmp</filename>
+                                namespace by using the
+                                <varname>JoinsNamespaceOf=</varname>
+                                directive, see
+                                <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                                for details.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
                                 available to the executed process.
                                 This is useful to securely turn off
                                 network access by the executed
                                 available to the executed process.
                                 This is useful to securely turn off
                                 network access by the executed
+                                process. Defaults to false. Note that
+                                it is possible to run two or more
+                                units within the same private network
+                                namespace by using the
+                                <varname>JoinsNamespaceOf=</varname>
+                                directive, see
+                                <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                                for details.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><varname>PrivateDevices=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true, sets up a new /dev
+                                namespace for the executed processes
+                                and only adds API pseudo devices such
+                                as <filename>/dev/null</filename>,
+                                <filename>/dev/zero</filename> or
+                                <filename>/dev/random</filename> to
+                                it, but no physical devices such as
+                                <filename>/dev/sda</filename>. This is
+                                useful to securely turn off physical
+                                device access by the executed
                                 process. Defaults to
                                 false.</para></listitem>
                         </varlistentry>
                                 process. Defaults to
                                 false.</para></listitem>
                         </varlistentry>
                                 this service.</para></listitem>
                         </varlistentry>
 
                                 this service.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>SELinuxContext=</varname></term>
+
+                                <listitem><para>Set the SELinux
+                                security context of the executed
+                                process. If set, this will override
+                                the automated domain
+                                transition. However, the policy still
+                                needs to autorize the transition. This
+                                directive is ignored if SELinux is
+                                disabled. If prefixed by
+                                <literal>-</literal>, all errors will
+                                be ignored. See
+                                <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+                                for details.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><varname>IgnoreSIGPIPE=</varname></term>
 
                         <varlistentry>
                                 <term><varname>IgnoreSIGPIPE=</varname></term>
 
 
                                 <listitem><para>User name (twice), home
                                 directory, and the login shell.
 
                                 <listitem><para>User name (twice), home
                                 directory, and the login shell.
-                                Set for the units which
+                                The variables are set for the units that
                                 have <varname>User=</varname> set,
                                 which includes user
                                 <command>systemd</command> instances.
                                 have <varname>User=</varname> set,
                                 which includes user
                                 <command>systemd</command> instances.
                                 <term><varname>$XDG_VTNR</varname></term>
 
                                 <listitem><para>The identifier of the
                                 <term><varname>$XDG_VTNR</varname></term>
 
                                 <listitem><para>The identifier of the
-                                session, and the seat name, and
+                                session, the seat name, and
                                 virtual terminal of the session. Set
                                 by
                                 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                                 for login sessions.
                                 <varname>$XDG_SEAT</varname> and
                                 virtual terminal of the session. Set
                                 by
                                 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                                 for login sessions.
                                 <varname>$XDG_SEAT</varname> and
-                                <varname>$XDG_VTNR</varname> will be
-                                only set when attached to a seat and a
+                                <varname>$XDG_VTNR</varname> will
+                                only be set when attached to a seat and a
                                 tty.</para></listitem>
                         </varlistentry>
 
                                 tty.</para></listitem>
                         </varlistentry>
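Review bot: The rewritten PrivateTmp= sentence now reads `directories inside it that is not shared by processes outside of the namespace`, which disagrees in number where the removed lines did not; `directories inside it that are not shared` restores it. The new SELinuxContext= entry has a typo, `needs to autorize the transition`, which should read `needs to authorize the transition`, and the same paragraph could say what ignoring errors under the `-` prefix means in practice — presumably that the process then runs without the requested context, so the silenced failure weakens confinement rather than merely hiding a log line; worth confirming against the implementation before wording it. The Environment= example now contains `$word` and the added sentence lists `$word 5 6` as a literal value, but nothing states that `$` is left unexpanded; if that is what the example is meant to show, a sentence such as `Note that variable expansion is not performed inside these strings.` would make it explicit.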