X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=f4caccdd23ada352ab2f8c36c50c888a252aa7cc;hp=17748d4066cf21561aae03fe3e7f0c39e9b4ab9b;hb=82adf6af7c72b852449346835f33184a841b4796;hpb=e0e009c067aa7237f9683c46e5845bbb11ec67c2

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 17748d406..f4caccdd2 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -295,9 +295,11 @@
                                 for the assignment.</para>
 
                                 <para>Example:
-                                <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting>
+                                <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
                                 gives three variables <literal>VAR1</literal>,
-                                <literal>VAR2</literal>, <literal>VAR3</literal>.
+                                <literal>VAR2</literal>, <literal>VAR3</literal>
+                                with the values <literal>word1 word2</literal>,
+                                <literal>word3</literal>, <literal>$word 5 6</literal>.
                                 </para>
 
                                 <para>
@@ -892,6 +894,24 @@
                                 for details.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>PrivateDevices=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true, sets up a new /dev
+                                namespace for the executed processes
+                                and only adds API pseudo devices such
+                                as <filename>/dev/null</filename>,
+                                <filename>/dev/zero</filename> or
+                                <filename>/dev/random</filename> to
+                                it, but no physical devices such as
+                                <filename>/dev/sda</filename>. This is
+                                useful to securely turn off physical
+                                device access by the executed
+                                process. Defaults to
+                                false.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><varname>MountFlags=</varname></term>
 
@@ -930,6 +950,23 @@
                                 this service.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>SELinuxContext=</varname></term>
+
+                                <listitem><para>Set the SELinux
+                                security context of the executed
+                                process. If set, this will override
+                                the automated domain
+                                transition. However, the policy still
+                                needs to autorize the transition. This
+                                directive is ignored if SELinux is
+                                disabled. If prefixed by
+                                <literal>-</literal>, all errors will
+                                be ignored. See
+                                <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+                                for details.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><varname>IgnoreSIGPIPE=</varname></term>
 
