diff options
author | WaLyong Cho <walyong.cho@samsung.com> | 2014-11-24 20:46:20 +0900 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2014-11-24 10:20:53 -0500 |
commit | 2ca620c4ed28c01f285d869d0b22f22a360957da (patch) | |
tree | b4807e97bf97f36c5b28fbe84c96a34864e6b972 /man/systemd.exec.xml | |
parent | 8086ffacdb1bfec5ec115d24626538bda6cc372e (diff) |
smack: introduce new SmackProcessLabel option
In service file, if the file has some of special SMACK label in
ExecStart= and systemd has no permission for the special SMACK label
then permission error will occurred. To resolve this, systemd should
be able to set its SMACK label to something accessible of ExecStart=.
So introduce new SmackProcessLabel. If label is specified with
SmackProcessLabel= then the child systemd will set its label to
that. To successfully execute the ExecStart=, accessible label should
be specified with SmackProcessLabel=.
Additionally, by SMACK policy, if the file in ExecStart= has no
SMACK64EXEC then the executed process will have given label by
SmackProcessLabel=. But if the file has SMACK64EXEC then the
SMACK64EXEC label will be overridden.
[zj: reword man page]
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index e9af4abd6d..0747d0e1f9 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1138,6 +1138,35 @@ </varlistentry> <varlistentry> + <term><varname>SmackProcessLabel=</varname></term> + + <listitem><para>Takes a + <option>SMACK64</option> security + label as argument. The process + executed by the unit will be started + under this label and SMACK will decide + whether the processes is allowed to + run or not based on it. The process + will continue to run under the label + specified here unless the executable + has its own + <option>SMACK64EXEC</option> label, in + which case the process will transition + to run under that label. When not + specified, the label that systemd is + running under is used. This directive + is ignored if SMACK is + disabled.</para> + + <para>The value may be prefixed by + <literal>-</literal>, in which case + all errors will be ignored. An empty + value may be specified to unset + previous assignments.</para> + </listitem> + </varlistentry> + + <varlistentry> <term><varname>IgnoreSIGPIPE=</varname></term> <listitem><para>Takes a boolean |