From 16115b0a7b7cdf08fb38084d857d572d8a9088dc Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Thu, 24 Jul 2014 10:40:28 +0200 Subject: socket: introduce SELinuxContextFromNet option This makes possible to spawn service instances triggered by socket with MLS/MCS SELinux labels which are created based on information provided by connected peer. Implementation of label_get_child_mls_label derived from xinetd. Reviewed-by: Paul Moore --- man/systemd.socket.xml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'man/systemd.socket.xml') diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 7a63348caf..dad0267467 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml @@ -675,6 +675,32 @@ for details. + + SELinuxContextFromNet= + Takes a boolean + argument. When true systemd will attempt + to figure out the SELinux label used + for the instantiated service from the + information handed by the peer over the + network. Note that only the security + level is used from the information + provided by the peer. Other parts of + the resulting SELinux context originate + from either the target binary that is + effectively triggered by socket unit + are taken from the value of the + SELinuxContext= + option.This configuration option only + affects sockets with + Accept= mode set to + true. Also note that + this option is useful only when + MLS/MCS SELinux policy is + deployed. Defaults to + false. + + + PipeSize= Takes a size in -- cgit v1.2.3-54-g00ecf
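Review bot: the sentence describing where the rest of the context comes from is ungrammatical in the new SELinuxContextFromNet= paragraph: "originate from either the target binary that is effectively triggered by socket unit are taken from the value of the SELinuxContext= option" is missing the "or" and the article. Suggest "originate either from the target binary that is effectively triggered by the socket unit or are taken from the value of the SELinuxContext= option." In the same paragraph "option.This configuration option" needs a space after the full stop. Since this option only overrides the security level (MLS/MCS range) and only for Accept=true sockets, it would also help the reader if the paragraph said what systemd does when the peer supplies no usable label, i.e. whether the instance is spawned with the context it would have had without this option or the connection is refused; the text as written leaves that undefined.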