diff options
| author | Michal Sekletar <msekleta@redhat.com> | 2014-07-24 10:40:28 +0200 |
|---|---|---|
| committer | Michal Sekletar <msekleta@redhat.com> | 2014-09-19 12:32:06 +0200 |
| commit | 16115b0a7b7cdf08fb38084d857d572d8a9088dc (patch) | |
| tree | 2695c51cb8574ca2f1c6ea7bb90db11c4b5a88a2 /man/systemd.socket.xml | |
| parent | 863f3ce0d050f005839f6aa41fe7bac5478a7b5e (diff) | |
socket: introduce SELinuxContextFromNet option
This makes possible to spawn service instances triggered by socket with
MLS/MCS SELinux labels which are created based on information provided by
connected peer.
Implementation of label_get_child_mls_label derived from xinetd.
Reviewed-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'man/systemd.socket.xml')
| -rw-r--r-- | man/systemd.socket.xml | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 7a63348ca..dad026746 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml @@ -676,6 +676,32 @@ </varlistentry> <varlistentry> + <term><varname>SELinuxContextFromNet=</varname></term> + <listitem><para>Takes a boolean + argument. When true systemd will attempt + to figure out the SELinux label used + for the instantiated service from the + information handed by the peer over the + network. Note that only the security + level is used from the information + provided by the peer. Other parts of + the resulting SELinux context originate + from either the target binary that is + effectively triggered by socket unit + are taken from the value of the + <varname>SELinuxContext=</varname> + option.This configuration option only + affects sockets with + <varname>Accept=</varname> mode set to + <literal>true</literal>. Also note that + this option is useful only when + MLS/MCS SELinux policy is + deployed. Defaults to + <literal>false</literal>. + </para></listitem> + </varlistentry> + + <varlistentry> <term><varname>PipeSize=</varname></term> <listitem><para>Takes a size in bytes. Controls the pipe buffer size |