selinux: support infering SELinux label also from socket not connected to stdin

Fixes #19918
2026-04-14 00:14:32 +09:00 · 2021-06-29 17:10:27 +02:00
parent 7e4dcd2d1f
commit 49590d67c9
2 changed files with 22 additions and 9 deletions
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -629,10 +629,12 @@
         resulting SELinux context originate from either the target
         binary that is effectively triggered by socket unit or from
         the value of the <varname>SELinuxContext=</varname> option.
-         This configuration option only affects sockets with
-         <varname>Accept=</varname> mode set to
-         <literal>yes</literal>. Also note that this option is useful
-         only when MLS/MCS SELinux policy is deployed. Defaults to
+         This configuration option applies only when activated service
+         is passed in single socket file descriptor, i.e. service
+         instances that have standard input connected to a socket or
+         services triggered by exactly one socket unit. Also note
+         that this option is useful only when MLS/MCS SELinux policy
+         is deployed. Defaults to
         <literal>false</literal>. </para></listitem>
      </varlistentry>