конфигурация среды выполнения (Execution environment configuration)
MANDATORY ACCESS CONTROL
These options are only available for system services and are not
supported for services running in per-user instances of the
service manager.
SELinuxContext=
Set the SELinux security context of the executed process. If
set, this will override the automated domain transition.
However, the policy still needs to authorize the transition.
This directive is ignored if SELinux is disabled. If prefixed
by "-", all errors will be ignored. This does not affect
commands prefixed with "+". See setexeccon(3) for details.
AppArmorProfile=
Takes a profile name as argument. The process executed by the
unit will switch to this profile when started. Profiles must
already be loaded in the kernel, or the unit will fail. If
prefixed by "-", all errors will be ignored. This setting has
no effect if AppArmor is not enabled. This setting does not
affect commands prefixed with "+".
SmackProcessLabel=
Takes a SMACK64 security label as argument. The process
executed by the unit will be started under this label and
SMACK will decide whether the process is allowed to run or
not, based on it. The process will continue to run under the
label specified here unless the executable has its own
SMACK64EXEC label, in which case the process will transition
to run under that label. When not specified, the label that
systemd is running under is used. This directive is ignored
if SMACK is disabled.
The value may be prefixed by "-", in which case all errors
will be ignored. An empty value may be specified to unset
previous assignments. This does not affect commands prefixed
with "+".
