summaryrefslogtreecommitdiff
path: root/docs/podman-run.1.md
diff options
context:
space:
mode:
Diffstat (limited to 'docs/podman-run.1.md')
-rw-r--r--docs/podman-run.1.md15
1 files changed, 8 insertions, 7 deletions
diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md
index 2445df566..447d4f282 100644
--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@@ -665,11 +665,12 @@ Security Options
- `apparmor=unconfined` : Turn off apparmor confinement for the container
- `apparmor=your-profile` : Set the apparmor confinement profile for the container
-- `label=user:USER` : Set the label user for the container
-- `label=role:ROLE` : Set the label role for the container
-- `label=type:TYPE` : Set the label type for the container
-- `label=level:LEVEL` : Set the label level for the container
-- `label=disable` : Turn off label confinement for the container
+- `label=user:USER` : Set the label user for the container processes
+- `label=role:ROLE` : Set the label role for the container processes
+- `label=type:TYPE` : Set the label process type for the container processes
+- `label=level:LEVEL` : Set the label level for the container processes
+- `label=filetype:TYPE` : Set the label file type for the container files
+- `label=disable` : Turn off label separation for the container
- `no-new-privileges` : Disable container processes from gaining additional privileges
@@ -735,14 +736,14 @@ Note: if you use the `--network=host` option these sysctls will not be allowed.
Run container in systemd mode. The default is *true*.
-If the command you running inside of the container is systemd or init, podman
+If the command you are running inside of the container is systemd or init, podman
will setup tmpfs mount points in the following directories:
/run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal
It will also set the default stop signal to SIGRTMIN+3.
-This allow systemd to run in a confined container without any modifications.
+This allows systemd to run in a confined container without any modifications.
Note: On `SELinux` systems, systemd attempts to write to the cgroup
file system. Containers writing to the cgroup file system are denied by default.