| 3 |
- |
1 |
# /etc/security/namespace.conf
|
|
|
2 |
#
|
|
|
3 |
# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information.
|
|
|
4 |
#
|
|
|
5 |
# Uncommenting the following three lines will polyinstantiate
|
|
|
6 |
# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
|
|
|
7 |
# be polyinstantiated based on the MLS level part of the security context as well as user
|
|
|
8 |
# name, Polyinstantion will not be performed for user root and adm for directories
|
|
|
9 |
# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
|
|
|
10 |
# The user name and context is appended to the instance prefix.
|
|
|
11 |
#
|
|
|
12 |
# Note that instance directories do not have to reside inside the
|
|
|
13 |
# polyinstantiated directory. In the examples below, instances of /tmp
|
|
|
14 |
# will be created in /tmp-inst directory, where as instances of /var/tmp
|
|
|
15 |
# and users home directories will reside within the directories that
|
|
|
16 |
# are being polyinstantiated.
|
|
|
17 |
#
|
|
|
18 |
# Instance parent directories must exist for the polyinstantiation
|
|
|
19 |
# mechanism to work. By default, they should be created with the mode
|
|
|
20 |
# of 000. pam_namespace module will enforce this mode unless it
|
|
|
21 |
# is explicitly called with an argument to ignore the mode of the
|
|
|
22 |
# instance parent. System administrators should use this argument with
|
|
|
23 |
# caution, as it will reduce security and isolation achieved by
|
|
|
24 |
# polyinstantiation.
|
|
|
25 |
#
|
|
|
26 |
#/tmp /tmp-inst/ level root,adm
|
|
|
27 |
#/var/tmp /var/tmp/tmp-inst/ level root,adm
|
|
|
28 |
#$HOME $HOME/$USER.inst/ level
|