# /etc/security/namespace.conf # # See /usr/share/doc/pam-*/txts/README.pam_namespace for more information. # # Uncommenting the following three lines will polyinstantiate # /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will # be polyinstantiated based on the MLS level part of the security context as well as user # name, Polyinstantion will not be performed for user root and adm for directories # /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users. # The user name and context is appended to the instance prefix. # # Note that instance directories do not have to reside inside the # polyinstantiated directory. In the examples below, instances of /tmp # will be created in /tmp-inst directory, where as instances of /var/tmp # and users home directories will reside within the directories that # are being polyinstantiated. # # Instance parent directories must exist for the polyinstantiation # mechanism to work. By default, they should be created with the mode # of 000. pam_namespace module will enforce this mode unless it # is explicitly called with an argument to ignore the mode of the # instance parent. System administrators should use this argument with # caution, as it will reduce security and isolation achieved by # polyinstantiation. The parent directories (except $HOME) are created # at boot by pam_namespace_helper, but in a live system, system # administrators should create the parent directories before enabling # them here. # #/tmp /tmp-inst/ level root,adm #/var/tmp /var/tmp/tmp-inst/ level root,adm #$HOME $HOME/$USER.inst/ level