diff options
Diffstat (limited to 'modules/pam_namespace/namespace.conf')
-rw-r--r-- | modules/pam_namespace/namespace.conf | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/modules/pam_namespace/namespace.conf b/modules/pam_namespace/namespace.conf new file mode 100644 index 0000000..75ec619 --- /dev/null +++ b/modules/pam_namespace/namespace.conf @@ -0,0 +1,31 @@ +# /etc/security/namespace.conf +# +# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information. +# +# Uncommenting the following three lines will polyinstantiate +# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will +# be polyinstantiated based on the MLS level part of the security context as well as user +# name, Polyinstantion will not be performed for user root and adm for directories +# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users. +# The user name and context is appended to the instance prefix. +# +# Note that instance directories do not have to reside inside the +# polyinstantiated directory. In the examples below, instances of /tmp +# will be created in /tmp-inst directory, where as instances of /var/tmp +# and users home directories will reside within the directories that +# are being polyinstantiated. +# +# Instance parent directories must exist for the polyinstantiation +# mechanism to work. By default, they should be created with the mode +# of 000. pam_namespace module will enforce this mode unless it +# is explicitly called with an argument to ignore the mode of the +# instance parent. System administrators should use this argument with +# caution, as it will reduce security and isolation achieved by +# polyinstantiation. The parent directories (except $HOME) are created +# at boot by pam_namespace_helper, but in a live system, system +# administrators should create the parent directories before enabling +# them here. +# +#/tmp /tmp-inst/ level root,adm +#/var/tmp /var/tmp/tmp-inst/ level root,adm +#$HOME $HOME/$USER.inst/ level |