1 files changed, 28 insertions, 0 deletions

diff --git a/modules/pam_namespace/namespace.conf b/modules/pam_namespace/namespace.conf
new file mode 100644
index 00000000..f973225f
--- /dev/null
+++ b/modules/pam_namespace/namespace.conf
@@ -0,0 +1,28 @@
+# /etc/security/namespace.conf
+#
+# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information.
+#
+# Uncommenting the following three lines will polyinstantiate
+# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
+# be polyinstantiated based on the MLS level part of the security context as well as user
+# name, Polyinstantion will not be performed for user root and adm for directories 
+# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users. 
+# The user name and context is appended to the instance prefix.
+#
+# Note that instance directories do not have to reside inside the
+# polyinstantiated directory. In the examples below, instances of /tmp
+# will be created in /tmp-inst directory, where as instances of /var/tmp
+# and users home directories will reside within the directories that
+# are being polyinstantiated.
+#
+# Instance parent directories must exist for the polyinstantiation
+# mechanism to work. By default, they should be created with the mode
+# of 000. pam_namespace module will enforce this mode unless it
+# is explicitly called with an argument to ignore the mode of the
+# instance parent. System administrators should use this argument with
+# caution, as it will reduce security and isolation achieved by
+# polyinstantiation.
+#
+#/tmp     /tmp-inst/       	level      root,adm
+#/var/tmp /var/tmp/tmp-inst/   	level      root,adm
+#$HOME    $HOME/$USER.inst/     level