path: root/modules/pam_namespace/namespace.conf.5.xml
blob: 36a1a085eb50d2c81b7f10a1a5023dd0de85eb41 (plain)
<?xml version="1.0" encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
        "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">

<refentry id="namespace.conf">

  <refmeta>
    <refentrytitle>namespace.conf</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname>namespace.conf</refname>
    <refpurpose>the namespace configuration file</refpurpose>
  </refnamediv>


  <refsect1 id='namespace.conf-description'>
    <title>DESCRIPTION</title>

    <para>
      This module allows setup of private namespaces with polyinstantiated
      directories. Directories can be polyinstantiated based on user name
      or, in the case of SELinux, on user name, security context or both. If an
      executable script <filename>/etc/security/namespace.init</filename>
      exists, it is used to initialize the namespace every time a new instance
      directory is set up. The script receives the polyinstantiated
      directory path and the instance directory path as its arguments.
    </para>

    <para>
      The <filename>/etc/security/namespace.conf</filename> file specifies
      which directories are polyinstantiated, how they are polyinstantiated,
      how instance directories would be named, and any users for whom
      polyinstantiation would not be performed.
    </para>

    <para>
      When a user logs in, <filename>namespace.conf</filename> is
      scanned; each non-comment line describes one polyinstantiated
      directory, with space-separated fields as follows:
    </para>

    <para>
      <replaceable>polydir</replaceable> <replaceable> instance_prefix</replaceable> <replaceable> method</replaceable> <replaceable> list_of_uids</replaceable>
    </para>

    <para>
      The first field, <replaceable>polydir</replaceable>, is the absolute
      pathname of the directory to polyinstantiate. The special entry $HOME
      designates the user's home directory. This field cannot be
      blank.
    </para>

    <para>
      The second field, <replaceable>instance_prefix</replaceable>, is
      the string prefix used to build the pathname of the instance
      of &lt;polydir&gt;. The directory security context, or optionally its
      md5sum string (32 hex characters), is appended to the prefix to
      generate the final instance directory path. This directory is
      created if it does not already exist, and is then bind mounted on
      &lt;polydir&gt; to provide an instance of &lt;polydir&gt; according to
      the &lt;method&gt; column. The special string $HOME is replaced with the
      user's home directory, and $USER with the user name. This field cannot
      be blank. The directory in which the instances are created must
      already exist and must, by default, have mode 000, so that
      unprivileged users cannot list or enter other users' instances
      directly. The mode 000 requirement on the instance parent can be
      overridden with the module option
      <option>ignore_instance_parent_mode</option>, given as an argument on
      the pam_namespace.so line of the pam.d configuration.
    </para>

    <para>
      The third field, <replaceable>method</replaceable>, is the method
      used for polyinstantiation. It takes one of three values: "user"
      for polyinstantiation based on user name, "context" for
      polyinstantiation based on process security context, and "both"
      for polyinstantiation based on both user name and security context.
      Methods "context" and "both" are only available with SELinux. This
      field cannot be blank.
    </para>

    <para>
      The fourth field, <replaceable>list_of_uids</replaceable>, is
      a comma-separated list of user names for whom polyinstantiation
      is not performed. If left blank, polyinstantiation is performed
      for all users.
    </para>
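    <para>
      The following Python script is an added example and is not part of
      Linux-PAM. It parses namespace.conf lines into the four fields described
      above, expands $HOME and $USER, derives the instance parent directory and
      checks that it exists and has mode 000. The suffix it appends for the
      "user" and "both" methods is an assumption about how pam_namespace names
      instances (the page only describes the security-context case), and the
      sample configuration, user name and home directory are constructed for
      the example.
    </para>

    <programlisting>
```python
"""Parse and sanity-check /etc/security/namespace.conf entries.

Added example; not part of Linux-PAM.  The four-field format, the $HOME/$USER
substitution and the mode-000 rule for the instance parent come from the manual
page.  The suffix appended for the "user" and "both" methods is an ASSUMPTION
about pam_namespace's naming; the md5sum variant of the context is not modelled.
"""
import os, shutil, stat, tempfile
from dataclasses import dataclass, field
from typing import List, Optional

VALID_METHODS = ("user", "context", "both")

# Constructed sample mirroring the EXAMPLES section of the manual page.
SAMPLE_CONF = """\
/tmp     /tmp-inst/             both      root,adm
/var/tmp /var/tmp/tmp-inst/     both      root,adm
$HOME    $HOME/$USER.inst/inst- context
"""

@dataclass
class PolyDir:
    polydir: str
    instance_prefix: str
    method: str
    excluded_users: List[str] = field(default_factory=list)

def parse_namespace_conf(text: str) -> List[PolyDir]:
    """One PolyDir per non-comment line.  A malformed line raises ValueError
    rather than being skipped: a dropped entry is a directory that is silently
    NOT polyinstantiated."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (3, 4):
            raise ValueError(f"line {lineno}: expected 3 or 4 fields, got {len(fields)}")
        polydir, prefix, method = fields[:3]
        if not (polydir.startswith("/") or polydir.startswith("$HOME")):
            raise ValueError(f"line {lineno}: polydir must be absolute or $HOME")
        if method not in VALID_METHODS:
            raise ValueError(f"line {lineno}: unknown method {method!r}")
        excluded = [u for u in fields[3].split(",") if u] if len(fields) == 4 else []
        entries.append(PolyDir(polydir, prefix, method, excluded))
    return entries

def expand(path: str, user: str, home: str) -> str:
    """Substitute $HOME and $USER as the manual page describes."""
    return path.replace("$HOME", home).replace("$USER", user)

def instance_dir(entry: PolyDir, user: str, home: str, context: Optional[str] = None) -> str:
    """Instance path for one user; "context" and "both" need an SELinux context."""
    if entry.method != "user" and context is None:
        raise ValueError(f"method {entry.method!r} needs an SELinux context")
    suffix = {"user": user, "context": context, "both": f"{context}_{user}"}[entry.method]
    return expand(entry.instance_prefix, user, home) + suffix

def instance_parent(entry: PolyDir, user: str, home: str) -> str:
    """Directory in which instances are created; must pre-exist with mode 000."""
    prefix = expand(entry.instance_prefix, user, home)
    return prefix.rstrip("/") if prefix.endswith("/") else os.path.dirname(prefix)

def check_instance_parent(entry: PolyDir, user: str, home: str) -> List[str]:
    """Problems with the instance parent (empty list: acceptable).  lstat() is
    deliberate so a symlink planted in place of the parent is not followed."""
    parent = instance_parent(entry, user, home)
    try:
        st = os.lstat(parent)
    except FileNotFoundError:
        return [f"{parent}: does not exist"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{parent}: not a directory")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0:
        problems.append(f"{parent}: mode {mode:04o}, expected 0000 "
                        "(or pass ignore_instance_parent_mode)")
    return problems

def demo_mode_check() -> tuple:
    """Create a 0755 and a 0000 instance parent in a scratch dir and check both;
    returns (problem count for the 0755 parent, problem count for the 0000 one)."""
    root = tempfile.mkdtemp()
    try:
        bad = PolyDir("/tmp", root + "/bad-inst/", "user")
        good = PolyDir("/tmp", root + "/good-inst/", "user")
        os.mkdir(instance_parent(bad, "alice", "/home/alice"), 0o755)
        os.mkdir(instance_parent(good, "alice", "/home/alice"), 0o000)
        return (len(check_instance_parent(bad, "alice", "/home/alice")),
                len(check_instance_parent(good, "alice", "/home/alice")))
    finally:
        for d in os.listdir(root):
            os.chmod(os.path.join(root, d), 0o700)
        shutil.rmtree(root)
```
    </programlisting>

    <para>
      Parsing is strict on purpose: an entry that a lenient parser would skip is
      a directory that pam_namespace would not polyinstantiate, which is a
      silent loss of isolation rather than a visible error. The mode check uses
      lstat() so that a symbolic link placed where the instance parent should be
      is reported instead of followed.
    </para>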

  </refsect1>

  <refsect1 id="namespace.conf-examples">
    <title>EXAMPLES</title>
    <para>
      These are some example lines which might be specified in
      <filename>/etc/security/namespace.conf</filename>.
    </para>

    <literallayout>
      # The following three lines will polyinstantiate /tmp,
      # /var/tmp and users' home directories. /tmp and /var/tmp
      # will be polyinstantiated based on both security context
      # and user name, whereas home directories will be
      # polyinstantiated based on security context only.
      # Polyinstantiation will not be performed for users root
      # and adm for directories /tmp and /var/tmp, whereas home
      # directories will be polyinstantiated for all users.
      #
      # Note that instance directories do not have to reside inside
      # the polyinstantiated directory. In the examples below,
      # instances of /tmp will be created in the /tmp-inst directory,
      # whereas instances of /var/tmp and of users' home directories
      # will reside within the directories that are being
      # polyinstantiated.
      #
      /tmp     /tmp-inst/             both      root,adm
      /var/tmp /var/tmp/tmp-inst/     both      root,adm
      $HOME    $HOME/$USER.inst/inst- context
    </literallayout>

    <para>
      For each &lt;service&gt; that needs polyinstantiation (login, for example),
      add the following line to /etc/pam.d/&lt;service&gt; as the last line of
      its session group:
    </para>

    <para>
      session  required  pam_namespace.so [arguments]
    </para>

    <para>
      Polyinstantiation by security context (methods "context" and "both")
      also depends on pam_selinux.so having set the context earlier in the
      session group.
    </para>
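    <para>
      The following Python script is an added example and is not part of
      Linux-PAM. It reads the session group of a pam.d service file and checks
      the two requirements stated above: that pam_namespace.so is the last
      session line, and, when a context-based method is in use, that
      pam_selinux.so is present to set the context. The sample pam.d contents
      are constructed for the example.
    </para>

    <programlisting>
```python
"""Check the session group of a pam.d service file for pam_namespace ordering.

Added example; not part of Linux-PAM.  It verifies what the manual page asks
for: pam_namespace.so must be the last session line, and the context-based
methods need pam_selinux.so to have set the context.  The sample files below
are constructed for the example.
"""
import os
from typing import List, Optional

# Constructed sample: session group of a login-style service.
GOOD = """\
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required     pam_selinux.so open
session    required     pam_namespace.so
"""
BAD_ORDER = GOOD + "session    optional     pam_lastlog.so\n"
NO_SELINUX = "session    required     pam_unix.so\nsession    required     pam_namespace.so\n"


def session_modules(pam_text: str) -> List[str]:
    """Module names of the session group in file order.

    Understands '-session' (silently optional) lines, backslash line
    continuations and bracketed control fields such as [success=1 default=ignore].
    """
    modules = []
    for raw in pam_text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].lstrip("-") != "session":
            continue
        ctrl_end = 1                       # index of the last control-field token
        if fields[1].startswith("["):
            while not fields[ctrl_end].endswith("]"):
                ctrl_end += 1
        modules.append(os.path.basename(fields[ctrl_end + 1]))
    return modules


def check_namespace_order(pam_text: str, needs_context: bool = False) -> Optional[str]:
    """None when the file satisfies the requirements, otherwise the problem."""
    mods = session_modules(pam_text)
    if "pam_namespace.so" not in mods:
        return "pam_namespace.so is not in the session group"
    if mods[-1] != "pam_namespace.so":
        return f"pam_namespace.so must be the last session line, but {mods[-1]} follows it"
    if needs_context and "pam_selinux.so" not in mods:
        return "methods 'context'/'both' need pam_selinux.so in the session group"
    return None


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD_ORDER", BAD_ORDER), ("NO_SELINUX", NO_SELINUX)):
        print(name, check_namespace_order(text, needs_context=True))
```
    </programlisting>

    <para>
      Pass needs_context=True when namespace.conf uses the "context" or "both"
      method for any directory; with "user" only, the absence of pam_selinux.so
      is not reported.
    </para>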

  </refsect1>

  <refsect1 id="namespace.conf-see_also">
    <title>SEE ALSO</title>
    <para>
      <citerefentry><refentrytitle>pam_namespace</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

  <refsect1 id="namespace.conf-author">
    <title>AUTHORS</title>
    <para>
      The namespace.conf manual page was written by Janak Desai &lt;janak@us.ibm.com&gt;.
    </para>
  </refsect1>
</refentry>