1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "NAMESPACE.CONF" 5 "" "" ""
.SH NAME
namespace.conf \- the namespace configuration file
.SH "DESCRIPTION"
.PP
This module allows setup of private namespaces with polyinstantiated directories\&. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, security context or both\&. If an executable script \fI/etc/security/namespace\&.init\fR exists, it is used to initialize the namespace every time a new instance directory is setup\&. The script receives the polyinstantiated directory path and the instance directory path as its arguments\&.
.PP
The \fI/etc/security/namespace\&.conf\fR file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed\&.
.PP
When someone logs in, the file \fInamespace\&.conf\fR is scanned where each non comment line represents one polyinstantiated directory with space separated fields as follows:
.PP
\fIpolydir\fR \fI instance_prefix\fR \fI method\fR \fI list_of_uids\fR
.PP
The first field, \fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate\&. Special entry $HOME is supported to designate user's home directory\&. This field cannot be blank\&.
.PP
The second field, \fIinstance_prefix\fR is the string prefix used to build the pathname for the instantiation of <polydir>\&. The directory security context, or optionally its md5sum string (32 hex characters), is appended to the prefix to generate the final instance directory path\&. This directory is created if it did not exist already, and is then bind mounted on the <polydir> to provide an instance of <polydir> based on the <method> column\&. The special string $HOME is replaced with the user's home directory, and $USER with the username\&. This field cannot be blank\&. The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 000\&. The requirement that the instance parent be of mode 000 can be overridden with the command line option <ignore_instance_parent_mode>
.PP
The third field, \fImethod\fR, is the method used for polyinstantiation\&. It can take 3 different values; "user" for polyinstantiation based on user name, "context" for polyinstantiation based on process security context, and "both" for polyinstantiation based on both user name and security context\&. Methods "context" and "both" are only available with SELinux\&. This field cannot be blank\&.
.PP
The fourth field, \fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed\&. If left blank, polyinstantiation will be performed for all users\&.
.SH "EXAMPLES"
.PP
These are some example lines which might be specified in \fI/etc/security/namespace\&.conf\fR\&.
.nf
# The following three lines will polyinstantiate /tmp,
# /var/tmp and user's home directories\&. /tmp and /var/tmp
# will be polyinstantiated based on both security context
# as well as user name, whereas home directory will be
# polyinstantiated based on security context only\&.
# Polyinstantiation will not be performed for user root
# and adm for directories /tmp and /var/tmp, whereas home
# directories will be polyinstantiated for all users\&.
#
# Note that instance directories do not have to reside inside
# the polyinstantiated directory\&. In the examples below,
# instances of /tmp will be created in /tmp\-inst directory,
# where as instances of /var/tmp and users home directories
# will reside within the directories that are being
# polyinstantiated\&.
#
/tmp /tmp\-inst/ both root,adm
/var/tmp /var/tmp/tmp\-inst/ both root,adm
$HOME $HOME/$USER\&.inst/inst\- context
.fi
.PP
For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam\&.d/<service> as the last line for session group:
.PP
session required pam_namespace\&.so [arguments]
.PP
This module also depends on pam_selinux\&.so setting the context\&.
.SH "SEE ALSO"
.PP
\fBpam_namespace\fR(8), \fBpam\&.d\fR(5), \fBpam\fR(8)
.SH "AUTHORS"
.PP
The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&.
|
