PAM_NAMESPACE

The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared-subtree feature. For additional information on shared-subtree feature, please refer to the mount(8) man page and the shared-subtree description at http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092.  

OPTIONS

debug

A lot of debug information is logged using syslog

unmnt_remnt

For programs such as su and newrole, the login session has already setup a polyinstantiated namespace. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context

unmnt_only

For trusted programs that want to undo any existing bind mounts and process instance directories on their own, this argument allows them to unmount currently mounted instance directories

require_selinux

If selinux is not enabled, return failure

gen_hash

Instead of using the security context string for the instance name, generate and use its md5 hash.

ignore_config_error

If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line. Without this option, pam will return an error to the calling program resulting in termination of the session.

ignore_instance_parent_mode

Instance parent directories by default are expected to have the restrictive mode of 000. Using this option, an administrator can choose to ignore the mode of the instance parent. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism.

no_unmount_on_close

For certain trusted programs such as newrole, open session is called from a child process while the parent performs close session and pam end functions. For these commands use this option to instruct pam_close_session to not unmount the bind mounted polyinstantiated directory in the parent.

use_current_context

Useful for services which do not change the SELinux context with setexeccon call. The module will use the current SELinux context of the calling process for the level and context polyinstantiation.

use_default_context

Useful for services which do not use pam_selinux for changing the SELinux context with setexeccon call. The module will use the default SELinux context of the user for the level and context polyinstantiation.

MODULE TYPES PROVIDED

Only the session module type is provided. The module must not be called from multithreaded processes.  

RETURN VALUES

PAM_SUCCESS

Namespace setup was successful.

PAM_SERVICE_ERR

Unexpected system error occurred while setting up namespace.

PAM_SESSION_ERR

Unexpected namespace configuration error occurred.

FILES

/etc/security/namespace.conf

Main configuration file

/etc/security/namespace.d

Directory for additional configuration files

/etc/security/namespace.init

Init script for instance directories

EXAMPLES

For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:

session required pam_namespace.so [arguments]

To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default:

/usr/sbin/gdm-safe-restart

This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets. Please use the initialization script /etc/security/namespace.init to ensure that the X server and its clients can appropriately access the communication socket X0. Please refer to the sample instructions provided in the comment section of the instance initialization script /etc/security/namespace.init. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp:

      1. Disable the use of font server by commenting out "FontPath"
         line in /etc/X11/xorg.conf. If you do want to use the font server
         then you will have to augment the instance initialization
         script to appropriately provide /tmp/.font-unix from the
         polyinstantiated /tmp.
      2. Ensure that the gdm service is setup to use pam_namespace,
         as described above, by modifying /etc/pam.d/gdm.
      3. Ensure that the display manager is configured to restart X server
         with each new session. This default setup can be verified by
         making sure that /usr/share/gdm/defaults.conf contains
         "AlwaysRestartServer=true", and it is not overridden by
         /etc/gdm/custom.conf.
    

SEE ALSO

namespace.conf(5), pam.d(5), mount(8), pam(7).  

AUTHORS

The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers. The pam_namespace PAM module was developed by Janak Desai <janak@us.ibm.com>, Chad Sellers <csellers@tresys.com> and Steve Grubb <sgrubb@redhat.com>. Additional improvements by Xavier Toth <txtoth@gmail.com> and Tomas Mraz <tmraz@redhat.com>.

Index

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

MODULE TYPES PROVIDED

RETURN VALUES

FILES

EXAMPLES

SEE ALSO

AUTHORS