Provided by: libpam-modules_0.99.7.1-5ubuntu6_i386
namespace.conf - the namespace configuration file
This module allows setup of private namespaces with polyinstantiated
directories. Directories can be polyinstantiated based on user name or,
in the case of SELinux, user name, security context or both. If an
executable script /etc/security/namespace.init exists, it is used to
initialize the namespace every time a new instance directory is setup.
The script receives the polyinstantiated directory path and the
instance directory path as its arguments.
The /etc/security/namespace.conf file specifies which directories are
polyinstantiated, how they are polyinstantiated, how instance
directories would be named, and any users for whom polyinstantiation
would not be performed.
When someone logs in, the file namespace.conf is scanned where each non
comment line represents one polyinstantiated directory with space
separated fields as follows:
polydir instance_prefix method list_of_uids
The first field, polydir, is the absolute pathname of the directory to
polyinstantiate. Special entry $HOME is supported to designate user’s
home directory. This field cannot be blank.
The second field, instance_prefix is the string prefix used to build
the pathname for the instantiation of <polydir>. The directory security
context, or optionally its md5sum string (32 hex characters), is
appended to the prefix to generate the final instance directory path.
This directory is created if it did not exist already, and is then bind
mounted on the <polydir> to provide an instance of <polydir> based on
the <method> column. The special string $HOME is replaced with the
user’s home directory, and $USER with the username. This field cannot
be blank. The directory where polyinstantiated instances are to be
created, must exist and must have, by default, the mode of 000. The
requirement that the instance parent be of mode 000 can be overridden
with the command line option <ignore_instance_parent_mode>
The third field, method, is the method used for polyinstantiation. It
can take 3 different values; "user" for polyinstantiation based on user
name, "context" for polyinstantiation based on process security
context, and "both" for polyinstantiation based on both user name and
security context. Methods "context" and "both" are only available with
SELinux. This field cannot be blank.
The fourth field, list_of_uids, is a comma separated list of user names
for whom the polyinstantiation is not performed. If left blank,
polyinstantiation will be performed for all users.
These are some example lines which might be specified in
# The following three lines will polyinstantiate /tmp,
# /var/tmp and user’s home directories. /tmp and /var/tmp
# will be polyinstantiated based on both security context
# as well as user name, whereas home directory will be
# polyinstantiated based on security context only.
# Polyinstantiation will not be performed for user root
# and adm for directories /tmp and /var/tmp, whereas home
# directories will be polyinstantiated for all users.
# Note that instance directories do not have to reside inside
# the polyinstantiated directory. In the examples below,
# instances of /tmp will be created in /tmp-inst directory,
# where as instances of /var/tmp and users home directories
# will reside within the directories that are being
/tmp /tmp-inst/ both root,adm
/var/tmp /var/tmp/tmp-inst/ both root,adm
$HOME $HOME/$USER.inst/inst- context
For the <service>s you need polyinstantiation (login for example) put
the following line in /etc/pam.d/<service> as the last line for session
session required pam_namespace.so [arguments]
This module also depends on pam_selinux.so setting the context.
pam_namespace(8), pam.d(5), pam(8)
The namespace.conf manual page was written by Janak Desai