Provided by: libpam-modules_0.99.7.1-5ubuntu6_i386 bug

NAME

       namespace.conf - the namespace configuration file

DESCRIPTION

       This  module  allows  setup of private namespaces with polyinstantiated
       directories. Directories can be polyinstantiated based on user name or,
       in  the  case  of  SELinux,  user name, security context or both. If an
       executable script /etc/security/namespace.init exists, it  is  used  to
       initialize  the namespace every time a new instance directory is setup.
       The  script  receives  the  polyinstantiated  directory  path  and  the
       instance directory path as its arguments.

       The  /etc/security/namespace.conf  file specifies which directories are
       polyinstantiated,  how  they   are   polyinstantiated,   how   instance
       directories  would  be  named, and any users for whom polyinstantiation
       would not be performed.

       When someone logs in, the file namespace.conf is scanned where each non
       comment  line  represents  one  polyinstantiated  directory  with space
       separated fields as follows:

        polydir   instance_prefix   method   list_of_uids

       The first field, polydir, is the absolute pathname of the directory  to
       polyinstantiate.  Special  entry $HOME is supported to designate user’s
       home directory. This field cannot be blank.

       The second field, instance_prefix is the string prefix  used  to  build
       the pathname for the instantiation of <polydir>. The directory security
       context, or optionally  its  md5sum  string  (32  hex  characters),  is
       appended  to  the prefix to generate the final instance directory path.
       This directory is created if it did not exist already, and is then bind
       mounted  on  the <polydir> to provide an instance of <polydir> based on
       the <method> column. The special string  $HOME  is  replaced  with  the
       user’s  home  directory, and $USER with the username. This field cannot
       be blank. The directory where  polyinstantiated  instances  are  to  be
       created,  must  exist  and  must have, by default, the mode of 000. The
       requirement that the instance parent be of mode 000 can  be  overridden
       with the command line option <ignore_instance_parent_mode>

       The  third  field, method, is the method used for polyinstantiation. It
       can take 3 different values; "user" for polyinstantiation based on user
       name,   "context"  for  polyinstantiation  based  on  process  security
       context, and "both" for polyinstantiation based on both user  name  and
       security  context. Methods "context" and "both" are only available with
       SELinux. This field cannot be blank.

       The fourth field, list_of_uids, is a comma separated list of user names
       for  whom  the  polyinstantiation  is  not  performed.  If  left blank,
       polyinstantiation will be performed for all users.

EXAMPLES

       These  are  some  example   lines   which   might   be   specified   in
       /etc/security/namespace.conf.

             # The following three lines will polyinstantiate /tmp,
             # /var/tmp and user’s home directories. /tmp and /var/tmp
             # will be polyinstantiated based on both security context
             # as well as user name, whereas home directory will be
             # polyinstantiated based on security context only.
             # Polyinstantiation will not be performed for user root
             # and adm for directories /tmp and /var/tmp, whereas home
             # directories will be polyinstantiated for all users.
             #
             # Note that instance directories do not have to reside inside
             # the polyinstantiated directory. In the examples below,
             # instances of /tmp will be created in /tmp-inst directory,
             # where as instances of /var/tmp and users home directories
             # will reside within the directories that are being
             # polyinstantiated.
             #
             /tmp     /tmp-inst/          both      root,adm
             /var/tmp /var/tmp/tmp-inst/       both      root,adm
             $HOME    $HOME/$USER.inst/inst- context

       For  the  <service>s you need polyinstantiation (login for example) put
       the following line in /etc/pam.d/<service> as the last line for session
       group:

       session required pam_namespace.so [arguments]

       This module also depends on pam_selinux.so setting the context.

SEE ALSO

        pam_namespace(8), pam.d(5), pam(8)

AUTHORS

       The   namespace.conf   manual   page   was   written   by  Janak  Desai
       <janak@us.ibm.com>.

                                                             NAMESPACE.CONF(5)