INITIAL
BEFORE_HTML
BEFORE_HEAD
IN_HEAD
IN_HEAD
GENERIC_RCDATA
GENERIC_RCDATA
GENERIC_RCDATA
GENERIC_RCDATA
IN_HEAD
IN_HEAD
AFTER_HEAD
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
I       pam_namespace — PAM module for configuring namespace for a session

   ══════════════════════════════════════════════════════════════════════════

DESCRIPTION

   The pam_namespace PAM module sets up a private namespace for a session
   with polyinstantiated directories. A polyinstantiated directory provides a
   different instance of itself based on user name, or when using SELinux,
   user name, security context or both. If an executable script
   /etc/security/namespace.init exists, it is used to initialize the instance
   directory after it is set up and mounted on the polyinstantiated
   directory. The script receives the polyinstantiated directory path, the
   instance directory path, flag whether the instance directory was newly
   created (0 for no, 1 for yes), and the user name as its arguments. The
   script is invoked with full root privileges and accessing the instance
   directory in this context needs to be done with caution, as it is
   controlled by the unprivileged user for which it has been created.

   If /etc/security/namespace.init does not exist,
   %vendordir%/security/namespace.init is the alternative to be used for it.

   The pam_namespace module disassociates the session namespace from the
   parent namespace. Any mounts/unmounts performed in the parent namespace,
   such as mounting of devices, are not reflected in the session namespace.
   To propagate selected mount/unmount events from the parent namespace into
   the disassociated session namespace, an administrator may use the special
   shared-subtree feature. For additional information on shared-subtree
   feature, please refer to the mount(8) man page and the shared-subtree
   description at http://lwn.net/Articles/159077 and
   http://lwn.net/Articles/159092.

OPTIONS

   debug

   A lot of debug information is logged using syslog

   unmnt_remnt

   For programs such as su and newrole, the login session has already setup a
   polyinstantiated namespace. For these programs, polyinstantiation is
   performed based on new user id or security context, however the command
   first needs to undo the polyinstantiation performed by login. This
   argument instructs the command to first undo previous polyinstantiation
   before proceeding with new polyinstantiation based on new id/context

   unmnt_only

   For trusted programs that want to undo any existing bind mounts and
   process instance directories on their own, this argument allows them to
   unmount currently mounted instance directories

   require_selinux

   If selinux is not enabled, return failure

   gen_hash

   Instead of using the security context string for the instance name,
   generate and use its md5 hash.

   ignore_config_error

   If a line in the configuration file corresponding to a polyinstantiated
   directory contains format error, skip that line process the next line.
   Without this option, pam will return an error to the calling program
   resulting in termination of the session.

   ignore_instance_parent_mode

   Instance parent directories by default are expected to have the
   restrictive mode of 000. Using this option, an administrator can choose to
   ignore the mode of the instance parent. This option should be used with
   caution as it will reduce security and isolation goals of the
   polyinstantiation mechanism.

   unmount_on_close

   Explicitly unmount the polyinstantiated directories instead of relying on
   automatic namespace destruction after the last process in a namespace
   exits. This option should be used only in case it is ensured by other
   means that there cannot be any processes running in the private namespace
   left after the session close. It is also useful only in case there are
   multiple pam session calls in sequence from the same process.

   use_current_context

   Useful for services which do not change the SELinux context with
   setexeccon call. The module will use the current SELinux context of the
   calling process for the level and context polyinstantiation.

   use_default_context

   Useful for services which do not use pam_selinux for changing the SELinux
   context with setexeccon call. The module will use the default SELinux
   context of the user for the level and context polyinstantiation.

   mount_private

   This option can be used on systems where the / mount point or its
   submounts are made shared (for example with a mount --make-rshared /
   command). The module will mark the whole directory tree so any mount and
   unmount operations in the polyinstantiation namespace are private.
   Normally the pam_namespace will try to detect the shared / mount point and
   make the polyinstantiated directories private automatically. This option
   has to be used just when only a subtree is shared and / is not.

   Note that mounts and unmounts done in the private namespace will not
   affect the parent namespace if this option is used or when the shared /
   mount point is autodetected.

DESCRIPTION

   The pam_namespace.so module allows setup of private namespaces with
   polyinstantiated directories. Directories can be polyinstantiated based on
   user name or, in the case of SELinux, user name, sensitivity level or
   complete security context. If an executable script
   /etc/security/namespace.init exists, it is used to initialize the
   namespace every time an instance directory is set up and mounted. The
   script receives the polyinstantiated directory path and the instance
   directory path as its arguments. The script is invoked with full root
   privileges and accessing the instance directory in this context needs to
   be done with caution, as it is controlled by the unprivileged user for
   which it has been created.

   The /etc/security/namespace.conf file specifies which directories are
   polyinstantiated, how they are polyinstantiated, how instance directories
   would be named, and any users for whom polyinstantiation would not be
   performed.

   The /etc/security/namespace.conf file ( or
   %vendordir%/security/namespace.conf if it does not exist) specifies which
   directories are polyinstantiated, how they are polyinstantiated, how
   instance directories would be named, and any users for whom
   polyinstantiation would not be performed. Then individual *.conf files
   from the /etc/security/namespace.d/ and %vendordir%/security/namespace.d
   directories are taken too. If /etc/security/namespace.d/@filename@.conf
   exists, then %vendordir%/security/namespace.d/@filename@.conf will not be
   used. All namespace.d/*.conf files are sorted by their @filename@.conf in
   lexicographic order regardless of which of the directories they reside in.

   When someone logs in, the file namespace.conf is scanned. Comments are
   marked by # characters. Each non comment line represents one
   polyinstantiated directory. The fields are separated by spaces but can be
   quoted by " characters also escape sequences \b, \n, and \t are
   recognized. The fields are as follows:

   polydir instance_prefix method list_of_uids

   The first field, polydir, is the absolute pathname of the directory to
   polyinstantiate. The special string $HOME is replaced with the user's home
   directory, and $USER with the username. This field cannot be blank.

   The second field, instance_prefix is the string prefix used to build the
   pathname for the instantiation of <polydir>. The path must end in a
   trailing slash, or in a directory prefix used to build the full
   per-instance path. Depending on the polyinstantiation method it is then
   appended with "instance differentiation string" to generate the final
   instance directory path. This directory is created if it did not exist
   already, and is then bind mounted on the <polydir> to provide an instance
   of <polydir> based on the <method> column. The special string $HOME is
   replaced with the user's home directory, and $USER with the username. This
   field cannot be blank.

   The third field, method, is the method used for polyinstantiation. It can
   take these values; "user" for polyinstantiation based on user name,
   "level" for polyinstantiation based on process MLS level and user name,
   "context" for polyinstantiation based on process security context and user
   name, "tmpfs" for mounting tmpfs filesystem as an instance dir, and
   "tmpdir" for creating temporary directory as an instance dir which is
   removed when the user's session is closed. Methods "context" and "level"
   are only available with SELinux. This field cannot be blank.

   The fourth field, list_of_uids, is a comma separated list of user names
   for whom the polyinstantiation is not performed. If left blank,
   polyinstantiation will be performed for all users. If the list is preceded
   with a single "~" character, polyinstantiation is performed only for users
   in the list.

   The method field can contain also following optional flags separated by :
   characters.

   create=mode,owner,group - create the polyinstantiated directory. The mode,
   owner and group parameters are optional. The default for mode is
   determined by umask, the default owner is the user whose session is
   opened, the default group is the primary group of the user.

   iscript=path - path to the instance directory init script. The base
   directory for relative paths is /etc/security/namespace.d.

   noinit - instance directory init script will not be executed.

   shared - the instance directories for "context" and "level" methods will
   not contain the user name and will be shared among all users.

   mntopts=value - value of this flag is passed to the mount call when the
   tmpfs mount is done. It allows for example the specification of the
   maximum size of the tmpfs instance that is created by the mount call. In
   addition to options specified in the tmpfs(5) manual the nosuid, noexec,
   and nodev flags can be used to respectively disable setuid bit effect,
   disable running executables, and disable devices to be interpreted on the
   mounted tmpfs filesystem.

   The directory where polyinstantiated instances are to be created, must
   exist and must have, by default, the mode of 0000. The requirement that
   the instance parent be of mode 0000 can be overridden with the command
   line option ignore_instance_parent_mode

   In case of context or level polyinstantiation the SELinux context which is
   used for polyinstantiation is the context used for executing a new process
   as obtained by getexeccon. This context must be set by the calling
   application or pam_selinux.so module. If this context is not set the
   polyinstantiation will be based just on user name.

   The "instance differentiation string" is <user name> for "user" method and
   <user name>_<raw directory context> for "context" and "level" methods. If
   the whole string is too long the end of it is replaced with md5sum of
   itself. Also when command line option gen_hash is used the whole string is
   replaced with md5sum of itself.

EXAMPLES

   These are some example lines which might be specified in
   /etc/security/namespace.conf.

         # The following three lines will polyinstantiate /tmp,
         # /var/tmp and user's home directories. /tmp and /var/tmp
         # will be polyinstantiated based on the security level
         # as well as user name, whereas home directory will be
         # polyinstantiated based on the full security context and user name.
         # Polyinstantiation will not be performed for user root
         # and adm for directories /tmp and /var/tmp, whereas home
         # directories will be polyinstantiated for all users.
         #
         # Note that instance directories do not have to reside inside
         # the polyinstantiated directory. In the examples below,
         # instances of /tmp will be created in /tmp-inst directory,
         # where as instances of /var/tmp and users home directories
         # will reside within the directories that are being
         # polyinstantiated.
         #
         /tmp     /tmp-inst/               level      root,adm
         /var/tmp /var/tmp/tmp-inst/    level      root,adm
         $HOME    $HOME/$USER.inst/inst- context
       

   For the <service>s you need polyinstantiation (login for example) put the
   following line in /etc/pam.d/<service> as the last line for session group:

   session required pam_namespace.so [arguments]

   This module also depends on pam_selinux.so setting the context.
N_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
AFTER_BODY
AFTER_AFTER_BODY
AFTER_AFTER_BODY
