Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 11. Configuring polyinstantiated directories


By default, all programs, services, and users use the /tmp, /var/tmp, and home directories for temporary storage. This makes these directories vulnerable to race condition attacks and information leaks based on file names. You can make /tmp/, /var/tmp/, and the home directory instantiated so that they are no longer shared between all users, and each user’s /tmp-inst and /var/tmp/tmp-inst is separately mounted to the /tmp and /var/tmp directory.

Procedure

  1. Enable polyinstantiation in SELinux:

    # setsebool -P allow_polyinstantiation 1

    You can verify that polyinstantiation is enabled in SELinux by entering the getsebool allow_polyinstantiation command.

  2. Create the directory structure for data persistence over reboot with the necessary permissions:

    # mkdir /tmp-inst /var/tmp/tmp-inst --mode 000
  3. Restore the entire security context including the SELinux user part:

    # restorecon -Fv /tmp-inst /var/tmp/tmp-inst
    Relabeled /tmp-inst from unconfined_u:object_r:default_t:s0 to system_u:object_r:tmp_t:s0
    Relabeled /var/tmp/tmp-inst from unconfined_u:object_r:tmp_t:s0 to system_u:object_r:tmp_t:s0
  4. If your system uses the fapolicyd application control framework, allow fapolicyd to monitor file access events on the underlying file system when they are bind mounted by enabling the allow_filesystem_mark option in the /etc/fapolicyd/fapolicyd.conf configuration file.

    allow_filesystem_mark = 1
  5. Enable instantiation of the /tmp, /var/tmp/, and users' home directories:

    Important

    Use /etc/security/namespace.conf instead of a separate file in the /etc/security/namespace.d/ directory because the pam_namespace_helper program does not read additional files in /etc/security/namespace.d.

    1. On a system with multi-level security (MLS), uncomment the last three lines in the /etc/security/namespace.conf file:

      /tmp     /tmp-inst/   		   level 	 root,adm
      /var/tmp /var/tmp/tmp-inst/    level 	 root,adm
      $HOME    $HOME/$USER.inst/     level
    2. On a system without multi-level security (MLS), add the following lines in the /etc/security/namespace.conf file:

      /tmp     /tmp-inst/            user 	 root,adm
      /var/tmp /var/tmp/tmp-inst/    user 	 root,adm
      $HOME    $HOME/$USER.inst/     user
  6. Verify that the pam_namespace.so module is configured for the session:

    $ grep namespace /etc/pam.d/login
    session    required     pam_namespace.so
  7. Optional: Enable cloud users to access the system with SSH keys:

    1. Install the openssh-keycat package.
    2. Create a file in the /etc/ssh/sshd_config.d/ directory with the following content:

      AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
      AuthorizedKeysCommandRunAs root
    3. Verify that public key authentication is enabled by checking that the PubkeyAuthentication variable in sshd_config is set to yes. By default, PubkeyAuthentication is set to yes, even though the line in sshd_config is commented out.

      $ grep -r PubkeyAuthentication /etc/ssh/
      /etc/ssh/sshd_config:#PubkeyAuthentication yes
  8. Add the session required pam_namespace.so unmnt_remnt entry into the module for each service for which polyinstantiation should apply, after the session include system-auth line. For example, in /etc/pam.d/su, /etc/pam.d/sudo, /etc/pam.d/ssh, and /etc/pam.d/sshd:

    [...]
    session        include        system-auth
    session        required    pam_namespace.so unmnt_remnt
    [...]

Verification

  1. Log in as a non-root user. Users that were logged in before polyinstantiation was configured must log out and log in before the changes take effect for them.
  2. Check that the /tmp/ directory is mounted under /tmp-inst/:

    $ findmnt --mountpoint /tmp/
    TARGET SOURCE                 	FSTYPE OPTIONS
    /tmp   /dev/vda1[/tmp-inst/<user>] xfs	rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota

    The SOURCE output differs based on your environment. * On virutal systems, it shows /dev/vda_<number>_. * On bare-metal systems it shows /dev/sda_<number>_ or /dev/nvme*

Additional resources

  • /usr/share/doc/pam/txts/README.pam_namespace readme file installed with the pam package.
Red Hat logoGithubRedditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

© 2024 Red Hat, Inc.