Chapter 11. Configuring polyinstantiated directories


By default, all programs, services, and users use the /tmp, /var/tmp, and home directories for temporary storage. This makes these directories vulnerable to race condition attacks and information leaks based on file names. You can make /tmp/, /var/tmp/, and the home directory instantiated so that they are no longer shared between all users, and each user’s /tmp-inst and /var/tmp/tmp-inst is separately mounted to the /tmp and /var/tmp directory.

Procedure

  1. Enable polyinstantiation in SELinux:

    # setsebool -P allow_polyinstantiation 1

    You can verify that polyinstantiation is enabled in SELinux by entering the getsebool allow_polyinstantiation command.

  2. Create the directory structure for data persistence over reboot with the necessary permissions:

    # mkdir /tmp-inst /var/tmp/tmp-inst --mode 000
  3. Restore the entire security context including the SELinux user part:

    # restorecon -Fv /tmp-inst /var/tmp/tmp-inst
    Relabeled /tmp-inst from unconfined_u:object_r:default_t:s0 to system_u:object_r:tmp_t:s0
    Relabeled /var/tmp/tmp-inst from unconfined_u:object_r:tmp_t:s0 to system_u:object_r:tmp_t:s0
  4. If your system uses the fapolicyd application control framework, allow fapolicyd to monitor file access events on the underlying file system when they are bind mounted by enabling the allow_filesystem_mark option in the /etc/fapolicyd/fapolicyd.conf configuration file.

    allow_filesystem_mark = 1
  5. Enable instantiation of the /tmp, /var/tmp/, and users' home directories:

    Important

    Use /etc/security/namespace.conf instead of a separate file in the /etc/security/namespace.d/ directory because the pam_namespace_helper program does not read additional files in /etc/security/namespace.d.

    1. On a system with multi-level security (MLS), uncomment the last three lines in the /etc/security/namespace.conf file:

      /tmp     /tmp-inst/   		   level 	 root,adm
      /var/tmp /var/tmp/tmp-inst/    level 	 root,adm
      $HOME    $HOME/$USER.inst/     level
    2. On a system without multi-level security (MLS), add the following lines in the /etc/security/namespace.conf file:

      /tmp     /tmp-inst/            user 	 root,adm
      /var/tmp /var/tmp/tmp-inst/    user 	 root,adm
      $HOME    $HOME/$USER.inst/     user
  6. Verify that the pam_namespace.so module is configured for the session:

    $ grep namespace /etc/pam.d/login
    session    required     pam_namespace.so
  7. Optional: Enable cloud users to access the system with SSH keys:

    1. Install the openssh-keycat package.
    2. Create a file in the /etc/ssh/sshd_config.d/ directory with the following content:

      AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
      AuthorizedKeysCommandRunAs root
    3. Verify that public key authentication is enabled by checking that the PubkeyAuthentication variable in sshd_config is set to yes. By default, PubkeyAuthentication is set to yes, even though the line in sshd_config is commented out.

      $ grep -r PubkeyAuthentication /etc/ssh/
      /etc/ssh/sshd_config:#PubkeyAuthentication yes
  8. Add the session required pam_namespace.so unmnt_remnt entry into the module for each service for which polyinstantiation should apply, after the session include system-auth line. For example, in /etc/pam.d/su, /etc/pam.d/sudo, /etc/pam.d/ssh, and /etc/pam.d/sshd:

    [...]
    session        include        system-auth
    session        required    pam_namespace.so unmnt_remnt
    [...]

Verification

  1. Log in as a non-root user. Users that were logged in before polyinstantiation was configured must log out and log in before the changes take effect for them.
  2. Check that the /tmp/ directory is mounted under /tmp-inst/:

    $ findmnt --mountpoint /tmp/
    TARGET SOURCE                 	FSTYPE OPTIONS
    /tmp   /dev/vda1[/tmp-inst/<user>] xfs	rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota

    The SOURCE output differs based on your environment. * On virutal systems, it shows /dev/vda_<number>_. * On bare-metal systems it shows /dev/sda_<number>_ or /dev/nvme*

Additional resources

  • /usr/share/doc/pam/txts/README.pam_namespace readme file installed with the pam package.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.