Chapter 11. Configuring polyinstantiated directories
By default, all programs, services, and users use the /tmp, /var/tmp, and home directories for temporary storage. This makes these directories vulnerable to race condition attacks and information leaks based on file names. You can make /tmp/, /var/tmp/, and the home directory instantiated so that they are no longer shared between all users, and each user's /tmp-inst and /var/tmp/tmp-inst is separately mounted to the /tmp and /var/tmp directory.
Procedure

1. Enable polyinstantiation in SELinux:

   # setsebool -P allow_polyinstantiation 1

   You can verify that polyinstantiation is enabled in SELinux by entering the getsebool allow_polyinstantiation command.

2. Create the directory structure for data persistence over reboot with the necessary permissions:

   # mkdir /tmp-inst /var/tmp/tmp-inst --mode 000

3. Restore the entire security context, including the SELinux user part:

   # restorecon -Fv /tmp-inst /var/tmp/tmp-inst
   Relabeled /tmp-inst from unconfined_u:object_r:default_t:s0 to system_u:object_r:tmp_t:s0
   Relabeled /var/tmp/tmp-inst from unconfined_u:object_r:tmp_t:s0 to system_u:object_r:tmp_t:s0

4. If your system uses the fapolicyd application control framework, allow fapolicyd to monitor file access events on the underlying file system when they are bind mounted by enabling the allow_filesystem_mark option in the /etc/fapolicyd/fapolicyd.conf configuration file:

   allow_filesystem_mark = 1

5. Enable instantiation of the /tmp, /var/tmp/, and users' home directories.

   Important: Use /etc/security/namespace.conf instead of a separate file in the /etc/security/namespace.d/ directory, because the pam_namespace_helper program does not read additional files in /etc/security/namespace.d.

   On a system with multi-level security (MLS), uncomment the last three lines in the /etc/security/namespace.conf file:

   /tmp       /tmp-inst/            level   root,adm
   /var/tmp   /var/tmp/tmp-inst/    level   root,adm
   $HOME      $HOME/$USER.inst/     level

   On a system without multi-level security (MLS), add the following lines to the /etc/security/namespace.conf file:

   /tmp       /tmp-inst/            user    root,adm
   /var/tmp   /var/tmp/tmp-inst/    user    root,adm
   $HOME      $HOME/$USER.inst/     user

6. Verify that the pam_namespace.so module is configured for the session:

   $ grep namespace /etc/pam.d/login
   session    required     pam_namespace.so

7. Optional: Enable cloud users to access the system with SSH keys:

   a. Install the openssh-keycat package. Create a file in the /etc/ssh/sshd_config.d/ directory with the following content:

      AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
      AuthorizedKeysCommandRunAs root

   b. Verify that public key authentication is enabled by checking that the PubkeyAuthentication variable in sshd_config is set to yes. By default, PubkeyAuthentication is set to yes, even though the line in sshd_config is commented out:

      $ grep -r PubkeyAuthentication /etc/ssh/
      /etc/ssh/sshd_config:#PubkeyAuthentication yes

8. Add the session required pam_namespace.so unmnt_remnt entry to the PAM configuration file of each service for which polyinstantiation should apply, after the session include system-auth line. For example, in /etc/pam.d/su, /etc/pam.d/sudo, /etc/pam.d/ssh, and /etc/pam.d/sshd:

   [...]
   session    include      system-auth
   session    required     pam_namespace.so unmnt_remnt
   [...]
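As an added example that is not part of this documentation, the following shell helpers audit the two files the procedure edits: they report the method configured for each polydir in a namespace.conf-style file and confirm that the pam_namespace.so entry follows the session include system-auth line in a PAM service file. The file contents below are constructed samples; on a live system, pass in "$(cat /etc/security/namespace.conf)" and the relevant files from /etc/pam.d/ instead.

```shell
# Constructed /etc/security/namespace.conf as written for a non-MLS system.
SAMPLE_NAMESPACE_CONF='# polydir   instance_prefix      method   list_of_uids
/tmp        /tmp-inst/           user     root,adm
/var/tmp    /var/tmp/tmp-inst/   user     root,adm
$HOME       $HOME/$USER.inst/    user'

# Constructed /etc/pam.d/sudo with the entry in the documented position.
SAMPLE_PAM_OK='#%PAM-1.0
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_namespace.so unmnt_remnt'

# Same service file with the entry placed *before* the include.
SAMPLE_PAM_BAD='#%PAM-1.0
session    required     pam_namespace.so unmnt_remnt
session    include      system-auth'

# namespace_method CONTENT POLYDIR: print the method (user, level, context)
# configured for POLYDIR, or "none" if the directory is not polyinstantiated.
namespace_method() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        /^[[:space:]]*#/ || NF < 3 { next }
        $1 == dir { print $3; found = 1; exit }
        END { if (!found) print "none" }'
}

# namespace_complete CONTENT METHOD: succeed only if /tmp, /var/tmp and $HOME
# all use METHOD ("user" without MLS, "level" on an MLS system).
namespace_complete() {
    for d in /tmp /var/tmp '$HOME'; do
        [ "$(namespace_method "$1" "$d")" = "$2" ] || return 1
    done
}

# pam_namespace_ok CONTENT: succeed only if a non-comment
# "session <control> pam_namespace.so unmnt_remnt" line comes after the
# "session include system-auth" line, as the procedure requires.
pam_namespace_ok() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "session" && $2 == "include" && $3 == "system-auth" { inc = NR }
        $1 == "session" && $3 == "pam_namespace.so" { ns = NR; ok = ($4 == "unmnt_remnt") }
        END { if (inc && ns && ns > inc && ok) exit 0; exit 1 }'
}

if namespace_complete "$SAMPLE_NAMESPACE_CONF" user && pam_namespace_ok "$SAMPLE_PAM_OK"; then
    echo "sample namespace.conf and PAM service file are consistent"
fi
```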
Verification

1. Log in as a non-root user. Users that were logged in before polyinstantiation was configured must log out and log in again before the changes take effect for them.

2. Check that the /tmp/ directory is mounted under /tmp-inst/:

   $ findmnt --mountpoint /tmp/
   TARGET SOURCE                       FSTYPE OPTIONS
   /tmp   /dev/vda1[/tmp-inst/<user>]  xfs    rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota

   The SOURCE output differs based on your environment:
   - On virtual systems, it shows /dev/vda<number>.
   - On bare-metal systems, it shows /dev/sda<number> or /dev/nvme*.
Additional resources

- The /usr/share/doc/pam/txts/README.pam_namespace readme file installed with the pam package.