Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 11. Configuring polyinstantiated directories

By default, all programs, services, and users use the /tmp, /var/tmp, and home directories for temporary storage. This makes these directories vulnerable to race condition attacks and information leaks based on file names. You can make /tmp/, /var/tmp/, and the home directory instantiated so that they are no longer shared between all users, and each user’s /tmp-inst and /var/tmp/tmp-inst is separately mounted to the /tmp and /var/tmp directory.

Procedure

  1. Enable polyinstantiation in SELinux: 

    # setsebool -P allow_polyinstantiation 1
    Copy to Clipboard Toggle word wrap

    You can verify that polyinstantiation is enabled in SELinux by entering the getsebool allow_polyinstantiation command.

  2. Create the directory structure for data persistence over reboot with the necessary permissions: 

    # mkdir /tmp-inst /var/tmp/tmp-inst --mode 000
    Copy to Clipboard Toggle word wrap

  3. Restore the entire security context including the SELinux user part: 

    # restorecon -Fv /tmp-inst /var/tmp/tmp-inst
Relabeled /tmp-inst from unconfined_u:object_r:default_t:s0 to system_u:object_r:tmp_t:s0
Relabeled /var/tmp/tmp-inst from unconfined_u:object_r:tmp_t:s0 to system_u:object_r:tmp_t:s0
    Copy to Clipboard Toggle word wrap

  4. If your system uses the fapolicyd application control framework, allow fapolicyd to monitor file access events on the underlying file system when they are bind mounted by enabling the allow_filesystem_mark option in the /etc/fapolicyd/fapolicyd.conf configuration file. 

    allow_filesystem_mark = 1
    Copy to Clipboard Toggle word wrap

  5. Enable instantiation of the /tmp, /var/tmp/, and users' home directories:

    Important

    Use /etc/security/namespace.conf instead of a separate file in the /etc/security/namespace.d/ directory because the pam_namespace_helper program does not read additional files in /etc/security/namespace.d.

    1. On a system with multi-level security (MLS), uncomment the last three lines in the /etc/security/namespace.conf file: 

      /tmp     /tmp-inst/   		   level 	 root,adm
/var/tmp /var/tmp/tmp-inst/    level 	 root,adm
$HOME    $HOME/$USER.inst/     level
      Copy to Clipboard Toggle word wrap

    2. On a system without multi-level security (MLS), add the following lines in the /etc/security/namespace.conf file: 

      /tmp     /tmp-inst/            user 	 root,adm
/var/tmp /var/tmp/tmp-inst/    user 	 root,adm
$HOME    $HOME/$USER.inst/     user
      Copy to Clipboard Toggle word wrap

  6. Verify that the pam_namespace.so module is configured for the session: 

    $ grep namespace /etc/pam.d/login
session    required     pam_namespace.so
    Copy to Clipboard Toggle word wrap

  7. Optional: Enable cloud users to access the system with SSH keys:

    1. Install the openssh-keycat package.

    2. Create a file in the /etc/ssh/sshd_config.d/ directory with the following content: 

      AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
AuthorizedKeysCommandRunAs root
      Copy to Clipboard Toggle word wrap

    3. Verify that public key authentication is enabled by checking that the PubkeyAuthentication variable in sshd_config is set to yes. By default, PubkeyAuthentication is set to yes, even though the line in sshd_config is commented out. 

      $ grep -r PubkeyAuthentication /etc/ssh/
/etc/ssh/sshd_config:#PubkeyAuthentication yes
      Copy to Clipboard Toggle word wrap

  8. Add the session required pam_namespace.so unmnt_remnt entry into the module for each service for which polyinstantiation should apply, after the session include system-auth line. For example, in /etc/pam.d/su, /etc/pam.d/sudo, /etc/pam.d/ssh, and /etc/pam.d/sshd: 

    [...]
session        include        system-auth
session        required    pam_namespace.so unmnt_remnt
[...]
    Copy to Clipboard Toggle word wrap

Verification

  1. Log in as a non-root user. Users that were logged in before polyinstantiation was configured must log out and log in before the changes take effect for them.

  2. Check that the /tmp/ directory is mounted under /tmp-inst/: 

    $ findmnt --mountpoint /tmp/
TARGET SOURCE                 	FSTYPE OPTIONS
/tmp   /dev/vda1[/tmp-inst/<user>] xfs	rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
    Copy to Clipboard Toggle word wrap

    The SOURCE output differs based on your environment. * On virtual systems, it shows /dev/vda_<number>_. * On bare-metal systems it shows /dev/sda_<number>_ or /dev/nvme*

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat