Chapter 11. Configuring polyinstantiated directories
By default, all programs, services, and users use the /tmp, /var/tmp, and home directories for temporary storage. This makes these directories vulnerable to race condition attacks and information leaks based on file names. You can make /tmp/, /var/tmp/, and the home directory instantiated so that they are no longer shared between all users, and each user’s /tmp-inst and /var/tmp/tmp-inst is separately mounted to the /tmp and /var/tmp directory.
Procedure
Enable polyinstantiation in SELinux:
# setsebool -P allow_polyinstantiation 1You can verify that polyinstantiation is enabled in SELinux by entering the
getsebool allow_polyinstantiationcommand.Create the directory structure for data persistence over reboot with the necessary permissions:
# mkdir /tmp-inst /var/tmp/tmp-inst --mode 000Restore the entire security context including the SELinux user part:
# restorecon -Fv /tmp-inst /var/tmp/tmp-inst Relabeled /tmp-inst from unconfined_u:object_r:default_t:s0 to system_u:object_r:tmp_t:s0 Relabeled /var/tmp/tmp-inst from unconfined_u:object_r:tmp_t:s0 to system_u:object_r:tmp_t:s0If your system uses the
fapolicydapplication control framework, allowfapolicydto monitor file access events on the underlying file system when they are bind mounted by enabling theallow_filesystem_markoption in the/etc/fapolicyd/fapolicyd.confconfiguration file.allow_filesystem_mark = 1
Enable instantiation of the
/tmp,/var/tmp/, and users' home directories:ImportantUse
/etc/security/namespace.confinstead of a separate file in the/etc/security/namespace.d/directory because thepam_namespace_helperprogram does not read additional files in/etc/security/namespace.d.On a system with multi-level security (MLS), uncomment the last three lines in the
/etc/security/namespace.conffile:/tmp /tmp-inst/ level root,adm /var/tmp /var/tmp/tmp-inst/ level root,adm $HOME $HOME/$USER.inst/ level
On a system without multi-level security (MLS), add the following lines in the
/etc/security/namespace.conffile:/tmp /tmp-inst/ user root,adm /var/tmp /var/tmp/tmp-inst/ user root,adm $HOME $HOME/$USER.inst/ user
Verify that the
pam_namespace.somodule is configured for the session:$ grep namespace /etc/pam.d/login session required pam_namespace.soOptional: Enable cloud users to access the system with SSH keys:
-
Install the
openssh-keycatpackage. Create a file in the
/etc/ssh/sshd_config.d/directory with the following content:AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat AuthorizedKeysCommandRunAs root
Verify that public key authentication is enabled by checking that the
PubkeyAuthenticationvariable insshd_configis set toyes. By default,PubkeyAuthenticationis set to yes, even though the line insshd_configis commented out.$ grep -r PubkeyAuthentication /etc/ssh/ /etc/ssh/sshd_config:#PubkeyAuthentication yes
-
Install the
Add the
session required pam_namespace.so unmnt_remntentry into the module for each service for which polyinstantiation should apply, after thesession include system-authline. For example, in/etc/pam.d/su,/etc/pam.d/sudo,/etc/pam.d/ssh, and/etc/pam.d/sshd:[...] session include system-auth session required pam_namespace.so unmnt_remnt [...]
Verification
- Log in as a non-root user. Users that were logged in before polyinstantiation was configured must log out and log in before the changes take effect for them.
Check that the
/tmp/directory is mounted under/tmp-inst/:$ findmnt --mountpoint /tmp/ TARGET SOURCE FSTYPE OPTIONS /tmp /dev/vda1[/tmp-inst/<user>] xfs rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
The
SOURCEoutput differs based on your environment. * On virutal systems, it shows/dev/vda_<number>_. * On bare-metal systems it shows/dev/sda_<number>_or/dev/nvme*
Additional resources
-
/usr/share/doc/pam-docs/txts/README.pam_namespacereadme file installed with thepam-docspackage.
