Chapter 11. Configuring polyinstantiated directories

Procedure

1. Enable polyinstantiation in SELinux:

   # setsebool -P allow_polyinstantiation 1

   You can verify that polyinstantiation is enabled in SELinux by entering the getsebool allow_polyinstantiation command.

2. Create the directory structure for data persistence over reboot with the necessary permissions:

   # mkdir /tmp-inst /var/tmp/tmp-inst --mode 000

3. Restore the entire security context including the SELinux user part:

   # restorecon -Fv /tmp-inst /var/tmp/tmp-inst
   Relabeled /tmp-inst from unconfined_u:object_r:default_t:s0 to system_u:object_r:tmp_t:s0
   Relabeled /var/tmp/tmp-inst from unconfined_u:object_r:tmp_t:s0 to system_u:object_r:tmp_t:s0

4. If your system uses the fapolicyd application control framework, allow fapolicyd to monitor file access events on the underlying file system when they are bind mounted by enabling the allow_filesystem_mark option in the /etc/fapolicyd/fapolicyd.conf configuration file.

   allow_filesystem_mark = 1

5. Enable instantiation of the /tmp, /var/tmp/, and users' home directories:

   Important

   Use /etc/security/namespace.conf instead of a separate file in the /etc/security/namespace.d/ directory because the pam_namespace_helper program does not read additional files in /etc/security/namespace.d.

   1. On a system with multi-level security (MLS), uncomment the last three lines in the /etc/security/namespace.conf file:

      /tmp     /tmp-inst/   		   level 	 root,adm
      /var/tmp /var/tmp/tmp-inst/    level 	 root,adm
      $HOME    $HOME/$USER.inst/     level

   2. On a system without multi-level security (MLS), add the following lines in the /etc/security/namespace.conf file:

      /tmp     /tmp-inst/            user 	 root,adm
      /var/tmp /var/tmp/tmp-inst/    user 	 root,adm
      $HOME    $HOME/$USER.inst/     user

6. Verify that the pam_namespace.so module is configured for the session:

   $ grep namespace /etc/pam.d/login
   session    required     pam_namespace.so

7. Optional: Enable cloud users to access the system with SSH keys:

   1. Install the openssh-keycat package.

   2. Create a file in the /etc/ssh/sshd_config.d/ directory with the following content:

      AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
      AuthorizedKeysCommandRunAs root

   3. Verify that public key authentication is enabled by checking that the PubkeyAuthentication variable in sshd_config is set to yes. By default, PubkeyAuthentication is set to yes, even though the line in sshd_config is commented out.

      $ grep -r PubkeyAuthentication /etc/ssh/
      /etc/ssh/sshd_config:#PubkeyAuthentication yes

8. Add the session required pam_namespace.so unmnt_remnt entry into the module for each service for which polyinstantiation should apply, after the session include system-auth line. For example, in /etc/pam.d/su, /etc/pam.d/sudo, /etc/pam.d/ssh, and /etc/pam.d/sshd:

   [...]
   session        include        system-auth
   session        required    pam_namespace.so unmnt_remnt
   [...]

Verification

1. Log in as a non-root user. Users that were logged in before polyinstantiation was configured must log out and log in before the changes take effect for them.

2. Check that the /tmp/ directory is mounted under /tmp-inst/:

   $ findmnt --mountpoint /tmp/
   TARGET SOURCE                 	FSTYPE OPTIONS
   /tmp   /dev/vda1[/tmp-inst/<user>] xfs	rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota

   The SOURCE output differs based on your environment. * On virtual systems, it shows /dev/vda_<number>_. * On bare-metal systems it shows /dev/sda_<number>_ or /dev/nvme*