Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 11. Configuring polyinstantiated directories

By default, all programs, services, and users use the /tmp, /var/tmp, and home directories for temporary storage. This makes these directories vulnerable to race condition attacks and information leaks based on file names. You can make /tmp/, /var/tmp/, and the home directory instantiated so that they are no longer shared between all users, and each user’s /tmp-inst and /var/tmp/tmp-inst is separately mounted to the /tmp and /var/tmp directory.

Procedure

  1. Enable polyinstantiation in SELinux: 

    # setsebool -P allow_polyinstantiation 1
    Copy to Clipboard Toggle word wrap

    You can verify that polyinstantiation is enabled in SELinux by entering the getsebool allow_polyinstantiation command.

  2. Create the directory structure for data persistence over reboot with the necessary permissions: 

    # mkdir /tmp-inst /var/tmp/tmp-inst --mode 000
    Copy to Clipboard Toggle word wrap

  3. Restore the entire security context including the SELinux user part: 

    # restorecon -Fv /tmp-inst /var/tmp/tmp-inst
Relabeled /tmp-inst from unconfined_u:object_r:default_t:s0 to system_u:object_r:tmp_t:s0
Relabeled /var/tmp/tmp-inst from unconfined_u:object_r:tmp_t:s0 to system_u:object_r:tmp_t:s0
    Copy to Clipboard Toggle word wrap

  4. If your system uses the fapolicyd application control framework, allow fapolicyd to monitor file access events on the underlying file system when they are bind mounted by enabling the allow_filesystem_mark option in the /etc/fapolicyd/fapolicyd.conf configuration file. 

    allow_filesystem_mark = 1
    Copy to Clipboard Toggle word wrap

  5. Enable instantiation of the /tmp, /var/tmp/, and users' home directories:

    Important

    Use /etc/security/namespace.conf instead of a separate file in the /etc/security/namespace.d/ directory because the pam_namespace_helper program does not read additional files in /etc/security/namespace.d.

    1. On a system with multi-level security (MLS), uncomment the last three lines in the /etc/security/namespace.conf file: 

      /tmp     /tmp-inst/   		   level 	 root,adm
/var/tmp /var/tmp/tmp-inst/    level 	 root,adm
$HOME    $HOME/$USER.inst/     level
      Copy to Clipboard Toggle word wrap

    2. On a system without multi-level security (MLS), add the following lines in the /etc/security/namespace.conf file: 

      /tmp     /tmp-inst/            user 	 root,adm
/var/tmp /var/tmp/tmp-inst/    user 	 root,adm
$HOME    $HOME/$USER.inst/     user
      Copy to Clipboard Toggle word wrap

  6. Verify that the pam_namespace.so module is configured for the session: 

    $ grep namespace /etc/pam.d/login
session    required     pam_namespace.so
    Copy to Clipboard Toggle word wrap

  7. Optional: Enable cloud users to access the system with SSH keys:

    1. Install the openssh-keycat package.

    2. Create a file in the /etc/ssh/sshd_config.d/ directory with the following content: 

      AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
AuthorizedKeysCommandRunAs root
      Copy to Clipboard Toggle word wrap

    3. Verify that public key authentication is enabled by checking that the PubkeyAuthentication variable in sshd_config is set to yes. By default, PubkeyAuthentication is set to yes, even though the line in sshd_config is commented out. 

      $ grep -r PubkeyAuthentication /etc/ssh/
/etc/ssh/sshd_config:#PubkeyAuthentication yes
      Copy to Clipboard Toggle word wrap

  8. Add the session required pam_namespace.so unmnt_remnt entry into the module for each service for which polyinstantiation should apply, after the session include system-auth line. For example, in /etc/pam.d/su, /etc/pam.d/sudo, /etc/pam.d/ssh, and /etc/pam.d/sshd: 

    [...]
session        include        system-auth
session        required    pam_namespace.so unmnt_remnt
[...]
    Copy to Clipboard Toggle word wrap

Verification

  1. Log in as a non-root user. Users that were logged in before polyinstantiation was configured must log out and log in before the changes take effect for them.

  2. Check that the /tmp/ directory is mounted under /tmp-inst/: 

    $ findmnt --mountpoint /tmp/
TARGET SOURCE                 	FSTYPE OPTIONS
/tmp   /dev/vda1[/tmp-inst/<user>] xfs	rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
    Copy to Clipboard Toggle word wrap

    The SOURCE output differs based on your environment. * On virtual systems, it shows /dev/vda_<number>_. * On bare-metal systems it shows /dev/sda_<number>_ or /dev/nvme*

Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat