Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

5.11.4. Setting Up Polyinstantiated Directories

The /tmp/ and /var/tmp/ directories are normally used for temporary storage by all programs, services, and users. Such setup, however, makes these directories vulnerable to race condition attacks, or an information leak based on file names. SELinux offers a solution in the form of polyinstantiated directories. This effectively means that both /tmp/ and /var/tmp/ are instantiated, making them appear private for each user. When instantiation of directories is enabled, each user's /tmp/ and /var/tmp/ directory is automatically mounted under /tmp-inst and /var/tmp/tmp-inst.
Follow these steps to enable polyinstantiation of directories:
  1. Uncomment the last three lines in the /etc/security/namespace.conf file to enable instantiation of the /tmp/, /var/tmp/, and users' home directories:
    ~]$ tail -n 3 /etc/security/namespace.conf
    /tmp     /tmp-inst/            level      root,adm
    /var/tmp /var/tmp/tmp-inst/    level      root,adm
    $HOME    $HOME/$USER.inst/     level
  2. Ensure that in the /etc/pam.d/login file, the module is configured for session:
    ~]$ grep namespace /etc/pam.d/login
    session    required
  3. Reboot your system.