Show Table of Contents
5.11.4. Setting Up Polyinstantiated Directories
The
/tmp/ and /var/tmp/ directories are normally used for temporary storage by all programs, services, and users. Such setup, however, makes these directories vulnerable to race condition attacks, or an information leak based on file names. SELinux offers a solution in the form of polyinstantiated directories. This effectively means that both /tmp/ and /var/tmp/ are instantiated, making them appear private for each user. When instantiation of directories is enabled, each user's /tmp/ and /var/tmp/ directory is automatically mounted under /tmp-inst and /var/tmp/tmp-inst.
Follow these steps to enable polyinstantiation of directories:
- Uncomment the last three lines in the
/etc/security/namespace.conffile to enable instantiation of the/tmp/,/var/tmp/, and users' home directories:~]$
tail -n 3 /etc/security/namespace.conf/tmp /tmp-inst/ level root,adm /var/tmp /var/tmp/tmp-inst/ level root,adm $HOME $HOME/$USER.inst/ level - Ensure that in the
/etc/pam.d/loginfile, thepam_namespace.somodule is configured for session:~]$
grep namespace /etc/pam.d/loginsession required pam_namespace.so - Reboot your system.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.