lets try out some polyinstantiated tmp and var/tmp on batcave01
This commit is contained in:
Kevin Fenzi
parent
939d94ed41
commit
79c7169ff4
2 changed files with 48 additions and 0 deletions
28
roles/batcave/files/namespace.conf
Normal file
28
roles/batcave/files/namespace.conf
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
/etc/security/namespace.conf
|
||||
#
|
||||
# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information.
|
||||
#
|
||||
# Uncommenting the following three lines will polyinstantiate
|
||||
# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
|
||||
# be polyinstantiated based on the MLS level part of the security context as well as user
|
||||
# name, Polyinstantion will not be performed for user root and adm for directories
|
||||
# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
|
||||
# The user name and context is appended to the instance prefix.
|
||||
#
|
||||
# Note that instance directories do not have to reside inside the
|
||||
# polyinstantiated directory. In the examples below, instances of /tmp
|
||||
# will be created in /tmp-inst directory, where as instances of /var/tmp
|
||||
# and users home directories will reside within the directories that
|
||||
# are being polyinstantiated.
|
||||
#
|
||||
# Instance parent directories must exist for the polyinstantiation
|
||||
# mechanism to work. By default, they should be created with the mode
|
||||
# of 000. pam_namespace module will enforce this mode unless it
|
||||
# is explicitly called with an argument to ignore the mode of the
|
||||
# instance parent. System administrators should use this argument with
|
||||
# caution, as it will reduce security and isolation achieved by
|
||||
# polyinstantiation.
|
||||
#
|
||||
/tmp /tmp-inst/ level root,adm
|
||||
/var/tmp /var/tmp-inst/ level root,adm
|
||||
#$HOME $HOME/$USER.inst/ level
|
||||
|
|
@ -507,3 +507,23 @@
|
|||
- koji
|
||||
- batcave
|
||||
|
||||
- name: create some tmp dirs
|
||||
file: path=/tmp-inst mode=000 user=root group=root state=directory
|
||||
tags:
|
||||
- config
|
||||
- batcave
|
||||
- selinux
|
||||
|
||||
- name: create some tmp dirs
|
||||
file: path=/var/tmp-inst mode=000 user=root group=root state=directory
|
||||
tags:
|
||||
- config
|
||||
- batcave
|
||||
- selinux
|
||||
|
||||
- name: put in place namespace.conf file
|
||||
copy: src=namespace.conf dest=/etc/security/namespace.conf mode=644 user=root group=root
|
||||
tags:
|
||||
- config
|
||||
- batcave
|
||||
- selinux
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue