diff --git a/roles/batcave/files/namespace.conf b/roles/batcave/files/namespace.conf
new file mode 100644
index 0000000000..6c0a761cc4
--- /dev/null
+++ b/roles/batcave/files/namespace.conf
@@ -0,0 +1,28 @@
+ /etc/security/namespace.conf
+#
+# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information.
+#
+# Uncommenting the following three lines will polyinstantiate
+# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
+# be polyinstantiated based on the MLS level part of the security context as well as user
+# name, Polyinstantion will not be performed for user root and adm for directories
+# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
+# The user name and context is appended to the instance prefix.
+#
+# Note that instance directories do not have to reside inside the
+# polyinstantiated directory. In the examples below, instances of /tmp
+# will be created in /tmp-inst directory, where as instances of /var/tmp
+# and users home directories will reside within the directories that
+# are being polyinstantiated.
+#
+# Instance parent directories must exist for the polyinstantiation
+# mechanism to work. By default, they should be created with the mode
+# of 000. pam_namespace module will enforce this mode unless it
+# is explicitly called with an argument to ignore the mode of the
+# instance parent. System administrators should use this argument with
+# caution, as it will reduce security and isolation achieved by
+# polyinstantiation.
+#
+/tmp /tmp-inst/ level root,adm
+/var/tmp /var/tmp-inst/ level root,adm
+#$HOME $HOME/$USER.inst/ level
diff --git a/roles/batcave/tasks/main.yml b/roles/batcave/tasks/main.yml
index 2dccc4d29c..9cc97f2394 100644
--- a/roles/batcave/tasks/main.yml
+++ b/roles/batcave/tasks/main.yml
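Review bot: The first added line, `+ /etc/security/namespace.conf`, is the only line of the header block without a leading `#`; every neighbouring line is a comment, so this looks like a dropped `#`. pam_namespace only skips comment lines, so a bare path with no instance prefix or method will be parsed as a configuration entry and at best logged and ignored; the likely intended line is `# /etc/security/namespace.conf`. The inherited comment also still says "Uncommenting the following three lines" although only the /tmp and /var/tmp entries are active and the $HOME entry stays commented out; consider replacing that paragraph with `# /tmp and /var/tmp are polyinstantiated per user (except root and adm); home directories are not.` so the comment matches the policy actually shipped.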
@@ -507,3 +507,23 @@
 - koji
 - batcave
+- name: create some tmp dirs
+ file: path=/tmp-inst mode=000 user=root group=root state=directory
+ tags:
+ - config
+ - batcave
+ - selinux
+
+- name: create some tmp dirs
+ file: path=/var/tmp-inst mode=000 user=root group=root state=directory
+ tags:
+ - config
+ - batcave
+ - selinux
+
+- name: put in place namespace.conf file
+ copy: src=namespace.conf dest=/etc/security/namespace.conf mode=644 user=root group=root
+ tags:
+ - config
+ - batcave
+ - selinux
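Review bot: All three new tasks pass `user=root`, which is not a parameter of the `file` or `copy` modules; the ownership parameter is `owner`, so each should read `owner=root group=root` (the `path=/tmp-inst`, `path=/var/tmp-inst` and `dest=/etc/security/namespace.conf` tasks alike). Depending on the Ansible version this either fails with an unsupported-parameter error or is silently dropped, so ownership of the instance parents and of the PAM config is never actually asserted. The modes are written as bare `mode=000` and `mode=644`; in key=value form they are parsed as octal strings, but the leading-zero forms `mode=0000` / `mode=0644` are the documented convention and survive conversion to YAML dictionary syntax, where an unquoted 644 becomes decimal. The two directory tasks share the name `create some tmp dirs` and differ only in path, so a single task looping over both paths would keep play output distinguishable. Nothing in this change enables pam_namespace.so in the PAM stack; if that is not already configured elsewhere in the role, the new namespace.conf has no effect.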