| | | |
|---|---|---|
| author | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 13:00:10 -0800 |
| committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 13:00:10 -0800 |
| commit | 9d69c7bbb05cc22edce56e751cef5828e652988a (patch) | |
| tree | b97c4aa6e6133fa3e319805c5190819020838c32 /Linux-PAM/modules/pam_namespace/namespace.conf.5 | |
| parent | a6f4ab0bebc76acf85cc0244bd21c1036009c28c (diff) | |
| parent | d5b06b67bbeeed7c05c0eb2e05d6a972ad050d1c (diff) | |
| download | pam-9d69c7bbb05cc22edce56e751cef5828e652988a.tar.gz pam-9d69c7bbb05cc22edce56e751cef5828e652988a.tar.bz2 pam-9d69c7bbb05cc22edce56e751cef5828e652988a.zip | |
Merge tag 'upstream/0.99.7.1' into debian
Diffstat (limited to 'Linux-PAM/modules/pam_namespace/namespace.conf.5')
-rw-r--r-- | Linux-PAM/modules/pam_namespace/namespace.conf.5 | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/Linux-PAM/modules/pam_namespace/namespace.conf.5 b/Linux-PAM/modules/pam_namespace/namespace.conf.5 new file mode 100644 index 00000000..ff325a21 --- /dev/null +++ b/Linux-PAM/modules/pam_namespace/namespace.conf.5 
@@ -0,0 +1,96 @@ +.\"Generated by db2man.xsl. Don't modify this, modify the source. +.de Sh \" Subsection +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.TH "NAMESPACE.CONF" 5 "" "" "" +.SH NAME +namespace.conf \- the namespace configuration file +.SH "DESCRIPTION" + +.PP +This module allows setup of private namespaces with polyinstantiated directories\&. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, security context or both\&. If an executable script \fI/etc/security/namespace\&.init\fR exists, it is used to initialize the namespace every time a new instance directory is setup\&. The script receives the polyinstantiated directory path and the instance directory path as its arguments\&. + +.PP +The \fI/etc/security/namespace\&.conf\fR file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed\&. + +.PP +When someone logs in, the file \fInamespace\&.conf\fR is scanned where each non comment line represents one polyinstantiated directory with space separated fields as follows: + +.PP + \fIpolydir\fR \fI instance_prefix\fR \fI method\fR \fI list_of_uids\fR + +.PP +The first field, \fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate\&. Special entry $HOME is supported to designate user's home directory\&. This field cannot be blank\&. + +.PP +The second field, \fIinstance_prefix\fR is the string prefix used to build the pathname for the instantiation of <polydir>\&. The directory security context, or optionally its md5sum string (32 hex characters), is appended to the prefix to generate the final instance directory path\&. 
This directory is created if it did not exist already, and is then bind mounted on the <polydir> to provide an instance of <polydir> based on the <method> column\&. The special string $HOME is replaced with the user's home directory, and $USER with the username\&. This field cannot be blank\&. The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 000\&. The requirement that the instance parent be of mode 000 can be overridden with the command line option <ignore_instance_parent_mode> + +.PP +The third field, \fImethod\fR, is the method used for polyinstantiation\&. It can take 3 different values; "user" for polyinstantiation based on user name, "context" for polyinstantiation based on process security context, and "both" for polyinstantiation based on both user name and security context\&. Methods "context" and "both" are only available with SELinux\&. This field cannot be blank\&. + +.PP +The fourth field, \fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed\&. If left blank, polyinstantiation will be performed for all users\&. + +.SH "EXAMPLES" + +.PP +These are some example lines which might be specified in \fI/etc/security/namespace\&.conf\fR\&. + +.nf + + # The following three lines will polyinstantiate /tmp, + # /var/tmp and user's home directories\&. /tmp and /var/tmp + # will be polyinstantiated based on both security context + # as well as user name, whereas home directory will be + # polyinstantiated based on security context only\&. + # Polyinstantiation will not be performed for user root + # and adm for directories /tmp and /var/tmp, whereas home + # directories will be polyinstantiated for all users\&. + # + # Note that instance directories do not have to reside inside + # the polyinstantiated directory\&. 
In the examples below, + # instances of /tmp will be created in /tmp\-inst directory, + # where as instances of /var/tmp and users home directories + # will reside within the directories that are being + # polyinstantiated\&. + # + /tmp /tmp\-inst/ both root,adm + /var/tmp /var/tmp/tmp\-inst/ both root,adm + $HOME $HOME/$USER\&.inst/inst\- context + +.fi + +.PP +For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam\&.d/<service> as the last line for session group: + +.PP +session required pam_namespace\&.so [arguments] + +.PP +This module also depends on pam_selinux\&.so setting the context\&. + +.SH "SEE ALSO" + +.PP + \fBpam_namespace\fR(8), \fBpam\&.d\fR(5), \fBpam\fR(8) + +.SH "AUTHORS" + +.PP +The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&. + |
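Review bot: the description of the second field, instance_prefix, says only that "the directory security context, or optionally its md5sum string (32 hex characters), is appended to the prefix", which does not match the third field, where method "user" polyinstantiates on user name alone; the text should state what is appended for each method ("user", "context", "both") so a reader can predict the instance path that will be bind mounted. Two smaller points in the same hunk: the fourth field is named list_of_uids but the text says it is "a comma separated list of user names", so either the field name or its description should change; and the sentence "The requirement that the instance parent be of mode 000 can be overridden with the command line option <ignore_instance_parent_mode>" is missing its full stop and would benefit from one sentence on why the parent must be mode 000 (so that unprivileged users cannot create or tamper with instance directories before they are mounted) before the override is documented, since it weakens that protection. In the example comments, "where as" should be "whereas".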