1 files changed, 50 insertions, 43 deletions

diff --git a/modules/pam_namespace/README b/modules/pam_namespace/README
index 7edfe55e..c47ba232 100644
--- a/modules/pam_namespace/README
+++ b/modules/pam_namespace/README
@@ -1,3 +1,7 @@
+pam_namespace — PAM module for configuring namespace for a session
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
 
 pam_namespace module:
 Setup a private namespace with polyinstantiated directories.
@@ -24,25 +28,25 @@ Where:
       This field cannot be blank.
 
 <instance_prefix> - is the string prefix used to build the pathname for the
-	instantiation of <polydir>. The directory security context, or
-	optionally its md5sum string (32 hex characters), is appended to
+        instantiation of <polydir>. The directory security context, or
+        optionally its md5sum string (32 hex characters), is appended to
         the prefix to generate the final instance directory path.
         This directory is created if it did not exist already, and is then
-	bind mounted on the <polydir> to provide an instance of <polydir>
-	based on the <method> column. The special string $HOME is replaced with
-	the user's home directory, and $USER with the username.
-	This field cannot be blank.
+        bind mounted on the <polydir> to provide an instance of <polydir>
+        based on the <method> column. The special string $HOME is replaced with
+        the user's home directory, and $USER with the username.
+        This field cannot be blank.
 
 <method> - is the method used for polyinstantiation. It can take 3 different
-	values; "user" for polyinstantiation based on user name, "context"
-	for polyinstantiation based on process security context, and "both"
-	for polyinstantiation based on both user name and security context.
-	Methods "context" and "both" are only available with SELinux. This
-	field cannot be blank.
+        values; "user" for polyinstantiation based on user name, "context"
+        for polyinstantiation based on process security context, and "both"
+        for polyinstantiation based on both user name and security context.
+        Methods "context" and "both" are only available with SELinux. This
+        field cannot be blank.
 
 <list_of_uids> - is a comma separated list of user names for whom the
-	polyinstantiation is not performed. If left blank, polyinstantiation
-	will be performed for all users.
+        polyinstantiation is not performed. If left blank, polyinstantiation
+        will be performed for all users.
 
 EXAMPLE /etc/security/namespace.conf configuration file:
 =======================================================
@@ -68,55 +72,58 @@ EXAMPLE /etc/security/namespace.conf configuration file:
 # caution, as it will reduce security and isolation achieved by
 # polyinstantiation.
 #
-/tmp     /tmp-inst/       	both      root,adm
-/var/tmp /var/tmp/tmp-inst/   	both      root,adm
+/tmp     /tmp-inst/             both      root,adm
+/var/tmp /var/tmp/tmp-inst/     both      root,adm
 $HOME    $HOME/$USER.inst/inst- context
 
 ARGUMENTS RECOGNIZED:
     debug
-	Verbose logging by syslog
+        Verbose logging by syslog
 
     unmnt_remnt
-	For programs such as su and newrole, the login session has
-	already setup a polyinstantiated namespace. For these programs,
-	polyinstantiation is performed based on new user id or security
-	context, however the command first needs to undo the
-	polyinstantiation performed by login. This argument instructs
-	the command to first undo previous polyinstantiation before
-	proceeding with new polyinstantiation based on new id/context.
+        For programs such as su and newrole, the login session has
+        already setup a polyinstantiated namespace. For these programs,
+        polyinstantiation is performed based on new user id or security
+        context, however the command first needs to undo the
+        polyinstantiation performed by login. This argument instructs
+        the command to first undo previous polyinstantiation before
+        proceeding with new polyinstantiation based on new id/context.
 
     unmnt_only
-	For trusted programs that want to undo any existing bind mounts
-	and process instance directories on their own, this argument
-	allows them to unmount currently mounted instance directories.
+        For trusted programs that want to undo any existing bind mounts
+        and process instance directories on their own, this argument
+        allows them to unmount currently mounted instance directories.
 
     require_selinux
-	If selinux is not enabled, return failure.
+        If selinux is not enabled, return failure.
 
     gen_hash
-	Instead of using the security context string for the instance
-	name, generate and use its md5 hash.
+        Instead of using the security context string for the instance
+        name, generate and use its md5 hash.
 
     ignore_config_error
-	If a line in the configuration file corresponding to a
-	polyinstantiated directory contains format error, skip that
-	line process the next line. Without this option, pam will return
-	an error to the calling program resulting in termination
-	of the session.
+        If a line in the configuration file corresponding to a
+        polyinstantiated directory contains format error, skip that
+        line process the next line. Without this option, pam will return
+        an error to the calling program resulting in termination
+        of the session.
 
     ignore_instance_parent_mode
-	Instance parent directories by default are expected to have
-	the restrictive mode of 000. Using this option, an administrator
-	can choose to ignore the mode of the instance parent.
+        Instance parent directories by default are expected to have
+        the restrictive mode of 000. Using this option, an administrator
+        can choose to ignore the mode of the instance parent.
 
 MODULE SERVICES PROVIDED:
-	session            open_session and close_session
+        session            open_session and close_session
 
 USAGE:
-	For the <service>s you need polyinstantiation (login for example)
-	put the following line in /etc/pam.d/<service> as the last line for 
-	session group:
+        For the <service>s you need polyinstantiation (login for example)
+        put the following line in /etc/pam.d/<service> as the last line for
+        session group:
+
+        session  required  pam_namespace.so [arguments]
+
+        This module also depends on pam_selinux.so setting the context.
+
 
-	session  required  pam_namespace.so [arguments]
 
-	This module also depends on pam_selinux.so setting the context.