The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared-subtree feature. For additional information on shared-subtree feature, please refer to the mount(8) man page and the shared-subtree description at http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092.
Note that mounts and unmounts done in the private namespace will not affect the parent namespace if this option is used or when the shared / mount point is autodetected.
Only the session module type is provided. The module must not be called from multithreaded processes.
For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:
session required pam_namespace.so [arguments]
To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default:
This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets. Please use the initialization script /etc/security/namespace.init to ensure that the X server and its clients can appropriately access the communication socket X0. Please refer to the sample instructions provided in the comment section of the instance initialization script /etc/security/namespace.init. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp:
1. Disable the use of font server by commenting out "FontPath" line in /etc/X11/xorg.conf. If you do want to use the font server then you will have to augment the instance initialization script to appropriately provide /tmp/.font-unix from the polyinstantiated /tmp. 2. Ensure that the gdm service is setup to use pam_namespace, as described above, by modifying /etc/pam.d/gdm. 3. Ensure that the display manager is configured to restart X server with each new session. This default setup can be verified by making sure that /usr/share/gdm/defaults.conf contains "AlwaysRestartServer=true", and it is not overridden by /etc/gdm/custom.conf.
namespace.conf(5), pam.d(5), mount(8), pam(7).
The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers. The pam_namespace PAM module was developed by Janak Desai <firstname.lastname@example.org>, Chad Sellers <email@example.com> and Steve Grubb <firstname.lastname@example.org>. Additional improvements by Xavier Toth <email@example.com> and Tomas Mraz <firstname.lastname@example.org>.