
EDIT: Currently looking at this solution (namespaces), but still wouldn't mind any pointers for doing what I'm after another way.

We have a custom SELinux policy on CentOS 7.2 which confines users to a restricted form of the user_u role. Part of this disables the use of anything which accesses btmp/utmp/wtmp. This is done without the use of a private mount namespace. We'd like to be able to restrict the visibility of other currently-logged-in users.

It's still possible to list the users on the system by doing a df:

tmpfs                              380M     0  380M   0% /run/user/3435
tmpfs                              380M     0  380M   0% /run/user/3434

/proc/self/mounts (the ultimate pointee starting from /etc/mtab) will always list the system-wide mounts (again, this is without mount namespaces). As an aside, (and in case at all relevant), we have /proc mounted with the hidepid=2 option.

Question: Does anyone know a way of restricting /run/user/... from ending up in /proc/self/mounts? Mount namespaces have not been ruled out yet, but we'd like to explore alternatives, too.

  • For virtual filesystems you're probably going to have a hard time with SELinux since it depends on tagging. pam_namespace is probably your best bet (unless there's a systemd equivalent that I'm just not aware of). – Bratchley Jun 17 '16 at 13:58
  • TBH if you're this high security, you'll probably want to implement namespaces eventually. There are going to be other instances where they need some kind of /tmp but you don't want everyone sharing the same one. – Bratchley Jun 17 '16 at 13:59
  • Hi Bratchley - thanks for your reply. We currently implement polyinstantiated namespacing for /tmp and /var/tmp via pam_namespace. I thought it could also be appropriate for /run, but I now understand that each instance of /run/user/ is precisely that - already its own instance. I suppose I'll need to just go ahead with a full-on namespace. – swisscheese Jun 17 '16 at 14:10
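The df output in the question comes from /proc/self/mounts (df reads it via /etc/mtab), so the quickest way to verify whether a given confinement setup actually hides other users' runtime directories is to parse that table rather than trust the policy. The script below is an added example, not from the question or the comments: it lists the /run/user/N mount points in a mounts table that belong to a uid other than the caller's, and checks whether the session is in a private mount namespace by comparing /proc/self/ns/mnt with PID 1's (with hidepid=2, an unprivileged user cannot read /proc/1/ns/mnt, so that check reports "unknown"). The function names and the sample mounts table are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the sample
# mounts table below are constructed for illustration.

# foreign_run_user_mounts MOUNTS_FILE UID
# Print every /run/user/N mount point in MOUNTS_FILE whose N differs from UID.
# /proc/self/mounts fields: device mountpoint fstype options dump pass
foreign_run_user_mounts() {
    mounts_file=$1
    own_uid=$2
    awk -v own="$own_uid" '
        $2 ~ /^\/run\/user\/[0-9]+$/ {
            n = split($2, parts, "/")
            if (parts[n] != own) print $2
        }' "$mounts_file"
}

# count_foreign_run_user_mounts MOUNTS_FILE UID -> number of such entries
count_foreign_run_user_mounts() {
    foreign_run_user_mounts "$1" "$2" | wc -l | tr -d ' '
}

# in_private_mount_ns: exit 0 if this process's mount namespace differs from
# PID 1's (pam_namespace / unshare style), 1 if it is the same, 2 if unknown
# (e.g. /proc/1/ns/mnt unreadable because of hidepid=2 or missing privilege).
in_private_mount_ns() {
    own=$(readlink /proc/self/ns/mnt 2>/dev/null) || return 2
    init=$(readlink /proc/1/ns/mnt 2>/dev/null) || return 2
    if [ "$own" != "$init" ]; then
        return 0
    else
        return 1
    fi
}

# Constructed sample table mirroring the df output in the question.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
tmpfs /run/user/3435 tmpfs rw,nosuid,nodev,relatime,size=389000k,mode=700,uid=3435,gid=3435 0 0
tmpfs /run/user/3434 tmpfs rw,nosuid,nodev,relatime,size=389000k,mode=700,uid=3434,gid=3434 0 0
EOF

echo "Sample table, viewed as uid 3434: other users' runtime dirs visible:"
foreign_run_user_mounts "$SAMPLE_MOUNTS" 3434

# Live check on this host (whatever the verifier or reader runs it on).
if [ -r /proc/self/mounts ]; then
    live=$(count_foreign_run_user_mounts /proc/self/mounts "$(id -u)")
    echo "Live: $live /run/user/* entries belonging to other uids are visible"
fi

in_private_mount_ns && ns_state=0 || ns_state=$?
case "$ns_state" in
    0) echo "private mount namespace: yes" ;;
    1) echo "private mount namespace: no (sharing PID 1's namespace)" ;;
    *) echo "private mount namespace: unknown (cannot read /proc/1/ns/mnt)" ;;
esac
```

A non-zero live count with "private mount namespace: no" is exactly the situation described in the question: the SELinux policy confines the user, but the mount table is still the system-wide one. A private namespace only stops the leak for mounts created after the session's namespace was unshared (or for mounts that the session itself overmounts), so run the live check from a freshly logged-in session after enabling pam_namespace rather than from a shell that predates the change.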
