Status: IN
SELinux polyinstantiation provides per-user or per-security-level directory isolation: configured in `/etc/security/namespace.conf` (not `namespace.d`), enforced via the `pam_namespace.so` PAM module, gated by the `allow_polyinstantiation` boolean, using the `user` method on non-MLS systems and the `level` method on MLS systems, verifiable with `findmnt`.