{"id":"selinux-polyinstantiation-isolation-mechanism","text":"SELinux polyinstantiation provides per-user or per-security-level directory isolation: configured in `/etc/security/namespace.conf` (not `namespace.d`), enforced via the `pam_namespace.so` PAM module, gated by the `allow_polyinstantiation` boolean, using the `user` method on non-MLS systems and the `level` method on MLS systems, verifiable with `findmnt`.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"selinux-polyinstantiation-isolation-mechanism","truth_value":"IN","reason":"premise"}]}}