Bug 1861769

Summary: Authentication fails when Wayland is enabled along with polyinstantiation of /tmp
Product: Red Hat Enterprise Linux 8
Component: mutter
Version: 8.2
Status: CLOSED ERRATA
Reporter: Carlos Santos <casantos>
Assignee: Jonas Ådahl <jadahl>
QA Contact: Tomas Pelka <tpelka>
CC: fmuellner, hdegoede, modehnal, tpelka
Severity: unspecified
Priority: unspecified
Keywords: Triaged
Flags: pm-rhel: mirror+
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: mutter-3.32.2-54.el8
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2021-05-18 14:38:46 UTC

Description Carlos Santos 2020-07-29 14:04:29 UTC
Description of problem:

Ordinary users can't log in when Wayland is enabled and polyinstantiation of
/tmp is enabled.

Version-Release number of selected component (if applicable):

- gdm-3.28.3-29.el8.x86_64
- gnome-shell-3.32.2-14.el8.x86_64
- pam-1.3.1-8.el8.x86_64
- selinux-policy-3.14.3-41.el8_2.5.noarch

How reproducible:

Always

Steps to Reproduce:

1. Enable Wayland in /etc/gdm/custom.conf

2. Ensure that /etc/pam.d/gdm-* use pam_namespace.so

   session required pam_namespace.so

3. Enable polyinstantiation of /tmp in /etc/security/namespace.conf

   /tmp /tmp-inst/ level root,adm

4. If SELinux is in use, enable polyinstantiation

   # setsebool -P allow_polyinstantiation 1

5. Restart gdm

   # systemctl restart gdm.service

6. Try to log in as an ordinary user

Actual results:

The login fails and the journal shows a sequence of messages like this:

# journalctl --no-pager --this-boot | fgrep /tmp/.X11-unix

Jul 27 14:54:21 rhel-8-2.example.com gnome-shell[4812]: failed to bind to /tmp/.X11-unix/X0: Permission denied
[...]
Jul 27 14:54:22 rhel-8-2.example.com gnome-shell[4812]: failed to bind to /tmp/.X11-unix/X9997: Permission denied

Expected results:

The user should be able to log in without errors.

Additional info:

The problem can be circumvented by disabling Wayland. gdm will start a new Xorg
process for the user session which will use the polyinstantiated /tmp.

Comment 1 Carlos Santos 2020-07-29 14:12:27 UTC
Another workaround is to log in choosing a "X11 display server" session.

Comment 2 Ray Strode [halfline] 2020-07-29 15:46:04 UTC
mutter should use -displayfd to find a free display number, not try to figure out one itself.

Comment 5 Jonas Ådahl 2020-12-08 15:03:04 UTC
(In reply to Ray Strode [halfline] from comment #2)
> mutter should use -displayfd to find a free display number, not try to
> figure out one itself.

No, it must find it itself, since it will only sometimes even launch Xwayland, so it won't be able to receive any fds via -displayfd. What we should probably do instead is be less dramatic: change the g_warning() to g_debug(), then add a friendly log entry about what displays we found usable.

Comment 6 Jonas Ådahl 2020-12-08 17:44:06 UTC
(In reply to Jonas Ådahl from comment #5)
> (In reply to Ray Strode [halfline] from comment #2)
> > mutter should use -displayfd to find a free display number, not try to
> > figure out one itself.
> 
> No, it must find it itself, since it will only sometimes even launch
> Xwayland so it won't be able to receive any fds via -displayfd. What we
> should probably do instead is being less dramatic, change the g_warning() to
> g_debug() then add a friendly log entry about what displays we found usable.

Ah, this is not enough; mutter needs to learn how to find an appropriate polyinstantiation-able display itself.

Comment 7 Jonas Ådahl 2020-12-09 14:55:09 UTC
Ensuring /tmp/.X11-unix/ exists before creating the socket seems to be enough; with that in place I can log in without issue with polyinstantiation enabled, while before I got the many error messages.
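The fix described in comment 7, as an added example in C that is not mutter's own code: make sure the socket directory exists (with the 01777 mode X servers expect) before scanning for a free display, and treat a bind() failure other than EADDRINUSE as a directory problem rather than moving on to the next number. `ensure_socket_dir()` and `find_free_display()` are hypothetical names; the directory is a parameter so the code can be exercised against a scratch path instead of the real /tmp/.X11-unix.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
/* Create the X socket directory with the sticky, world-writable mode X servers
 * expect (01777); succeed if it already exists as a directory. */
static int ensure_socket_dir(const char *dir)
{
    struct stat st;
    if (mkdir(dir, 01777) == 0)
        return chmod(dir, 01777);  /* mkdir honours umask; set the mode explicitly */
    if (errno != EEXIST)
        return -1;                 /* EACCES etc.: the directory is unusable */
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return 0;
}

/* Try display numbers first..last by binding dir/X<n>; return the number with
 * the bound socket in *out_fd, or -1 if all are taken. A bind() error other than
 * EADDRINUSE (e.g. EACCES) is a directory problem, not a busy display, so stop
 * at once instead of logging one failure per number for X0..X9997. */
int find_free_display(const char *dir, int first, int last, int *out_fd)
{
    if (ensure_socket_dir(dir) != 0)
        return -1;
    for (int n = first; n <= last; n++) {
        struct sockaddr_un addr;
        memset(&addr, 0, sizeof addr);
        addr.sun_family = AF_UNIX;
        if (snprintf(addr.sun_path, sizeof addr.sun_path, "%s/X%d", dir, n) >= (int) sizeof addr.sun_path)
            return -1;             /* path too long for sun_path */
        int fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (fd < 0)
            return -1;
        if (bind(fd, (struct sockaddr *) &addr, sizeof addr) == 0) {
            *out_fd = fd;
            return n;
        }
        int err = errno;
        close(fd);
        if (err != EADDRINUSE)
            return -1;
    }
    return -1;
}
```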

Comment 18 errata-xmlrpc 2021-05-18 14:38:46 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: GNOME security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1586