Bug 2218184

Summary: [spec] Polyinstantiation is ignored/bypassed in GNOME sessions
Product: Red Hat Enterprise Linux 9 Reporter: Jan Macku <jamacku>
Component: systemdAssignee: Jan Macku <jamacku>
Status: VERIFIED --- QA Contact: Frantisek Sumsal <fsumsal>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: CentOS StreamCC: bstinson, jwboyer, systemd-maint-list
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: systemd-252-16.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Macku 2023-06-28 11:37:46 UTC 
This bug was initially created as a copy of Bug #1861836

I am copying this bug because: 

The same issue is present on RHEL9

Description of problem:

When polyinstantiation is enabled and a user logs in via GDM, applications that
are started via systemd (e.g. gnome-terminal) do not run in the same namespace
of gnome-shell and therefore bypass the polyinstantiation.

Version-Release number of selected component (if applicable):

- gdm-3.28.3-29.el8.x86_64
- gnome-shell-3.32.2-14.el8.x86_64
- pam-1.3.1-8.el8.x86_64
- selinux-policy-3.14.3-41.el8_2.5.noarch
- gnome-session-3.28.1-8.el8.x86_64
- gnome-session-wayland-session-3.28.1-8.el8.x86_64
- gnome-session-xsession-3.28.1-8.el8.x86_64

How reproducible:

Always

Steps to Reproduce:

1. Enable Wayland in /etc/gdm/custom.conf; optionally log in choosing a "X11
display server" session, in step 6.

2. Ensure that /etc/pam.d/gdm-* use pam_namespace.so

   session required pam_namespace.so

3. Enable polyinstantiation of /tmp and $HOME in /etc/security/namespace.conf

   $HOME $HOME/$USER.inst/ level

4. If SELinux is in use, enable polyinstantiation

   # setsebool -P allow_polyinstantiation 1

5. Restart gdm

   # systemctl restart gdm.service

6. Try to log in as an ordinary user. If Wayland was not disabled in step 1,
   log in choosing a "X11 display server" session.

7. Open a gnome-terminal window and run

   $ ps -eo pid,user,mntns,command --sort mntns | fgrep " $(id -nu) " | fgrep -e gnome-terminal-server -e gnome-session-binary -e 'systemd --user'

Actual results:

The namespace inode numbers of gnome-session-binary and gnome-terminal-server
are not the same. Example:

 106296 casantos 4026531840 /usr/lib/systemd/systemd --user
 106979 casantos 4026531840 /usr/libexec/gnome-terminal-server
 106375 casantos 4026532604 /usr/libexec/gnome-session-binary

Expected results:

The namespace inode numbers of gnome-session-binary and gnome-terminal-server
should be the same. Example:

 108479 casantos 4026531840 /usr/lib/systemd/systemd --user
 108559 casantos 4026532604 /usr/libexec/gnome-session-binary
 109178 casantos 4026532604 /usr/libexec/gnome-terminal-server

Since the processes started by systemd --user do dot run in the same namespace
of gnome-session-binary, the polyinstantiation of $HOME does not have effect.

Additional info:

The problem can be circumvented by adding a session init script that updates
the DBUS_SESSION_BUS_ADDRESS and DBUS_SESSION_BUS_PID environment variables.

Example:

  # cat /etc/X11/xinit/xinitrc.d/99-override-message-bus.sh
  eval $(dbus-launch --sh-syntax --exit-with-session)