Bug 1861769 - Authentication fails when Wayland is enabled along with polyinstantiation of /tmp
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: mutter
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Jonas Ådahl
QA Contact: Tomas Pelka
Reported: 2020-07-29 14:04 UTC by Carlos Santos
Modified: 2021-10-01 12:45 UTC

Fixed In Version: mutter-3.32.2-54.el8
Last Closed: 2021-05-18 14:38:46 UTC
Type: Bug

Links
System | ID | Private | Priority | Status | Summary | Last Updated
GNOME Gitlab | GNOME mutter merge_requests 1625 | 0 | None | None | None | 2020-12-08 17:35:58 UTC
Red Hat Knowledge Base (Solution) | 5268601 | 0 | None | None | None | 2020-07-29 19:23:01 UTC

Internal Links: 1861841

Description Carlos Santos 2020-07-29 14:04:29 UTC
Description of problem:

Ordinary users can't log in when Wayland is enabled and polyinstantiation of
/tmp is enabled.

Version-Release number of selected component (if applicable):

- gdm-3.28.3-29.el8.x86_64
- gnome-shell-3.32.2-14.el8.x86_64
- pam-1.3.1-8.el8.x86_64
- selinux-policy-3.14.3-41.el8_2.5.noarch

How reproducible:

Always

Steps to Reproduce:

1. Enable Wayland in /etc/gdm/custom.conf

2. Ensure that /etc/pam.d/gdm-* use pam_namespace.so

   session required pam_namespace.so

3. Enable polyinstantiation of /tmp in /etc/security/namespace.conf

   /tmp /tmp-inst/ level root,adm

4. If SELinux is in use, enable polyinstantiation

   # setsebool -P allow_polyinstantiation 1

5. Restart gdm

   # systemctl restart gdm.service

6. Try to log in as an ordinary user

Actual results:

The login fails and the journal shows a sequence of messages like this

# journalctl --no-pager --this-boot | fgrep /tmp/.X11-unix

Jul 27 14:54:21 rhel-8-2.example.com gnome-shell[4812]: failed to bind to /tmp/.X11-unix/X0: Permission denied
[...]
Jul 27 14:54:22 rhel-8-2.example.com gnome-shell[4812]: failed to bind to /tmp/.X11-unix/X9997: Permission denied

Expected results:

The user should be able to log in without errors.

Additional info:

The problem can be circumvented by disabling Wayland. gdm will start a new Xorg
process for the user session which will use the polyinstantiated /tmp.

Comment 1 Carlos Santos 2020-07-29 14:12:27 UTC
Another workaround is to log in choosing a "X11 display server" session.

Comment 2 Ray Strode [halfline] 2020-07-29 15:46:04 UTC
mutter should use -displayfd to find a free display number, not try to figure out one itself.

Comment 5 Jonas Ådahl 2020-12-08 15:03:04 UTC
(In reply to Ray Strode [halfline] from comment #2)
> mutter should use -displayfd to find a free display number, not try to
> figure out one itself.

No, it must find it itself, since it will only sometimes even launch Xwayland so it won't be able to receive any fds via -displayfd. What we should probably do instead is being less dramatic, change the g_warning() to g_debug() then add a friendly log entry about what displays we found usable.

Comment 6 Jonas Ådahl 2020-12-08 17:44:06 UTC
(In reply to Jonas Ådahl from comment #5)
> (In reply to Ray Strode [halfline] from comment #2)
> > mutter should use -displayfd to find a free display number, not try to
> > figure out one itself.
> 
> No, it must find it itself, since it will only sometimes even launch
> Xwayland so it won't be able to receive any fds via -displayfd. What we
> should probably do instead is being less dramatic, change the g_warning() to
> g_debug() then add a friendly log entry about what displays we found usable.

Ah, this is not enough, mutter needs to learn how to find an appropriate polyinstantiation able display itself.

Comment 7 Jonas Ådahl 2020-12-09 14:55:09 UTC
Ensuring /tmp/.X11-unix/ exists before creating the socket seems to be enough; with that in place I can login without issue with polyinstantiation enabled, while before I got the many error messages.
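
The approach Comment 7 describes, ensuring the socket directory exists before binding, sketched in C as an added example (not mutter's code and not part of the original bug report). The function names and the scratch directory are constructed for illustration; in this sandbox the missing directory surfaces as ENOENT, which need not match the errno logged on the reporter's system.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Ensure dir exists as a sticky, world-writable directory. 0, or -1 + errno. */
int ensure_socket_dir(const char *dir)
{
    struct stat st;
    if (mkdir(dir, 01777) == 0)
        return chmod(dir, 01777);   /* mkdir() mode is masked by the umask */
    if (errno != EEXIST || lstat(dir, &st) != 0)
        return -1;
    if (S_ISDIR(st.st_mode))        /* lstat: a symlink or file is rejected */
        return 0;
    errno = ENOTDIR;
    return -1;
}

/* Bind and listen on <dir>/X<display>. Returns the fd, or a negative errno. */
int bind_display_socket(const char *dir, int display)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int fd, err;
    if (snprintf(addr.sun_path, sizeof addr.sun_path, "%s/X%d", dir, display)
            >= (int)sizeof addr.sun_path)
        return -ENAMETOOLONG;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -errno;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) == 0 && listen(fd, 1) == 0)
        return fd;
    err = errno;                    /* close() may overwrite errno */
    close(fd);
    return -err;
}

int main(void)
{
    char base[] = "/tmp/x11-demo-XXXXXX", dir[64];   /* constructed, empty "/tmp" */
    if (!mkdtemp(base) || snprintf(dir, sizeof dir, "%s/.X11-unix", base) < 0)
        return 1;
    int before = bind_display_socket(dir, 0);        /* directory not there yet */
    int made = ensure_socket_dir(dir);
    printf("before=%d ensure=%d after=%d\n", before, made, bind_display_socket(dir, 0));
    return 0;
}
```

The lstat() check matters when the directory is not freshly created: in a /tmp shared with other users, a pre-existing symlink or regular file at that path is refused rather than followed.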

Comment 18 errata-xmlrpc 2021-05-18 14:38:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: GNOME security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1586

