Description of problem: When polyinstantiation is enabled and a user logs in via GDM, applications that are started via systemd (e.g. gnome-terminal) do not run in the same namespace of gnome-shell and therefore bypass the polyinstantiation. Version-Release number of selected component (if applicable): - gdm-3.28.3-29.el8.x86_64 - gnome-shell-3.32.2-14.el8.x86_64 - pam-1.3.1-8.el8.x86_64 - selinux-policy-3.14.3-41.el8_2.5.noarch - gnome-session-3.28.1-8.el8.x86_64 - gnome-session-wayland-session-3.28.1-8.el8.x86_64 - gnome-session-xsession-3.28.1-8.el8.x86_64 How reproducible: Always Steps to Reproduce: 1. Enable Wayland in /etc/gdm/custom.conf; optionally log in choosing a "X11 display server" session, in step 6. 2. Ensure that /etc/pam.d/gdm-* use pam_namespace.so session required pam_namespace.so 3. Enable polyinstantiation of /tmp and $HOME in /etc/security/namespace.conf $HOME $HOME/$USER.inst/ level 4. If SELinux is in use, enable polyinstantiation # setsebool -P allow_polyinstantiation 1 5. Restart gdm # systemctl restart gdm.service 6. Try to log in as an ordinary user. If Wayland was not disabled in step 1, log in choosing a "X11 display server" session. 7. Open a gnome-terminal window and run $ ps -eo pid,user,mntns,command --sort mntns | fgrep " $(id -nu) " | fgrep -e gnome-terminal-server -e gnome-session-binary -e 'systemd --user' Actual results: The namespace inode numbers of gnome-session-binary and gnome-terminal-server are not the same. Example: 106296 casantos 4026531840 /usr/lib/systemd/systemd --user 106979 casantos 4026531840 /usr/libexec/gnome-terminal-server 106375 casantos 4026532604 /usr/libexec/gnome-session-binary Expected results: The namespace inode numbers of gnome-session-binary and gnome-terminal-server should be the same. Example: 108479 casantos 4026531840 /usr/lib/systemd/systemd --user 108559 casantos 4026532604 /usr/libexec/gnome-session-binary 109178 casantos 4026532604 /usr/libexec/gnome-terminal-server Since the processes started by systemd --user do dot run in the same namespace of gnome-session-binary, the polyinstantiation of $HOME does not have effect. Additional info: The problem can be circumvented by adding a session init script that updates the DBUS_SESSION_BUS_ADDRESS and DBUS_SESSION_BUS_PID environment variables. Example: # cat /etc/X11/xinit/xinitrc.d/99-override-message-bus.sh eval $(dbus-launch --sh-syntax --exit-with-session)
This issue seems to be somewhere between gdm, pam and systemd. Switching the component for systemd folks for their take on this. selinux-policy does not seem to be involved.
Tested on RHEL9. I can confirm there is no poly-instantiation when login graphically. The pam_namespace module needs to be loaded somewhere by /etc/pam.d/systemd-user. Trying to add it as below makes gnome-shell crash: ~~~ ... session required pam_loginuid.so session required pam_namespace.so session include system-auth ~~~ Crash: ~~~ Jun 24 11:25:50 vm-poly9 gnome-shell[14801]: Failed to start X Wayland: Directory "/tmp/.X11-unix" is not writable Jun 24 11:25:50 vm-poly9 kernel: traps: gnome-shell[14801] trap int3 ip:7fa8e94e283f sp:7fffb950fa70 error:0 in libglib-2.0.so.0.6800.4[7fa8e94a6000+90000] Jun 24 11:25:50 vm-poly9 systemd[1]: Started Process Core Dump (PID 14836/UID 0). Jun 24 11:25:50 vm-poly9 systemd-coredump[14838]: Resource limits disable core dumping for process 14801 (gnome-shell). Jun 24 11:25:50 vm-poly9 systemd-coredump[14838]: [🡕] Process 14801 (gnome-shell) of user 1000 dumped core. Jun 24 11:25:50 vm-poly9 systemd[14693]: org.gnome.Shell: Main process exited, code=dumped, status=5/TRAP ~~~ However if I disable Wayland, it works fine, I get the polyinstantiation. So I would say the issue in on both sides: - systemd (for systemd-user PAM) - wayland (for the crash)
(In reply to Renaud Métrich from comment #9) > However if I disable Wayland, it works fine, I get the polyinstantiation. > > So I would say the issue in on both sides: > - systemd (for systemd-user PAM) > - wayland (for the crash) FWIW, Wayland isn't a piece of software, it's a protocol implemented by a number of compositors, one of them being gnome-shell. The crash seems to happen in gnome-shell. I don't know if the crash is caused by it not being able to instantiate XWayland, but it would be nice to have a backtrace with debugging symbols from that (coredumpctl can help there). X Wayland is a X11 server that runs on top of Wayland compositors, so is not strictly required.
fix merged to github main branch -> https://github.com/redhat-plumbers/systemd-rhel8/pull/354
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (systemd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2985