Bug 1861841 - The information about GDM and polyinstantiation in the pam_namespace manual page is incorrect and outdated.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pam
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: 8.0
Assignee: Iker Pedrosa
QA Contact: shridhar
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2020-07-29 17:24 UTC by Carlos Santos
Modified: 2021-05-18 14:59 UTC (History)

Fixed In Version: pam-1.3.1-13.el8
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 14:59:51 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1861769 | 0 | unspecified | CLOSED | Authentication fails when Wayland is enabled along with polyinstantiation of /tmp | 2023-06-27 12:17:34 UTC
Red Hat Bugzilla | 1861836 | 0 | medium | CLOSED | Polyinstantiation is ignored/bypassed in GNOME sessions | 2023-08-17 10:53:10 UTC
Red Hat Knowledge Base (Solution) | 5268601 | 0 | None | None | None | 2020-07-29 19:23:52 UTC

Description Carlos Santos 2020-07-29 17:24:27 UTC
Description of problem:

The information about GDM and polyinstantiation in the EXAMPLES section is
incorrect and outdated.

- There is no /usr/sbin/gdm-safe-restart in RHEL
- GDM does not recognize an AlwaysRestartServer configuration

Version-Release number of selected component (if applicable):

- gdm-3.28.3-29.el8.x86_64
- gnome-shell-3.32.2-14.el8.x86_64
- pam-1.3.1-8.el8.x86_64

How reproducible:

Always

Steps to Reproduce: not applicable

Actual results: not applicable

Expected results:

The manual page should not dive into details about GDM, since it can easily
become outdated. It's better to simply tell the user to consult the gdm
documentation.

Additional info:

Steps required to make gdm and gnome-session work with polyinstantiation are
outlined in Bug 1861769 and Bug 1861836.

Comment 2 Iker Pedrosa 2020-10-05 10:41:12 UTC
* master:
    * 491e5500b6b3913f531574208274358a2df88659 - pam_namespace: polyinstantiation refer to gdm doc

Comment 4 shridhar 2020-11-05 07:45:06 UTC
Tested with the following data:

On pam-1.3.1-11.el8 version:
# man pam_namespace 
<snip>
EXAMPLES
       For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:

       session required pam_namespace.so [arguments]

       To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default:

       /usr/sbin/gdm-safe-restart

       This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server. If polyinstantiation of /tmp is desired along with the graphical environment,
       then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets. Please use the
       initialization script /etc/security/namespace.init to ensure that the X server and its clients can appropriately access the communication socket X0. Please refer to the sample instructions provided
       in the comment section of the instance initialization script /etc/security/namespace.init. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp:

                 1. Disable the use of font server by commenting out "FontPath"
                    line in /etc/X11/xorg.conf. If you do want to use the font server
                    then you will have to augment the instance initialization
                    script to appropriately provide /tmp/.font-unix from the
                    polyinstantiated /tmp.
                 2. Ensure that the gdm service is setup to use pam_namespace,
                    as described above, by modifying /etc/pam.d/gdm.
                 3. Ensure that the display manager is configured to restart X server
                    with each new session. This default setup can be verified by
                    making sure that /usr/share/gdm/defaults.conf contains
                    "AlwaysRestartServer=true", and it is not overridden by
                    /etc/gdm/custom.conf.
</snip>

]# rpm -Uvh 
rpm: no packages given for install
[root@ci-vm-10-0-136-122 bz1810474-add-pam_usertype-module]# man pam_namespace
[root@ci-vm-10-0-136-122 bz1810474-add-pam_usertype-module]# rpm -Uvh pam-1.3.1-13.el8.x86_64.rpm 
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:pam-1.3.1-13.el8                 ################################# [ 50%]
Cleaning up / removing...
   2:pam-1.3.1-11.el8                 ################################# [100%]



On: pam-1.3.1-13.el8.x86_64

# man pam_namespace
<snip>
EXAMPLES
       For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:

       session required pam_namespace.so [arguments]

       To use polyinstantiation with graphical display manager gdm, please refer to gdm's documentation.
</snip>

Marking verified.

Comment 7 Steeve Goveas 2020-11-30 13:36:36 UTC
[root@auto-hv-01-guest01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.4 Beta (Ootpa)

[root@auto-hv-01-guest01 ~]# rpm -q pam
pam-1.3.1-11.el8.x86_64

[root@auto-hv-01-guest01 ~]# man pam_namespace | awk '/EXAMPLES/,/\/etc\/gdm\/custom.conf/'
EXAMPLES
       For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:

       session required pam_namespace.so [arguments]

       To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default:

       /usr/sbin/gdm-safe-restart

       This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server. If polyinstantiation of /tmp is desired along with the graphical environment,
       then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets. Please use the
       initialization script /etc/security/namespace.init to ensure that the X server and its clients can appropriately access the communication socket X0. Please refer to the sample instructions provided
       in the comment section of the instance initialization script /etc/security/namespace.init. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp:

                 1. Disable the use of font server by commenting out "FontPath"
                    line in /etc/X11/xorg.conf. If you do want to use the font server
                    then you will have to augment the instance initialization
                    script to appropriately provide /tmp/.font-unix from the
                    polyinstantiated /tmp.
                 2. Ensure that the gdm service is setup to use pam_namespace,
                    as described above, by modifying /etc/pam.d/gdm.
                 3. Ensure that the display manager is configured to restart X server
                    with each new session. This default setup can be verified by
                    making sure that /usr/share/gdm/defaults.conf contains
                    "AlwaysRestartServer=true", and it is not overridden by
                    /etc/gdm/custom.conf.

[root@auto-hv-01-guest01 ~]# yum update pam
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

created by yum config-manager from http://download.eng.bos.redhat.com/rhel-8/nightly/RHEL-8/latest-RHEL-8/compose/BaseOS/x86_64/os                                                  96 kB/s | 2.8 kB     00:00    
Dependencies resolved.
===================================================================================================================================================================================================================
 Package                   Architecture                 Version                               Repository                                                                                                      Size
===================================================================================================================================================================================================================
Upgrading:
 pam                       x86_64                       1.3.1-14.el8                          download.eng.bos.redhat.com_rhel-8_nightly_RHEL-8_latest-RHEL-8_compose_BaseOS_x86_64_os                       739 k

Transaction Summary
===================================================================================================================================================================================================================
Upgrade  1 Package

Total download size: 739 k
Is this ok [y/N]: y
Downloading Packages:
pam-1.3.1-14.el8.x86_64.rpm                                                                                                                                                         10 MB/s | 739 kB     00:00    
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                              9.9 MB/s | 739 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                           1/1 
  Upgrading        : pam-1.3.1-14.el8.x86_64                                                                                                                                                                   1/2 
  Running scriptlet: pam-1.3.1-14.el8.x86_64                                                                                                                                                                   1/2 
  Cleanup          : pam-1.3.1-11.el8.x86_64                                                                                                                                                                   2/2 
  Running scriptlet: pam-1.3.1-11.el8.x86_64                                                                                                                                                                   2/2 
  Verifying        : pam-1.3.1-14.el8.x86_64                                                                                                                                                                   1/2 
  Verifying        : pam-1.3.1-11.el8.x86_64                                                                                                                                                                   2/2 
Installed products updated.

Upgraded:
  pam-1.3.1-14.el8.x86_64                                                                                                                                                                                          

Complete!
[root@auto-hv-01-guest01 ~]# man pam_namespace | awk '/EXAMPLES/,/\/etc\/gdm\/custom.conf/'
EXAMPLES
       For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:

       session required pam_namespace.so [arguments]

       To use polyinstantiation with graphical display manager gdm, please refer to gdm's documentation.
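
The part of the EXAMPLES section that remains after the fix requires pam_namespace.so to be the last line of the session group in /etc/pam.d/<service>. The script below is an added example, not part of the bug report or of the pam package, that checks a service file for that placement. The function names and the two sample service files are constructed for illustration, and it assumes one rule per line (no backslash continuations).

```shell
#!/bin/sh
# Added example (not from the bug report): verify that pam_namespace.so is
# the last rule of the session group in a PAM service file.
# Assumption: rules are one per line (no backslash continuations).

# Print the module name of the last session rule in PAM file $1.
last_session_module() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }             # comments, blanks, fragments
        {
            type = $1
            sub(/^-/, "", type)                    # leading "-" marks a module that may be absent
            if (type != "session") next
            i = 2                                  # control field, possibly "[a=b c=d]"
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            last = $(i + 1)
            sub(/.*\//, "", last)                  # drop directory of absolute paths
        }
        END { print last }
    ' "$1"
}

# Succeed only if pam_namespace.so closes the session group of file $1.
namespace_is_last() {
    [ "$(last_session_module "$1")" = "pam_namespace.so" ]
}

# Constructed sample service files, written to a scratch directory.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/good" <<'EOF'
auth      include   system-auth
session   include   system-auth
# polyinstantiation must come last
session   required  pam_namespace.so unmnt_remnt
EOF
cat > "$SAMPLES/bad" <<'EOF'
session   required  pam_namespace.so
session   [success=1 default=ignore] pam_succeed_if.so quiet uid >= 1000
-session  optional  pam_systemd.so
EOF

for f in good bad; do
    if namespace_is_last "$SAMPLES/$f"; then
        echo "$f: pam_namespace.so is last in session group"
    else
        echo "$f: last session module is $(last_session_module "$SAMPLES/$f")"
    fi
done
```

Rules pulled in through include or substack lines are not followed, so a service file whose last session line is an include is reported as not ending in pam_namespace.so.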

Comment 10 errata-xmlrpc 2021-05-18 14:59:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pam bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1649

