Bug 2218184 - [spec] Polyinstantiation is ignored/bypassed in GNOME sessions
Summary: [spec] Polyinstantiation is ignored/bypassed in GNOME sessions
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: systemd
Version: CentOS Stream
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jan Macku
QA Contact: Frantisek Sumsal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-06-28 11:37 UTC by Jan Macku
Modified: 2023-08-17 10:16 UTC (History)

Fixed In Version: systemd-252-16.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github redhat-plumbers systemd-rhel9 pull 179 0 None open pam: add a call to pam_namespace 2023-06-28 13:02:31 UTC
Github systemd systemd pull 25502 0 None Merged Add pam_namespace to user@.service pam stack 2023-06-28 11:40:54 UTC
Gitlab redhat/centos-stream/rpms systemd merge_requests 82 0 None opened pam: add a call to pam_namespace 2023-06-28 13:02:31 UTC
Red Hat Issue Tracker RHELPLAN-161062 0 None None None 2023-06-28 11:40:29 UTC

Description Jan Macku 2023-06-28 11:37:46 UTC
This bug was initially created as a copy of Bug #1861836

I am copying this bug because: 

The same issue is present on RHEL9

Description of problem:

When polyinstantiation is enabled and a user logs in via GDM, applications that
are started via systemd (e.g. gnome-terminal) do not run in the same namespace
as gnome-shell and therefore bypass the polyinstantiation.

Version-Release number of selected component (if applicable):

- gdm-3.28.3-29.el8.x86_64
- gnome-shell-3.32.2-14.el8.x86_64
- pam-1.3.1-8.el8.x86_64
- selinux-policy-3.14.3-41.el8_2.5.noarch
- gnome-session-3.28.1-8.el8.x86_64
- gnome-session-wayland-session-3.28.1-8.el8.x86_64
- gnome-session-xsession-3.28.1-8.el8.x86_64

How reproducible:

Always

Steps to Reproduce:

1. Enable Wayland in /etc/gdm/custom.conf; optionally log in choosing an "X11
display server" session, in step 6.

2. Ensure that /etc/pam.d/gdm-* use pam_namespace.so

   session required pam_namespace.so

3. Enable polyinstantiation of /tmp and $HOME in /etc/security/namespace.conf

   $HOME $HOME/$USER.inst/ level

4. If SELinux is in use, enable polyinstantiation

   # setsebool -P allow_polyinstantiation 1

5. Restart gdm

   # systemctl restart gdm.service

6. Try to log in as an ordinary user. If Wayland was not disabled in step 1,
   log in choosing an "X11 display server" session.

7. Open a gnome-terminal window and run

   $ ps -eo pid,user,mntns,command --sort mntns | fgrep " $(id -nu) " | fgrep -e gnome-terminal-server -e gnome-session-binary -e 'systemd --user'

Actual results:

The namespace inode numbers of gnome-session-binary and gnome-terminal-server
are not the same. Example:

 106296 casantos 4026531840 /usr/lib/systemd/systemd --user
 106979 casantos 4026531840 /usr/libexec/gnome-terminal-server
 106375 casantos 4026532604 /usr/libexec/gnome-session-binary

Expected results:

The namespace inode numbers of gnome-session-binary and gnome-terminal-server
should be the same. Example:

 108479 casantos 4026531840 /usr/lib/systemd/systemd --user
 108559 casantos 4026532604 /usr/libexec/gnome-session-binary
 109178 casantos 4026532604 /usr/libexec/gnome-terminal-server

Since the processes started by systemd --user do not run in the same namespace
as gnome-session-binary, the polyinstantiation of $HOME has no effect.

Additional info:

The problem can be circumvented by adding a session init script that updates
the DBUS_SESSION_BUS_ADDRESS and DBUS_SESSION_BUS_PID environment variables.

Example:

  # cat /etc/X11/xinit/xinitrc.d/99-override-message-bus.sh
  eval $(dbus-launch --sh-syntax --exit-with-session)
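An added verification script (not part of the bug report or of the linked fixes) for the reproduction steps above: it applies the report's mount-namespace comparison to `ps` lines, with the report's actual and expected output embedded as constructed samples, and also checks the user@.service PAM stack for pam_namespace.so, assuming that stack lives in /etc/pam.d/systemd-user.

```shell
#!/bin/sh
# Added check, not part of the bug report. Decides whether the processes the
# reporter compares share a mount namespace, from `ps -o pid,user,mntns,command`
# style lines on stdin or from the live process table.

# Print the mntns column (third field) of the first line containing $1.
mntns_of() {
    awk -v pat="$1" 'index($0, pat) { print $3; exit }'
}

# Read ps-style lines from stdin. Exit 0 when gnome-session-binary and
# gnome-terminal-server share a mount namespace (polyinstantiation holds),
# 1 when they differ (the bug), 2 when either process is absent.
check_same_mntns() {
    lines=$(cat)
    session=$(printf '%s\n' "$lines" | mntns_of gnome-session-binary)
    terminal=$(printf '%s\n' "$lines" | mntns_of gnome-terminal-server)
    [ -n "$session" ] && [ -n "$terminal" ] || return 2
    [ "$session" = "$terminal" ]
}

# Live check: the same ps invocation as step 7 of the report.
check_live() {
    ps -eo pid,user,mntns,command --sort mntns \
        | fgrep " $(id -nu) " \
        | fgrep -e gnome-terminal-server -e gnome-session-binary -e 'systemd --user' \
        | check_same_mntns
}

# Assumption: the user@.service PAM stack is /etc/pam.d/systemd-user.
# Exit 0 if pam_namespace.so is an active (uncommented) session entry there.
pam_namespace_in_user_stack() {
    grep -Eq '^[[:space:]]*session.*pam_namespace\.so' "${1:-/etc/pam.d/systemd-user}"
}

# Constructed samples, copied from the report's "Actual" and "Expected" output.
buggy_sample() {
    printf '%s\n' \
        '106296 casantos 4026531840 /usr/lib/systemd/systemd --user' \
        '106979 casantos 4026531840 /usr/libexec/gnome-terminal-server' \
        '106375 casantos 4026532604 /usr/libexec/gnome-session-binary'
}
fixed_sample() {
    printf '%s\n' \
        '108479 casantos 4026531840 /usr/lib/systemd/systemd --user' \
        '108559 casantos 4026532604 /usr/libexec/gnome-session-binary' \
        '109178 casantos 4026532604 /usr/libexec/gnome-terminal-server'
}
```

On a real desktop session, run `check_live` from a gnome-terminal window after step 7; an exit status of 1 reproduces the bug, 0 shows the fixed behaviour.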

