Problems with systemd in vncserver LXQT session with F43

Since upgrading my headless server to F43, the vncserver instance I use to run applications on that box has been having severe troubles with the systemd user session.

I can’t rule out that I may have created the problem myself due to the way the whole thing is set up. (It’s a configuration that’s developed organically, in bits and pieces, over some 10 years of Fedora releases. So, there may be suboptimal aspects of how everything is lashed together with duct tape and stubbornness.) But, I seem to mostly be using supported tools and standard configurations, and it was working before the upgrade, so I’m hoping there’s some way to get things back on track. Here’s what’s going on, and what I’ve been able to unearth so far regarding why:

The VNC desktop on the machine is an LXQT session, configured as a vncserver@:1.service templated unit in the root systemd that’s started at boot. I access the machine and its files by sftp-mounting it to my desktop system, by ssh-ing to its command line from gnome-terminal windows, and by opening vncviewer windows tunneled over ssh to use some GUI applications I keep running on it at all times. It’s those last interactions where the trouble has manifested.

The primary symptom is that any attempts at executing systemctl --user commands in the LXQT session’s terminal windows result in an instant failure:

$ systemctl --user
Failed to list units: Process org.freedesktop.systemd1 exited with status 1

In addition, most of the user units for my session aren’t being started like they should be when vncserver starts. systemd appears to be extremely broken in the LXQT session / vncserver X11 instance.

I can run sudo systemctl commands just fine (even from the VNC session), and I can use sudo -u ferd systemctl --user commands inside those VNC-hosted terminal windows to talk to some version of my user session manager without the commands crashing. It’s that aspect that led me to the most useful discoveries I’ve made so far about what seems to be happening.

By running all of the commands I mentioned above with SYSTEMD_LOG_LEVEL=debug in the process environment, I see that the difference between the sudo -u ferd commands and the ones without it is that they’re talking to different D-Bus session bus instances — apparently, one of which works, and the other which instantly crashes systemctl.

When run with the sudo wrapper, systemctl connects to a bus manager socket at /run/user/1000/bus and is able to activate and communicate with systemd to manage a user session. Without the sudo -u ferd, systemctl --user is attempting to access a session bus socket located in /tmp/. This d-bus instance, which apparently breaks systemctl, does appear to be the session bus for the LXQT session on the vncserver desktop. It’s owned by /usr/bin/dbus-daemon, and its address is set as the DBUS_SESSION_BUS_ADDRESS in my vncserver-hosted environment:

$ env |grep DBUS
DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/dbus-Qjt4Svew6q,guid=3f27532d8c889c8b4b9

$ sudo -u ferd env|grep DBUS 
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
$ SYSTEMD_LOG_LEVEL=debug systemctl --user |& grep -E '(bus|error)'     
$XDG_RUNTIME_DIR not set, unable to connect to private bus. Falling back to session bus.
sd-bus: starting bus by connecting to /tmp/dbus-Qjt4Svew6q...
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.70 path=n/a interface=n/a member=n/a  cookie=1 reply_cookie=1 signature=s error-name=n/a error-message=n/a
Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=ListUnitsByPatterns cookie=2 reply_cookie=0 signature=asas error-name=n/a error-message=n/a
Got message type=error sender=org.freedesktop.DBus destination=:1.70 path=n/a interface=n/a member=n/a  cookie=3 reply_cookie=2 signature=s error-name=org.freedesktop.DBus.Error.Spawn.ChildExited error-message=Process org.freedesktop.systemd1 exited with status 1

$ sudo -u ferd SYSTEMD_LOG_LEVEL=debug systemctl --user |& grep -E '(bus|error)'
sd-bus: starting bus by connecting to /run/user/1000/systemd/private...
Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=ListUnitsByPatterns cookie=1 reply_cookie=0 signature=asas error-name=n/a error-message=n/a
Got message type=method_return sender=org.freedesktop.systemd1 destination=n/a path=n/a interface=n/a member=n/a  cookie=1 reply_cookie=1 signature=a(ssssssouso) error-name=n/a error-message=n/a
  dbus-broker.service                                                                      loaded active running   D-Bus User Message Bus
  dbus.socket                                                                              loaded active running   D-Bus User Message Bus Socket

The reason dbus-daemon is running in the vncserver session is, it’s started by /etc/X11/xinit/xinitrc.d/00-start-message-bus.sh when Xvnc starts up:

$ grep -v '^#' /etc/X11/xinit/xinitrc.d/00-start-message-bus.sh
if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then
        eval `dbus-launch --sh-syntax --exit-with-session`
fi

But there’s also a dbus-broker daemon running under my UID, apparently started by /usr/lib/systemd/systemd --user , and that appears to be the owner of /run/user/1000/bus:

$ sudo lsof -p 6212 |grep -i bus
systemd 6212 ferd   12u     unix 0x000000006040bea8      0t0      35252 /run/user/1000/bus type=STREAM (LISTEN)
systemd 6212 ferd   26u     unix 0x00000000cde65c0e      0t0      34367 @ecbeecd98f2e02d6/bus/systemd/bus-system type=STREAM (CONNECTED)
systemd 6212 ferd   44u     unix 0x00000000d75cab3c      0t0      38095 @faf1d3104b5def6f/bus/systemd/bus-api-user type=STREAM (CONNECTED)

The dbus-daemon instance is provided by the dbus-daemon package, and the config file that launches it comes from dbus-x11. But I can’t remove either of those packages without them taking major parts of the desktop session with them:

$ sudo dnf remove dbus-x11
Package                   Arch   Version                  Repository        Size
Removing:
 dbus-x11                 x86_64 1:1.16.0-4.fc43          fedora        35.9 KiB
Removing dependent packages:
 firewall-config          noarch 2.3.1-5.fc43             fedora         1.0 MiB
 lxqt-panel               x86_64 2.2.2-3.fc43             updates        5.6 MiB
 lxqt-panel-devel         x86_64 2.2.2-3.fc43             updates       16.7 KiB
 lxqt-runner              x86_64 2.2.0-2.fc43             fedora       420.4 KiB
 lxqt-x11-session         noarch 2.2.0-5.fc43             fedora         6.2 KiB
 system-config-printer    x86_64 1.5.18-16.fc43           fedora         1.8 MiB
 tigervnc-server          x86_64 1.15.0-7.fc43            fedora       613.3 KiB
 tigervnc-server-minimal  x86_64 1.15.0-7.fc43            fedora         2.9 MiB
 xpra                     x86_64 1:6.3.4-1.fc43           updates       26.3 MiB
Removing unused dependencies:
 libgle                   x86_64 3.1.0-36.fc43            fedora       138.8 KiB
 libstatgrab              x86_64 1:0.92.1-14.fc43         fedora       140.2 KiB
 libsysstat               x86_64 1.1.0-3.fc43             fedora       106.3 KiB
 log4cplus                x86_64 2.1.2-3.fc43             fedora         1.3 MiB
 lxqt-globalkeys          x86_64 2.2.0-2.fc43             fedora       797.4 KiB
 lxqt-menu-data           noarch 2.2.0-2.fc43             fedora       195.0 KiB
 python3-lz4              x86_64 4.4.4-3.fc43             fedora         6.1 MiB
 tigervnc-selinux         noarch 1.15.0-7.fc43            fedora        14.8 KiB
 xorg-x11-drv-dummy       x86_64 0.4.1-7.fc43             fedora        29.1 KiB
 xscreensaver             x86_64 1:6.12-3.fc43            fedora         0.0   B
 xscreensaver-base        x86_64 1:6.12-3.fc43            fedora         1.7 MiB
 xscreensaver-extras      x86_64 1:6.12-3.fc43            fedora        10.5 MiB
 xscreensaver-extras-base x86_64 1:6.12-3.fc43            fedora       684.0 KiB
 xscreensaver-gl-base     x86_64 1:6.12-3.fc43            fedora        20.3 KiB
 xscreensaver-gl-extras   x86_64 1:6.12-3.fc43            fedora        40.4 MiB

Transaction Summary:
 Removing:          25 packages

After this operation, 101 MiB will be freed (install 0 B, remove 101 MiB).
Is this ok [y/N]: n
Operation aborted by the user.

$ sudo dnf remove dbus-daemon
Package                                    Arch   Version                 Reposit      Size
Removing:
 dbus-daemon                               x86_64 1:1.16.0-4.fc43         fedora  440.2 KiB
Removing dependent packages:
 dbus-tests                                x86_64 1:1.16.0-4.fc43         fedora    1.8 MiB
 dbus-x11                                  x86_64 1:1.16.0-4.fc43         fedora   35.9 KiB
 firewall-config                           noarch 2.3.1-5.fc43            fedora    1.0 MiB
 gdm                                       x86_64 1:49.1-1.fc43           fedora    5.0 MiB
 gnome-initial-setup                       x86_64 49.0-1.fc43             fedora    1.9 MiB
 gnome-session-wayland-session             x86_64 49.1-1.fc43             fedora   16.2 KiB
 gnome-shell                               x86_64 49.1-2.fc43             updates  13.9 MiB
 gnome-shell-extension-apps-menu           noarch 49.0-2.fc43             fedora   22.1 KiB
 gnome-shell-extension-common              noarch 49.0-2.fc43             fedora  615.4 KiB
 gnome-shell-extension-launch-new-instance noarch 49.0-2.fc43             fedora    1.4 KiB
 gnome-shell-extension-openweather         noarch 121-9.20240421git911737 fedora  575.4 KiB
 gnome-shell-extension-user-theme          noarch 49.0-2.fc43             fedora    7.3 KiB
 lxqt-panel                                x86_64 2.2.2-3.fc43            updates   5.6 MiB
 lxqt-panel-devel                          x86_64 2.2.2-3.fc43            updates  16.7 KiB
 lxqt-runner                               x86_64 2.2.0-2.fc43            fedora  420.4 KiB
 lxqt-x11-session                          noarch 2.2.0-5.fc43            fedora    6.2 KiB
 recoll-gssp                               x86_64 1.43.6-1.fc43           updates  24.5 KiB
 system-config-printer                     x86_64 1.5.18-16.fc43          fedora    1.8 MiB
 tigervnc-server                           x86_64 1.15.0-7.fc43           fedora  613.3 KiB
 tigervnc-server-minimal                   x86_64 1.15.0-7.fc43           fedora    2.9 MiB
 xpra                                      x86_64 1:6.3.4-1.fc43          updates  26.3 MiB
Removing unused dependencies:
 gnome-shell-common                        noarch 49.1-2.fc43             updates  16.4 KiB
 gnome-tour                                x86_64 48.1-3.fc43             fedora    2.4 MiB
 libgle                                    x86_64 3.1.0-36.fc43           fedora  138.8 KiB
 libstatgrab                               x86_64 1:0.92.1-14.fc43        fedora  140.2 KiB
 libsysstat                                x86_64 1.1.0-3.fc43            fedora  106.3 KiB
 log4cplus                                 x86_64 2.1.2-3.fc43            fedora    1.3 MiB
 lxqt-globalkeys                           x86_64 2.2.0-2.fc43            fedora  797.4 KiB
 lxqt-menu-data                            noarch 2.2.0-2.fc43            fedora  195.0 KiB
 python3-lz4                               x86_64 4.4.4-3.fc43            fedora    6.1 MiB
 python3-pam                               noarch 2.0.2-16.fc43           fedora   53.7 KiB
 python3-pydbus                            noarch 0.6.0-33.fc43           fedora  149.4 KiB
 qadwaitadecorations-qt5                   x86_64 0.1.7-2.fc43            updates 151.8 KiB
 qt6-qtwayland-adwaita-decoration          x86_64 6.10.0-2.fc43           updates 126.5 KiB
 tigervnc-selinux                          noarch 1.15.0-7.fc43           fedora   14.8 KiB
 xdg-desktop-portal-gnome                  x86_64 49.0-1.fc43             fedora  963.3 KiB
 xorg-x11-drv-dummy                        x86_64 0.4.1-7.fc43            fedora   29.1 KiB
 xscreensaver                              x86_64 1:6.12-3.fc43           fedora    0.0   B
 xscreensaver-base                         x86_64 1:6.12-3.fc43           fedora    1.7 MiB
 xscreensaver-extras                       x86_64 1:6.12-3.fc43           fedora   10.5 MiB
 xscreensaver-extras-base                  x86_64 1:6.12-3.fc43           fedora  684.0 KiB
 xscreensaver-gl-base                      x86_64 1:6.12-3.fc43           fedora   20.3 KiB
 xscreensaver-gl-extras                    x86_64 1:6.12-3.fc43           fedora   40.4 MiB

Transaction Summary:
 Removing:          44 packages

After this operation, 129 MiB will be freed (install 0 B, remove 129 MiB).
Is this ok [y/N]: n
Operation aborted by the user.

So I’m not sure what to do. Is my vncserver session not supposed to be running dbus-daemon, but instead using the dbus-broker bus that systemd --user starts? Should I just delete the 00-start-message-bus.sh file from the xinitrc.d directory, to prevent it from being started by Xvnc? And why did this only now change, in Fedora 43?
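The bus comparison above can be scripted. This is an added example, not part of the original post: it classifies which session bus a shell would reach from the two environment variables the debug output depends on. The function names and the four state labels are made up for illustration.

```shell
#!/bin/sh
# Added example: classify which session bus `systemctl --user` would reach,
# using only the two environment variables compared in the post above.

# Print the socket path of the first unix:path= entry in a D-Bus address list,
# e.g. "unix:path=/tmp/dbus-XXXX,guid=..." -> /tmp/dbus-XXXX.
# Abstract sockets and percent-escaped paths are not handled.
bus_socket_path() {
    printf '%s\n' "$1" | tr ';' '\n' |
        sed -n 's/^unix:\(.*,\)\{0,1\}path=\([^,]*\).*$/\2/p' | head -n 1
}

# classify_session_bus UID XDG_RUNTIME_DIR DBUS_SESSION_BUS_ADDRESS
#   user-bus      address is unset or is the systemd user bus socket
#   fallback-bus  no XDG_RUNTIME_DIR and the address is some other socket
#                 (the failing state in the post: systemctl cannot use
#                 $XDG_RUNTIME_DIR/systemd/private and falls back to it)
#   mixed         XDG_RUNTIME_DIR is set but D-Bus clients use another bus
#   none          neither variable is set
classify_session_bus() {
    csb_uid=$1 csb_runtime=$2 csb_address=$3
    csb_path=$(bus_socket_path "$csb_address")
    csb_expected="${csb_runtime:-/run/user/$csb_uid}/bus"
    if [ -z "$csb_runtime" ] && [ -z "$csb_address" ]; then
        echo none
    elif [ -z "$csb_address" ] || [ "$csb_path" = "$csb_expected" ]; then
        echo user-bus
    elif [ -z "$csb_runtime" ]; then
        echo fallback-bus
    else
        echo mixed
    fi
}

# Report on the shell this script is run from.
echo "session bus state: $(classify_session_bus "$(id -u)" \
    "${XDG_RUNTIME_DIR:-}" "${DBUS_SESSION_BUS_ADDRESS:-}")"
```

Run from a terminal inside the VNC desktop, the environment shown in the post yields `fallback-bus`.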

I tested TigerVNC with LXQt on a F43 VM and it works for me:

# Server
VNC_USER="${USER}"
VNC_PASSWD="12345678"
sudo dnf install tigervnc-server lxqt-x11-session lxqt-panel qterminal
sudo tee -a /etc/tigervnc/vncserver-config-defaults << EOF > /dev/null
session=lxqt
EOF
sudo tee -a /etc/tigervnc/vncserver.users << EOF > /dev/null
:3=${VNC_USER}
EOF
mkdir -p -Z ~/.config/tigervnc
vncpasswd -f << EOI > ~/.config/tigervnc/passwd
${VNC_PASSWD}
EOI
chmod go= ~/.config/tigervnc/passwd
sudo systemctl enable vncserver@:3.service
sudo systemctl restart vncserver@:3.service
sudo firewall-cmd --permanent --add-service=vnc-server
sudo firewall-cmd --reload

# Client
sudo dnf install gnome-connections
gnome-connections vnc://server:5903

You can try common workarounds:

If the issue persists, check the output:

systemctl --no-pager -n 0 status vncserver@:\*.service
journalctl --no-pager --no-hostname -b -u vncserver@:\*.service
head -v -n -0 ~/.local/state/tigervnc/*.log

Thanks for testing, @vgaetera , much appreciated.

My issue isn’t with tigervnc not working, exactly, though. Were you able to issue systemctl --user commands from a qterminal session running on the vncserver desktop? Did you happen to notice which D-Bus daemon(s) were running for your user session bus, under TigerVNC/LXQT?

Hmm. The other difference is that I have an xstartup script in my $HOME/.config/tigervnc/, probably a remnant of 20 years ago when such things were necessary. That file ends with exec /etc/X11/xinit/xinitrc, which could be the cause of the dbus-daemon launch. I’ll try ripping that out, see if it helps modernize things any.

FTR, removing xstartup made no difference whatsoever, I’m not even sure it was being used when it was there.

I did try creating a new account, which contains nothing but a .ssh directory, a minimal ~/.config/tigervnc/config file, and whatever files are automatically created by the session startup. The situation is exactly the same:

  1. I see two session bus managers running:
    • dbus-broker (running as root) started by /usr/bin/dbus-broker-launch
    • dbus-daemon (running as the new user) started by dbus-launch from xinit when the VNC server starts up
  2. DBUS_SESSION_BUS_ADDRESS contains a /tmp/dbus-* path
  3. systemctl --user from the vncserver desktop results in:
    Failed to list units: Process org.freedesktop.systemd1 exited with status 1
    

Ooh — I should also mention, in case it ends up being relevant, that I’m using a tunneled SSH session to access the vncserver. That means:

  1. No password or security configuration
  2. “localhost” in the config file
  3. No firewall changes
  4. The client connects using this script:
    #!/bin/sh
    export VNC_VIA_CMD='/usr/bin/ssh -f -L "$L":"$H":"$R" "$G" sleep 2'
    exec /usr/bin/vncviewer localhost:$N -via $SERVER_HOST -FullColor "$@"
    

I suppose it’s possible that establishing an ssh remote session, in the process of connecting to the VNC session, could be causing problems.

One interesting wrinkle: I SSH into the server as my regular user account, not the newly-created secondary account (ferdtest), even when accessing the ferdtest vncserver desktop. Which means that loginctl shows no trace of ferdtest being logged in. Even if I run the command as ferdtest from qterminal on the vncserver desktop, there’s no record of the session I’m (at least in theory) currently occupying!

$ whoami
ferdtest

$ loginctl list-users
 UID USER LINGER STATE 
   0 root no     active
1000 ferd no     active

2 users listed.

$ loginctl list-sessions
SESSION  UID USER SEAT LEADER CLASS         TTY   IDLE SINCE    
   3033 1000 ferd -    423286 user          -     no   -        
   3034 1000 ferd -    423291 manager       -     no   -        
   3937 1000 ferd -    548182 user          pts/0 no   -        
   3942    0 root -    550515 user-early    pts/1 yes  45min ago
   3943 1000 ferd -    549472 user          -     no   -        
   3948    0 root -    550519 manager-early -     no   -        
   3951 1000 ferd -    551002 user          pts/3 yes  31min ago
   3957 1000 ferd -    552287 user          -     no   -        

8 sessions listed.

$ who
ferd     sshd         2025-11-18 19:47 (fe80::REDACTED)
ferd     pts/3        2025-11-18 19:34 (fe80::REDACTED)
root     pts/1        2025-11-18 19:30
ferd     sshd         2025-11-18 19:18 (fe80::REDACTED)
ferd     pts/0        2025-11-18 19:09 (fe80::REDACTED)
ferd     sshd         2025-11-17 00:28 (fe80::REDACTED)

$ ps -ef |grep ferdtest
root      551519       1  0 19:40 ?        00:00:00 /usr/bin/vncsession ferdtest :2
ferdtest  551520  551519  0 19:40 ?        00:00:00 xinit /etc/X11/xinit/Xsession startlxqt -- /usr/bin/Xvnc :2 -localhost -securitytypes none -auth /home/ferdtest/.Xauthority -desktop kardbord:2 (ferdtest) -fp catalogue:/etc/X11/fontpath.d -pn -rfbauth /home/ferdtest/.config/tigervnc/passwd -rfbport 5902
ferdtest  551526  551520  0 19:40 ?        00:00:21 /usr/bin/Xvnc :2 -localhost -securitytypes none -auth /home/ferdtest/.Xauthority -desktop kardbord:2 (ferdtest) -fp catalogue:/etc/X11/fontpath.d -pn -rfbauth /home/ferdtest/.config/tigervnc/passwd -rfbport 5902
ferdtest  551529  551520  0 19:40 ?        00:00:00 lxqt-session
ferdtest  551538       1  0 19:40 ?        00:00:00 dbus-launch --sh-syntax --exit-with-session
ferdtest  551539       1  0 19:40 ?        00:00:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session
ferdtest  551565  551529  0 19:40 ?        00:00:00 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "startlxqt"
ferdtest  551605       1  0 19:40 ?        00:00:00 /usr/libexec/xdg-desktop-portal
ferdtest  551612       1  0 19:40 ?        00:00:00 /usr/libexec/xdg-permission-store
ferdtest  551618       1  0 19:40 ?        00:00:00 /usr/libexec/xdg-document-portal
root      551625  551618  0 19:40 ?        00:00:00 fusermount3 -o rw,nosuid,nodev,fsname=portal,auto_unmount,subtype=portal -- /home/ferdtest/.cache/doc
ferdtest  551638       1  0 19:40 ?        00:00:00 /usr/libexec/xdg-desktop-portal-gtk
ferdtest  551640  551529  0 19:40 ?        00:00:00 /usr/bin/openbox
ferdtest  551649       1  0 19:40 ?        00:00:00 /usr/libexec/gvfsd
ferdtest  551655       1  0 19:40 ?        00:00:00 /usr/libexec/gvfsd-fuse /home/ferdtest/.gvfs -f
ferdtest  551671  551529  0 19:40 ?        00:00:00 /usr/libexec/geoclue-2.0/demos/agent
ferdtest  551672  551529  0 19:40 ?        00:00:05 /usr/bin/pcmanfm-qt --desktop --profile=lxqt
ferdtest  551673  551529  0 19:40 ?        00:00:00 /usr/bin/lxqt-globalkeysd
ferdtest  551678  551529  0 19:40 ?        00:00:00 /usr/bin/lxqt-notificationd
ferdtest  551679  551529  0 19:40 ?        00:00:19 /usr/bin/lxqt-panel
ferdtest  551680  551529  0 19:40 ?        00:00:00 /usr/libexec/lxqt-policykit-agent
ferdtest  551681  551529  0 19:40 ?        00:00:00 /usr/bin/lxqt-runner
ferdtest  551683  551529  0 19:40 ?        00:00:00 /usr/bin/xscreensaver -no-splash
ferdtest  551685       1  0 19:40 ?        00:00:00 /usr/bin/abrt-applet --gapplication-service
ferdtest  551691  551683  0 19:40 ?        00:00:00 xscreensaver-systemd
ferdtest  551716  551649  0 19:40 ?        00:00:00 /usr/libexec/gvfsd-trash --spawner :1.8 /org/gtk/gvfs/exec_spaw/0
ferdtest  551733  551529  0 19:40 ?        00:00:00 /usr/libexec/evolution-data-server/evolution-alarm-notify
ferdtest  551735  551529  0 19:40 ?        00:00:00 /usr/bin/python3 /usr/share/system-config-printer/applet.py
ferdtest  551737  551529  0 19:40 ?        00:00:00 /usr/bin/python3 -Es /usr/bin/seapplet
ferdtest  551747       1  0 19:40 ?        00:00:00 /usr/libexec/dconf-service
ferdtest  551754       1  0 19:40 ?        00:00:00 /usr/libexec/gvfs-udisks2-volume-monitor
ferdtest  551777       1  0 19:40 ?        00:00:00 /usr/libexec/gvfs-mtp-volume-monitor
ferdtest  551788       1  0 19:40 ?        00:00:00 /usr/libexec/gvfs-goa-volume-monitor
ferdtest  551795       1  0 19:40 ?        00:00:00 /usr/libexec/goa-daemon
ferdtest  551802       1  0 19:40 ?        00:00:00 /usr/libexec/goa-identity-service
ferdtest  551805       1  0 19:40 ?        00:00:00 /usr/libexec/gvfs-gphoto2-volume-monitor
ferdtest  551823       1  0 19:40 ?        00:00:00 /usr/libexec/gvfs-afc-volume-monitor
ferdtest  551834       1  0 19:40 ?        00:00:00 /usr/libexec/evolution-source-registry
ferdtest  551879       1  0 19:40 ?        00:00:00 /usr/libexec/evolution-calendar-factory
ferdtest  551890       1  0 19:40 ?        00:00:00 /usr/libexec/evolution-addressbook-factory
ferdtest  551897       1  0 19:40 ?        00:00:00 /usr/libexec/gvfsd-metadata
ferdtest  552409  551529  0 19:48 ?        00:00:03 /usr/bin/qterminal
ferdtest  552412  552409  0 19:48 pts/4    00:00:00 /bin/bash
ferdtest  554582  552412 99 20:19 pts/4    00:00:00 ps -ef
ferdtest  554583  552412  0 20:19 pts/4    00:00:00 grep --color=auto ferdtest

Yes, it works.

> systemctl --user list-units dbus\* --legend=no
  dbus-broker.service loaded active running D-Bus User Message Bus       
  dbus.socket         loaded active running D-Bus User Message Bus Socket

You can easily verify this hypothesis by testing a direct VNC connection.

I don’t think dbus-daemon would show up in systemctl — it’s started by xinit as a fallback if it doesn’t have access to the user session bus. There’s no unit file for it, and by definition the systemd user session doesn’t register when it’s started.

But you were right about selinux, setting the system permissive allows the VNC desktops to access the systemd session bus and prevents them starting dbus-daemon. It looks like vncsession is getting blocked from accessing the list of processes:

$ sudo sealert -l 27f5f9b3-38db-4a69-9014-3e8697e1b53e
SELinux is preventing /usr/bin/vncsession from getattr access on the filesystem /.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that vncsession should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'vncsession' --raw | audit2allow -M my-vncsession
# semodule -X 300 -i my-vncsession.pp


Additional Information:
Source Context                system_u:system_r:vnc_session_t:s0
Target Context                system_u:object_r:pidfs_t:s0
Target Objects                / [ filesystem ]
Source                        vncsession
Source Path                   /usr/bin/vncsession
Port                          <Unknown>
Host                          kardbord
Source RPM Packages           tigervnc-server-1.15.0-7.fc43.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.15-1.fc43.noarch
Local Policy RPM              tigervnc-selinux-1.15.0-7.fc43.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     kardbord
Platform                      Linux kardbord 6.17.7-300.fc43.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sun Nov  2 15:30:09 UTC 2025
                              x86_64
Alert Count                   20
First Seen                    2025-11-07 09:40:03 EST
Last Seen                     2025-11-18 22:28:15 EST
Local ID                      27f5f9b3-38db-4a69-9014-3e8697e1b53e

Raw Audit Messages
type=AVC msg=audit(1763522895.525:1572): avc:  denied  { getattr } for  pid=9577 comm="vncsession" name="/" dev="pidfs" ino=1 scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:pidfs_t:s0 tclass=filesystem permissive=1


type=SYSCALL msg=audit(1763522895.525:1572): arch=x86_64 syscall=fstatfs success=yes exit=0 a0=5 a1=7ffe9998e4b0 a2=50494446 a3=0 items=0 ppid=1 pid=9577 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=44 comm=vncsession exe=/usr/bin/vncsession subj=system_u:system_r:vnc_session_t:s0 key=(null)

Hash: vncsession,vnc_session_t,pidfs_t,filesystem,getattr

I created a policy module with audit2allow and installed it, I’m going to reboot to see if everything comes up correctly with SELinux in enforcing mode now.

Yup, that did it. The added policy:

require {
	type pidfs_t;
	type vnc_session_t;
	class filesystem getattr;
}
#============= vnc_session_t ==============
allow vnc_session_t pidfs_t:filesystem getattr;

Guess I get to go open a bug report. Thanks @vgaetera !

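One way to review such a module before loading it, as an added example (not part of the original posts or of any Fedora tooling): `ausearch -c 'vncsession' --raw` selects every denial logged for that command name, so the generated `.te` file can carry more rules than the one that was inspected. The function names and the type `example_extra_t` are made up for illustration, and the parser assumes one `allow` rule per line.

```shell
#!/bin/sh
# Added example: check that a module produced by audit2allow contains only
# the rules backed by the AVC records that were actually reviewed.

# Constructed sample: the AVC record quoted in the post.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1763522895.525:1572): avc:  denied  { getattr } for  pid=9577 comm="vncsession" name="/" dev="pidfs" ino=1 scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:pidfs_t:s0 tclass=filesystem permissive=1
EOF
}

# Constructed sample: the policy from the post plus one extra rule
# (example_extra_t is a made-up type) standing in for an unrelated denial.
sample_te() {
    cat <<'EOF'
require {
    type pidfs_t;
    type vnc_session_t;
    class filesystem getattr;
}
#============= vnc_session_t ==============
allow vnc_session_t pidfs_t:filesystem getattr;
allow vnc_session_t example_extra_t:file { open read };
EOF
}

# Read raw audit records on stdin; print one normalized allow rule per
# denied permission: "allow <source_type> <target_type>:<class> <perm>;"
avc_to_rules() {
    awk '
    /avc:[ ]+denied/ {
        perms = ""; st = ""; tt = ""; cls = ""
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            # The type is the third field of user:role:type:level.
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); st = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tt = c[3] }
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        if (st == "" || tt == "" || cls == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print "allow " st " " tt ":" cls " " p[j] ";"
    }' | sort -u
}

# Read a .te file on stdin; print its allow rules in the same normalized
# form, expanding "{ a b }" permission sets to one rule per permission.
te_rules() {
    awk '
    /^[ \t]*allow[ \t]/ {
        line = $0
        gsub(/[{};]/, " ", line)
        n = split(line, f, " ")   # f[2]=source f[3]=target:class f[4..]=perms
        for (j = 4; j <= n; j++) print "allow " f[2] " " f[3] " " f[j] ";"
    }' | sort -u
}

# unreviewed_rules TE_FILE AUDIT_FILE
# Print rules present in the module that no record in AUDIT_FILE accounts for.
unreviewed_rules() {
    ur_expected=$(mktemp) || return 1
    avc_to_rules < "$2" > "$ur_expected"
    te_rules < "$1" | grep -Fxv -f "$ur_expected" || true
    rm -f "$ur_expected"
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
sample_avc > "$demo_dir/reviewed.log"
sample_te > "$demo_dir/module.te"
echo "Rules backed by the reviewed denial:"
avc_to_rules < "$demo_dir/reviewed.log"
echo "Rules in the module with no reviewed denial behind them:"
unreviewed_rules "$demo_dir/module.te" "$demo_dir/reviewed.log"
rm -rf "$demo_dir"
```

For a real check, save only the records you inspected to a file and compare it against the `my-vncsession.te` that `audit2allow -M my-vncsession` writes next to the `.pp`; an empty second list means the module grants nothing beyond them.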