I freshly installed Fedora 42 KDE Plasma Desktop Edition on my laptop a few days ago. After a while, I started getting a notification from SELinux Troubleshooter at every boot. However, it disappears so fast that I cannot quite catch it, and it does not persist in history.
Opening the app itself, I get the same three alerts each time:
First:
SELinux is preventing systemd-user-ru from write access on the directory dconf.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-user-ru should be allowed write access on the dconf directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp
Additional Information:
Source Context system_u:system_r:systemd_user_runtimedir_t:s0
Target Context system_u:object_r:config_home_t:s0
Target Objects dconf [ dir ]
Source systemd-user-ru
Source Path systemd-user-ru
Port <Unknown>
Host Hostname
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-41.37-1.fc42.noarch
Local Policy RPM selinux-policy-targeted-41.37-1.fc42.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name Hostname
Platform Linux Hostname 6.14.2-300.fc42.x86_64 #1 SMP
PREEMPT_DYNAMIC Thu Apr 10 21:50:55 UTC 2025
x86_64
Alert Count 1
First Seen 2025-04-21 01:19:14 +04
Last Seen 2025-04-21 01:19:14 +04
Local ID c690a6d5-af46-48f8-a547-353296905416
Raw Audit Messages
type=AVC msg=audit(1745183954.210:189): avc: denied { write } for pid=3368 comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=70 scontext=system_u:system_r:systemd_user_runtimedir_t:s0 tcontext=system_u:object_r:config_home_t:s0 tclass=dir permissive=1
Hash: systemd-user-ru,systemd_user_runtimedir_t,config_home_t,dir,write
Second:
SELinux is preventing systemd-user-ru from remove_name access on the directory user.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-user-ru should be allowed remove_name access on the user directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp
Additional Information:
Source Context system_u:system_r:systemd_user_runtimedir_t:s0
Target Context system_u:object_r:config_home_t:s0
Target Objects user [ dir ]
Source systemd-user-ru
Source Path systemd-user-ru
Port <Unknown>
Host Hostname
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-41.37-1.fc42.noarch
Local Policy RPM selinux-policy-targeted-41.37-1.fc42.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name Hostname
Platform Linux Hostname 6.14.2-300.fc42.x86_64 #1 SMP
PREEMPT_DYNAMIC Thu Apr 10 21:50:55 UTC 2025
x86_64
Alert Count 1
First Seen 2025-04-21 01:19:14 +04
Last Seen 2025-04-21 01:19:14 +04
Local ID 4bc4b566-cfb7-45d4-8f84-990b68d77afa
Raw Audit Messages
type=AVC msg=audit(1745183954.210:190): avc: denied { remove_name } for pid=3368 comm="systemd-user-ru" name="user" dev="tmpfs" ino=71 scontext=system_u:system_r:systemd_user_runtimedir_t:s0 tcontext=system_u:object_r:config_home_t:s0 tclass=dir permissive=1
Hash: systemd-user-ru,systemd_user_runtimedir_t,config_home_t,dir,remove_name
Third:
SELinux is preventing systemd-user-ru from rmdir access on the directory dconf.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-user-ru should be allowed rmdir access on the dconf directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp
Additional Information:
Source Context system_u:system_r:systemd_user_runtimedir_t:s0
Target Context system_u:object_r:config_home_t:s0
Target Objects dconf [ dir ]
Source systemd-user-ru
Source Path systemd-user-ru
Port <Unknown>
Host Hostname
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-41.37-1.fc42.noarch
Local Policy RPM selinux-policy-targeted-41.37-1.fc42.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name Hostname
Platform Linux Hostname 6.14.2-300.fc42.x86_64 #1 SMP
PREEMPT_DYNAMIC Thu Apr 10 21:50:55 UTC 2025
x86_64
Alert Count 1
First Seen 2025-04-21 01:19:14 +04
Last Seen 2025-04-21 01:19:14 +04
Local ID 383155d3-6432-44f1-ab34-433b720efc99
Raw Audit Messages
type=AVC msg=audit(1745183954.210:191): avc: denied { rmdir } for pid=3368 comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=70 scontext=system_u:system_r:systemd_user_runtimedir_t:s0 tcontext=system_u:object_r:config_home_t:s0 tclass=dir permissive=1
Hash: systemd-user-ru,systemd_user_runtimedir_t,config_home_t,dir,rmdir
I vaguely remember using rmdir on a folder in my home directory before these alerts started happening, but I am not sure if they are related.
This does not pose any usability issues, but I also don’t believe this is intended behavior.
System details:
- Operating System: Fedora Linux 42
- KDE Plasma Version: 6.3.4
- KDE Frameworks Version: 6.13.0
- Qt Version: 6.9.0
- Kernel Version: 6.14.2-300.fc42.x86_64 (64-bit)
- Graphics Platform: Wayland
- Processors: 16 × AMD Ryzen AI 7 PRO 360 w/ Radeon 880M
- Memory: 30.5 GiB of RAM
- Graphics Processor: AMD Radeon Graphics
- Manufacturer: LENOVO
- Product Name: 21M1001WUS
- System Version: ThinkPad T14s Gen 6
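
An added example, not part of the original post: a short Python parser run over the three raw AVC records quoted above. It groups them by source type, target type and object class, reports whether any of them was actually enforced (the records carry `permissive=1`), and renders the single allow rule the three alerts amount to, for review before any local module is loaded. The function names are this example's own.

```python
import re
from collections import defaultdict

# The three raw AVC records quoted in the post above.
AVC_LINES = [
    'type=AVC msg=audit(1745183954.210:189): avc: denied { write } for pid=3368 comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=70 scontext=system_u:system_r:systemd_user_runtimedir_t:s0 tcontext=system_u:object_r:config_home_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1745183954.210:190): avc: denied { remove_name } for pid=3368 comm="systemd-user-ru" name="user" dev="tmpfs" ino=71 scontext=system_u:system_r:systemd_user_runtimedir_t:s0 tcontext=system_u:object_r:config_home_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1745183954.210:191): avc: denied { rmdir } for pid=3368 comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=70 scontext=system_u:system_r:systemd_user_runtimedir_t:s0 tcontext=system_u:object_r:config_home_t:s0 tclass=dir permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type is field 3.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(lines):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set(), "blocked": False})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["names"].add(rec.get("name", "?"))
        # permissive=1: logged but allowed. Assumption of this example:
        # a record without the field is treated as enforced.
        g["blocked"] = g["blocked"] or rec.get("permissive") != "1"
    return dict(groups)

def as_allow_rules(groups):
    """Render each group as one type-enforcement allow rule for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in groups.items()]

if __name__ == "__main__":
    summary = summarize(AVC_LINES)
    for rule in as_allow_rules(summary):
        print(rule)
    print("any access actually blocked:", any(g["blocked"] for g in summary.values()))
```
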