Bug 2359546

Summary: SELinux is preventing /usr/lib/systemd/systemd-user-runtime-dir from 'write' accesses on the directory /user.
Product: [Fedora] Fedora Reporter: Mikhail <mikhail.v.gavrilov>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: algonell, chplee, decathorpe, dwalsh, lvrabec, mikhail.v.gavrilov, mmalik, nixuser, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---Flags: zpytela: mirror+
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:586d3b46355baf9a564c26077d3eed507b5c8ed161e34802c53f95664c2e319b;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-41.38-1.fc42 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-04-23 01:48:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: description
none
File: os_info none

Description Mikhail 2025-04-14 16:39:01 UTC 
Description of problem:
SELinux is preventing /usr/lib/systemd/systemd-user-runtime-dir from 'write' accesses on the directory /user.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/user default label should be default_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /user

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that systemd-user-runtime-dir should be allowed write access on the user directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp

Additional Information:
Source Context                system_u:system_r:systemd_user_runtimedir_t:s0
Target Context                system_u:object_r:config_home_t:s0
Target Objects                /user [ dir ]
Source                        systemd-user-ru
Source Path                   /usr/lib/systemd/systemd-user-runtime-dir
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-257.5-2.fc43.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.37-1.fc43.noarch
Local Policy RPM              selinux-policy-targeted-41.37-1.fc43.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 6.14.0-01-
                              1e26c5e28ca5821a824e90dd359556f5e9e7b89f+ #6 SMP
                              PREEMPT_DYNAMIC Sat Apr 12 02:36:28 +05 2025
                              x86_64
Alert Count                   1
First Seen                    2025-04-14 19:01:51 +05
Last Seen                     2025-04-14 19:01:51 +05
Local ID                      0ee3858e-936e-4159-ad58-947e7eecefa5

Raw Audit Messages
type=AVC msg=audit(1744639311.767:222): avc:  denied  { write } for  pid=3984 comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=65 scontext=system_u:system_r:systemd_user_runtimedir_t:s0 tcontext=system_u:object_r:config_home_t:s0 tclass=dir permissive=1


type=AVC msg=audit(1744639311.767:222): avc:  denied  { remove_name } for  pid=3984 comm="systemd-user-ru" name="user" dev="tmpfs" ino=66 scontext=system_u:system_r:systemd_user_runtimedir_t:s0 tcontext=system_u:object_r:config_home_t:s0 tclass=dir permissive=1


type=SYSCALL msg=audit(1744639311.767:222): arch=x86_64 syscall=unlinkat success=yes exit=0 a0=5 a1=5599d77f6543 a2=0 a3=4 items=2 ppid=1 pid=3984 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir subj=system_u:system_r:systemd_user_runtimedir_t:s0 key=(null)

type=CWD msg=audit(1744639311.767:222): cwd=/

type=PATH msg=audit(1744639311.767:222): item=0 name=/ inode=65 dev=00:4f mode=040700 ouid=42 ogid=42 rdev=00:00 obj=system_u:object_r:config_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1744639311.767:222): item=1 name=user inode=66 dev=00:4f mode=0100600 ouid=42 ogid=42 rdev=00:00 obj=system_u:object_r:config_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: systemd-user-ru,systemd_user_runtimedir_t,config_home_t,dir,write

Version-Release number of selected component:
selinux-policy-targeted-41.37-1.fc43.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing /usr/lib/systemd/systemd-user-runtime-dir from 'write' accesses on the directory /user.
package:        selinux-policy-targeted-41.37-1.fc43.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.14.0-01-1e26c5e28ca5821a824e90dd359556f5e9e7b89f+
component:      selinux-policy
Comment 1 Mikhail 2025-04-14 16:39:03 UTC 
Created attachment 2084953 [details]
File: description
Comment 2 Mikhail 2025-04-14 16:39:05 UTC 
Created attachment 2084954 [details]
File: os_info
Comment 3 Zdenek Pytela 2025-04-14 20:59:10 UTC 
*** Bug 2359548 has been marked as a duplicate of this bug. ***
Comment 4 Zdenek Pytela 2025-04-14 20:59:23 UTC 
*** Bug 2359547 has been marked as a duplicate of this bug. ***
Comment 5 Zdenek Pytela 2025-04-16 16:58:53 UTC 
*** Bug 2360323 has been marked as a duplicate of this bug. ***
Comment 6 Zdenek Pytela 2025-04-16 17:05:14 UTC 
*** Bug 2360325 has been marked as a duplicate of this bug. ***
Comment 7 Zdenek Pytela 2025-04-17 07:42:51 UTC 
*** Bug 2360517 has been marked as a duplicate of this bug. ***
Comment 8 Fedora Update System 2025-04-21 08:44:13 UTC 
FEDORA-2025-c6621cb65e (selinux-policy-41.38-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-c6621cb65e
Comment 9 Fedora Update System 2025-04-22 01:45:27 UTC 
FEDORA-2025-c6621cb65e has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-c6621cb65e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-c6621cb65e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 10 Zdenek Pytela 2025-04-22 06:12:56 UTC 
*** Bug 2360953 has been marked as a duplicate of this bug. ***
Comment 11 Zdenek Pytela 2025-04-22 06:13:03 UTC 
*** Bug 2360954 has been marked as a duplicate of this bug. ***
Comment 12 Zdenek Pytela 2025-04-22 06:13:21 UTC 
*** Bug 2360910 has been marked as a duplicate of this bug. ***
Comment 13 Andrew Kreimer 2025-04-22 07:39:50 UTC 
Thanks, there are no errors/notifications since the update.
Comment 14 Fedora Update System 2025-04-23 01:48:21 UTC 
FEDORA-2025-c6621cb65e (selinux-policy-41.38-1.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.