Bug 2461071 - selinux breaks session dbus-broker when used with ssh ("fifo_file")
Summary: selinux breaks session dbus-broker when used with ssh ("fifo_file")
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 44
Hardware: Unspecified
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2026-04-23 06:46 UTC by Marius Vollmer
Modified: 2026-04-23 11:03 UTC (History)
CC List: 7 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:
zpytela: mirror+



Description Marius Vollmer 2026-04-23 06:46:21 UTC
With our current fedora-44 CI image, I can observe this:

    $ ssh c "systemctl --machine=admin@"
    Warning: Permanently added '[127.0.0.2]:2201' (ED25519) to the list of known hosts.
    Failed to start transient service unit: Connection reset by peer
    Failed to start transient service unit: Transport endpoint is not connected

Here "c" is a virtual machine running the fedora-44 CI image.  When I log into the machine normally and then execute the same command in the shell, it works:

    $ ssh c
    Warning: Permanently added '[127.0.0.2]:2201' (ED25519) to the list of known hosts.
    Web console: https://fedora-44-127-0-0-2-2201:9090/

    Last login: Thu Apr 23 06:03:01 2026 from 172.27.0.2
    [root@fedora-44-127-0-0-2-2201 ~]# systemctl --machine=admin@
      UNIT                                                                                LOAD   ACTIVE SUB       DESCRIPTION                                                                  
      proc-sys-fs-binfmt_misc.automount                                                   loaded active running   Arbitrary Executable File Formats File System Automount Point     
    [...]

Without the "--machine admin@" or with "--machine root@", it also works as expected.

Here are the details from sealert:

    # sealert -l 81ca8426-05fc-42fe-977e-07c7e19c8ee5
    SELinux is preventing dbus-broker from write access on the fifo_file fifo_file.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that dbus-broker should be allowed write access on the fifo_file fifo_file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'dbus-broker' --raw | audit2allow -M my-dbusbroker
    # semodule -X 300 -i my-dbusbroker.pp


    Additional Information:
    Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
    Target Context                system_u:system_r:sshd_session_t:s0-s0:c0.c1023
    Target Objects                fifo_file [ fifo_file ]
    Source                        dbus-broker
    Source Path                   dbus-broker
    Port                          <Unknown>
    Host                          fedora-44-127-0-0-2-2201
    Source RPM Packages           
    Target RPM Packages           
    SELinux Policy RPM            selinux-policy-targeted-43.3-1.fc44.noarch
    Local Policy RPM              selinux-policy-targeted-43.3-1.fc44.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     fedora-44-127-0-0-2-2201
    Platform                      Linux fedora-44-127-0-0-2-2201
                                  6.19.10-300.fc44.x86_64 #1 SMP PREEMPT_DYNAMIC Wed
                                  Mar 25 18:23:49 UTC 2026 x86_64
    Alert Count                   3
    First Seen                    2026-04-23 06:02:07 UTC
    Last Seen                     2026-04-23 06:03:06 UTC
    Local ID                      81ca8426-05fc-42fe-977e-07c7e19c8ee5

    Raw Audit Messages
    type=AVC msg=audit(1776924186.837:537): avc:  denied  { write } for  pid=753 comm="dbus-broker" path="pipe:[19809]" dev="pipefs" ino=19809 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0


    Hash: dbus-broker,system_dbusd_t,sshd_session_t,fifo_file,write

The PID 753 is the system dbus-broker.


Reproducible: Always
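Added example (not part of the report or of selinux-policy): the raw AVC line above carries everything needed to see what the catchall workaround would grant. The script below takes that line (copied from the report as a constructed input) and turns it into the narrowest TE allow rule and the equivalent module source, which is roughly what the suggested `ausearch | audit2allow -M my-dbusbroker` pipeline writes out. The function names `avc_parse`, `avc_to_allow`, `avc_to_te_module` and `avc_enforced` are this example's own; the module name `my-dbusbroker` is taken from the sealert output. Note that the denied object is a pipe labeled `sshd_session_t`, so the resulting rule lets the system bus write to any pipe created by an ssh session, not just this one; a local module of this shape is a workaround, not a fix.

```shell
#!/bin/sh
# Constructed sample input: the raw AVC line quoted in the report above.
AVC_LINE='type=AVC msg=audit(1776924186.837:537): avc:  denied  { write } for  pid=753 comm="dbus-broker" path="pipe:[19809]" dev="pipefs" ino=19809 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0'

# avc_parse LINE: pull permissions, source type, target type and object class
# out of one raw AVC record into AVC_PERMS / AVC_STYPE / AVC_TTYPE / AVC_TCLASS.
# The type is the third colon-separated field of an SELinux context
# (user:role:type:range). Returns 1 if any field is missing.
avc_parse() {
  line=$1
  AVC_PERMS=$(printf '%s\n' "$line" | sed -n 's/.*denied  *{ \([^}]*\) }.*/\1/p' | sed 's/^ *//;s/ *$//')
  AVC_STYPE=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  AVC_TTYPE=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  AVC_TCLASS=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
  [ -n "$AVC_PERMS" ] && [ -n "$AVC_STYPE" ] && [ -n "$AVC_TTYPE" ] && [ -n "$AVC_TCLASS" ]
}

# avc_enforced LINE: succeed only if the denial was actually enforced
# (permissive=0), i.e. the operation really failed for the caller.
avc_enforced() {
  printf '%s\n' "$1" | grep -q 'permissive=0'
}

# avc_to_allow LINE: print the single TE allow rule that would silence this denial.
avc_to_allow() {
  avc_parse "$1" || return 1
  printf 'allow %s %s:%s { %s };\n' "$AVC_STYPE" "$AVC_TTYPE" "$AVC_TCLASS" "$AVC_PERMS"
}

# avc_to_te_module NAME LINE: print module source in the shape audit2allow -M
# produces (module header, require block, allow rule), ready for checkmodule.
avc_to_te_module() {
  name=$1
  avc_parse "$2" || return 1
  printf 'module %s 1.0;\n\n' "$name"
  printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
    "$AVC_STYPE" "$AVC_TTYPE" "$AVC_TCLASS" "$AVC_PERMS"
  printf '#============= %s ==============\n' "$AVC_STYPE"
  printf 'allow %s %s:%s { %s };\n' "$AVC_STYPE" "$AVC_TTYPE" "$AVC_TCLASS" "$AVC_PERMS"
}

# Usage: show what the workaround module for this report would contain.
if avc_enforced "$AVC_LINE"; then
  echo "denial was enforced; rule that would allow it:"
  avc_to_allow "$AVC_LINE"
  echo
  avc_to_te_module my-dbusbroker "$AVC_LINE"
fi
```

The printed `.te` source can be built and loaded with the same tools sealert names (`checkmodule -M -m -o my-dbusbroker.mod my-dbusbroker.te`, `semodule_package -o my-dbusbroker.pp -m my-dbusbroker.mod`, `semodule -X 300 -i my-dbusbroker.pp`). Before loading it, run the failing command once more under `setenforce 0` and re-check `ausearch -m AVC -ts recent`: a single allow rule only unblocks the first denial, and the next one in the same code path is not visible while enforcing.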

Comment 1 Marius Vollmer 2026-04-23 06:52:12 UTC
Ah, the versions.

selinux-policy-43.3-1.fc44.noarch

Comment 2 Marius Vollmer 2026-04-23 07:14:28 UTC
I can observe the same behavior with a VM running this image: https://download.fedoraproject.org/pub/fedora/linux/releases/test/44_Beta/Server/x86_64/images/Fedora-Server-Guest-Generic-44_Beta-1.2.x86_64.qcow2

It has selinux-policy-42.23-1.fc44.noarch

Comment 3 Marius Vollmer 2026-04-23 11:03:10 UTC
> $ ssh c "systemctl --machine=admin@"

I should say that this logs in as "root".

