Comment # 3 on bug 1224120 from Andrei Borzenkov
There are more snapper denials related to using systemd-pcrlock. They do not
cause failures, but they do mean stale pcrlock definitions are left cluttering
the policy. I use local policy override for earlier reported dosfs_t.

Operating System: openSUSE MicroOS
10:~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
10:~ # zypper info selinux-policy
Loading repository data...
Reading installed packages...


Information for package selinux-policy:
---------------------------------------
Repository     : openSUSE-Tumbleweed-Oss
Name           : selinux-policy
Version        : 20240321-1.2
Arch           : noarch
Vendor         : openSUSE
Installed Size : 24.8 KiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : selinux-policy-20240321-1.2.src
Upstream URL   : https://github.com/fedora-selinux/selinux-policy.git
Summary        : SELinux policy configuration
Description    : 
    SELinux Reference Policy. A complete SELinux policy that can be used
    as the system policy for a variety of systems and used as the basis for
    creating other policies.

10:~ # rpm -q sdbootutil
sdbootutil-1+git20240506.573a6a4-1.1.x86_64
10:~ # rpm -qf /usr/lib/systemd/systemd-pcrlock 
systemd-experimental-255.4-3.1.x86_64
10:~ # ls -l /etc/systemd/tpm2-pcr-public-key.pem /etc/systemd/tpm2-pcr-private-key.pem
ls: cannot access '/etc/systemd/tpm2-pcr-public-key.pem': No such file or directory
ls: cannot access '/etc/systemd/tpm2-pcr-private-key.pem': No such file or directory
10:~ # 

sdbootutil defaults to systemd-pcrlock if it is present and no previous keypair
for the signed policy is present.


10:~ # systemctl start snapper-cleanup.service
10:~ # semodule -B
10:~ # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:137): avc:  denied  { unlink } for  pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62896 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:138): avc:  denied  { unlink } for  pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62888 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:139): avc:  denied  { unlink } for  pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62892 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:140): avc:  denied  { unlink } for  pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62890 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:141): avc:  denied  { unlink } for  pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62894 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:142): avc:  denied  { unlink } for  pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62900 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:143): avc:  denied  { unlink } for  pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62898 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:144): avc:  denied  { unlink } for  pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62902 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:145): avc:  denied  { unlink } for  pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62904 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:146): avc:  denied  { unlink } for  pid=1436 comm="rm" name="641-sdboot-loader-conf.pcrlock" dev="dm-0" ino=62905 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:147): avc:  denied  { unlink } for  pid=1436 comm="rm" name="linux-1.pcrlock" dev="dm-0" ino=62907 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:148): avc:  denied  { unlink } for  pid=1436 comm="rm" name="cmdline-1.pcrlock" dev="dm-0" ino=62911 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:149): avc:  denied  { unlink } for  pid=1436 comm="rm" name="cmdline-2.pcrlock" dev="dm-0" ino=62913 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:150): avc:  denied  { unlink } for  pid=1436 comm="rm" name="cmdline-initrd-1.pcrlock" dev="dm-0" ino=62909 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:151): avc:  denied  { unlink } for  pid=1436 comm="rm" name="cmdline-initrd-2.pcrlock" dev="dm-0" ino=62912 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
10:~ # systemctl status --no-pager --full snapper-cleanup.service
○ snapper-cleanup.service - Daily Cleanup of Snapper Snapshots
     Loaded: loaded (/usr/lib/systemd/system/snapper-cleanup.service; static)
     Active: inactive (dead) since Sun 2024-05-12 08:27:24 MSK; 1min 24s ago
   Duration: 4.244s
TriggeredBy: ● snapper-cleanup.timer
       Docs: man:snapper(8)
             man:snapper-configs(5)
    Process: 1405 ExecStart=/usr/lib/snapper/systemd-helper --cleanup (code=exited, status=0/SUCCESS)
   Main PID: 1405 (code=exited, status=0/SUCCESS)
        CPU: 47ms

May 12 08:27:20 10.0.2.15 systemd[1]: Started Daily Cleanup of Snapper Snapshots.
May 12 08:27:20 10.0.2.15 systemd-helper[1405]: running cleanup for 'root'.
May 12 08:27:20 10.0.2.15 systemd-helper[1405]: running number cleanup for 'root'.
May 12 08:27:24 10.0.2.15 systemd-helper[1405]: running timeline cleanup for 'root'.
May 12 08:27:24 10.0.2.15 systemd-helper[1405]: running empty-pre-post cleanup for 'root'.
May 12 08:27:24 10.0.2.15 systemd[1]: snapper-cleanup.service: Deactivated successfully.
10:~ #
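A triage helper for denials like the ones in this comment, added here as an example (it is not part of the comment, of snapper, or of the selinux-policy project): it parses raw AVC records and collapses them to the unique source-type/target-type/class/permission tuples a policy maintainer needs, together with the object names hit, so fifteen near-identical unlink denials reduce to one line. The three sample records are copied from the ausearch output above; everything else (function names, regexes) is this example's own.

```python
import re
from collections import defaultdict

# Three of the fifteen AVC records quoted in the comment (sample input for this
# example; the remaining records differ only in inode number and file name).
SAMPLE_AVCS = """\
type=AVC msg=audit(1715491641.667:137): avc:  denied  { unlink } for  pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62896 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1715491641.670:146): avc:  denied  { unlink } for  pid=1436 comm="rm" name="641-sdboot-loader-conf.pcrlock" dev="dm-0" ino=62905 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1715491641.670:147): avc:  denied  { unlink } for  pid=1436 comm="rm" name="linux-1.pcrlock" dev="dm-0" ino=62907 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { unlink } for  pid=... comm=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def selinux_type(context):
    """system_u:system_r:snapperd_t:s0 -> snapperd_t (the third colon field)."""
    return context.split(":")[2]

def summarize(log_text):
    """Collapse AVC denials to unique (source type, target type, class, perm)
    keys, keeping the hit count and the set of object names seen for each."""
    summary = defaultdict(lambda: {"count": 0, "names": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:          # a record may list several permissions
            key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]),
                   rec["tclass"], perm)
            summary[key]["count"] += 1
            summary[key]["names"].add(rec.get("name", "?"))
    return dict(summary)

if __name__ == "__main__":
    for (src, tgt, cls, perm), info in summarize(SAMPLE_AVCS).items():
        print(f"{src} -> {tgt} ({cls}:{perm}) x{info['count']}: {sorted(info['names'])}")
```

On a live system feed it `ausearch -m AVC -ts boot` instead of the sample; each summary line is the tuple to check against `sesearch` or to report to the policy package, since an unlink denial on the snapshot's copy of these files leaves stale pcrlock definitions behind rather than failing the cleanup outright.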

