There are more snapper denials related to using systemd-pcrlock. They do not cause failures, but they do mean stale pcrlock definitions are left cluttering the policy. I use a local policy override for the earlier reported dosfs_t.

Operating System: openSUSE MicroOS

10:~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

10:~ # zypper info selinux-policy
Loading repository data...
Reading installed packages...

Information for package selinux-policy:
---------------------------------------
Repository     : openSUSE-Tumbleweed-Oss
Name           : selinux-policy
Version        : 20240321-1.2
Arch           : noarch
Vendor         : openSUSE
Installed Size : 24.8 KiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : selinux-policy-20240321-1.2.src
Upstream URL   : https://github.com/fedora-selinux/selinux-policy.git
Summary        : SELinux policy configuration
Description    :
    SELinux Reference Policy.
    A complete SELinux policy that can be used as the system policy for a
    variety of systems and used as the basis for creating other policies.

10:~ # rpm -q sdbootutil
sdbootutil-1+git20240506.573a6a4-1.1.x86_64

10:~ # rpm -qf /usr/lib/systemd/systemd-pcrlock
systemd-experimental-255.4-3.1.x86_64

10:~ # ls -l /etc/systemd/tpm2-pcr-public-key.pem /etc/systemd/tpm2-pcr-private-key.pem
ls: cannot access '/etc/systemd/tpm2-pcr-public-key.pem': No such file or directory
ls: cannot access '/etc/systemd/tpm2-pcr-private-key.pem': No such file or directory

sdbootutil defaults to systemd-pcrlock if it is present and no previous keypair for the signed policy is present.

10:~ # systemctl start snapper-cleanup.service
10:~ # semodule -B
10:~ # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:137): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62896 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:138): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62888 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:139): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62892 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:140): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62890 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:141): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62894 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:142): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62900 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:143): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62898 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:144): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62902 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:145): avc: denied { unlink } for pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62904 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:146): avc: denied { unlink } for pid=1436 comm="rm" name="641-sdboot-loader-conf.pcrlock" dev="dm-0" ino=62905 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:147): avc: denied { unlink } for pid=1436 comm="rm" name="linux-1.pcrlock" dev="dm-0" ino=62907 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:148): avc: denied { unlink } for pid=1436 comm="rm" name="cmdline-1.pcrlock" dev="dm-0" ino=62911 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:149): avc: denied { unlink } for pid=1436 comm="rm" name="cmdline-2.pcrlock" dev="dm-0" ino=62913 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:150): avc: denied { unlink } for pid=1436 comm="rm" name="cmdline-initrd-1.pcrlock" dev="dm-0" ino=62909 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:151): avc: denied { unlink } for pid=1436 comm="rm" name="cmdline-initrd-2.pcrlock" dev="dm-0" ino=62912 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

10:~ # systemctl status --no-pager --full snapper-cleanup.service
○ snapper-cleanup.service - Daily Cleanup of Snapper Snapshots
     Loaded: loaded (/usr/lib/systemd/system/snapper-cleanup.service; static)
     Active: inactive (dead) since Sun 2024-05-12 08:27:24 MSK; 1min 24s ago
   Duration: 4.244s
TriggeredBy: ● snapper-cleanup.timer
       Docs: man:snapper(8)
             man:snapper-configs(5)
    Process: 1405 ExecStart=/usr/lib/snapper/systemd-helper --cleanup (code=exited, status=0/SUCCESS)
   Main PID: 1405 (code=exited, status=0/SUCCESS)
        CPU: 47ms

May 12 08:27:20 10.0.2.15 systemd[1]: Started Daily Cleanup of Snapper Snapshots.
May 12 08:27:20 10.0.2.15 systemd-helper[1405]: running cleanup for 'root'.
May 12 08:27:20 10.0.2.15 systemd-helper[1405]: running number cleanup for 'root'.
May 12 08:27:24 10.0.2.15 systemd-helper[1405]: running timeline cleanup for 'root'.
May 12 08:27:24 10.0.2.15 systemd-helper[1405]: running empty-pre-post cleanup for 'root'.
May 12 08:27:24 10.0.2.15 systemd[1]: snapper-cleanup.service: Deactivated successfully.
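The fifteen records above all collapse to a single access vector (snapperd_t unlinking var_lib_t files), which is what decides whether a local policy module is one line or many. The following is an added example, not code from the report or from the selinux-policy project: a small Python triage script that parses AVC records in the shape ausearch prints them, groups denials by (source type, target type, class, permissions), lists the affected file names, and emits the allow rule audit2allow would propose for each group. The three sample records are constructed from the denials in this report, trimmed to three lines; they are not the full ausearch output. Whether the broad allow rule is the right fix, rather than giving the pcrlock files a more specific label, is a judgement call this script deliberately leaves to the reader.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records modelled on the denials in this
# report (not the full ausearch output). Real input would be the lines of
# `ausearch -m AVC -ts boot`; the "----" and "time->" separators are ignored.
SAMPLE_AVC = """\
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.667:137): avc:  denied  { unlink } for  pid=1436 comm="rm" name="generated.pcrlock" dev="dm-0" ino=62896 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:146): avc:  denied  { unlink } for  pid=1436 comm="rm" name="641-sdboot-loader-conf.pcrlock" dev="dm-0" ino=62905 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Sun May 12 08:27:21 2024
type=AVC msg=audit(1715491641.670:147): avc:  denied  { unlink } for  pid=1436 comm="rm" name="linux-1.pcrlock" dev="dm-0" ino=62907 scontext=system_u:system_r:snapperd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

# "avc: denied { perm1 perm2 } for key=value ..." -- tolerant of the
# variable whitespace the kernel and ausearch emit.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$'
)
# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"),
           "perms": tuple(sorted(m.group("perms").split()))}
    for key, val in KV_RE.findall(m.group("kv")):
        rec[key] = val.strip('"')
    return rec


def type_of(ctx):
    """user:role:type[:level] -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def summarize(text):
    """Group denials by (source type, target type, class, perms)."""
    groups = defaultdict(lambda: {"count": 0, "names": set(), "comms": set(),
                                  "enforced": True})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]),
               rec["tclass"], rec["perms"])
        g = groups[key]
        g["count"] += 1
        g["names"].add(rec.get("name", "?"))
        g["comms"].add(rec.get("comm", "?"))
        # permissive=1 means the access was logged but actually allowed.
        if rec.get("permissive") == "1":
            g["enforced"] = False
    return dict(groups)


def allow_rules(groups):
    """The TE allow statements audit2allow would propose for these groups."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
                  for (s, t, c, p) in groups)


if __name__ == "__main__":
    groups = summarize(SAMPLE_AVC)
    for (s, t, c, p), g in sorted(groups.items()):
        print(f"{s} -> {t}:{c} {{ {' '.join(p)} }}  x{g['count']}"
              f"  comm={sorted(g['comms'])}  enforced={g['enforced']}")
        for name in sorted(g["names"]):
            print(f"    {name}")
    print("\n".join(allow_rules(groups)))
```

Run against the real output by feeding `ausearch -m AVC -ts boot` into `summarize()`; one group with many file names, as here, is the signature of a labelling gap on a directory (all the pcrlock files carry the generic var_lib_t label) rather than fifteen separate problems.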