What | Removed | Added |
---|---|---|
Status | NEW | CONFIRMED |
CC | aplanas@suse.com | |
Flags | needinfo?(gayane.osipyan@suse.com) |
I reproduced this issue. The problem is this: sdbootutil is adding a new snapper plugin in "/usr/lib/snapper/plugins/10-sdbootutil.snapper". This is a bash script that will be called by snapper when a new snapsot is created or removed, for example. When a snapshot gets removed, the plugin this calls '/usr/bin/sdbootutil remove-all-kernels "$num"', to clean the kernel and the boot loader entries from the image. If I execute the command from outside snapper, this works and the entry gets removed, but when is snapper the one that calls it, selinux complains. To fully reproduce it from the sdboot image that is in https://build.opensuse.org/package/show/devel:microos:images/openSUSE-MicroOS # After installation, install any package transactional-update pkg in emacs-nox # Lets assume that this created a new transaction with id "2" snapper ls # The new transaction should be the default, we switch back to "1" as default btrfs subvolume list -o /.snapshots btrfs subvolume set-default 258 /.snapshots # Now we can remove the snapshot snapper rm 2 This last command will trigger the remove-all-kernels, that fails with: bootctl unlink opensuse-microos-6.9.3-1-default-2.conf opensuse-microos-6.9.3-1-default-2.conf is the default boot entry Failed to remove "/boot/efi/loader/entries/opensuse-microos-6.9.3-1-default-2.conf": Permission denied You can see in the selinux side this: semodule -DB ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot ---- time->Wed Jun 5 20:04:56 2024 type=AVC msg=audit(1717610696.275:408): avc: denied { unlink } for pid=9576 comm="bootctl" name="opensuse-microos-6.9.3-1-default-2.conf" dev="vda2" ino=59 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0 So snapper should have permissions to access bootctl or something like that