Alberto Planas Dominguez changed bug 1224149
What     Removed   Added
Status   NEW       CONFIRMED
CC                 aplanas@suse.com
Flags              needinfo?(gayane.osipyan@suse.com)

Comment # 6 on bug 1224149 from Alberto Planas Dominguez
I reproduced this issue. The problem is this: sdbootutil is adding a new
snapper plugin in "/usr/lib/snapper/plugins/10-sdbootutil.snapper". This is a
bash script that will be called by snapper when a new snapshot is created or
removed, for example.

When a snapshot gets removed, the plugin calls '/usr/bin/sdbootutil
remove-all-kernels "$num"' to clean the kernel and the boot loader entries
from the image.

If I execute the command from outside snapper, this works and the entry gets
removed, but when snapper is the one that calls it, SELinux complains.

To fully reproduce it from the sdboot image that is in
https://build.opensuse.org/package/show/devel:microos:images/openSUSE-MicroOS

# After installation, install any package
transactional-update pkg in emacs-nox

# Lets assume that this created a new transaction with id "2"
snapper ls

# The new transaction should be the default, we switch back to "1" as default
btrfs subvolume list -o /.snapshots
btrfs subvolume set-default 258 /.snapshots

# Now we can remove the snapshot
snapper rm 2

This last command will trigger remove-all-kernels, which fails with:

bootctl unlink opensuse-microos-6.9.3-1-default-2.conf
opensuse-microos-6.9.3-1-default-2.conf is the default boot entry
Failed to remove
"/boot/efi/loader/entries/opensuse-microos-6.9.3-1-default-2.conf": Permission
denied

You can see this on the SELinux side:

semodule -DB
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot

----
time->Wed Jun  5 20:04:56 2024
type=AVC msg=audit(1717610696.275:408): avc:  denied  { unlink } for  pid=9576
comm="bootctl" name="opensuse-microos-6.9.3-1-default-2.conf" dev="vda2" ino=59
scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0
tclass=file permissive=0


So snapper should have permissions to access bootctl or something like that
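The AVC record quoted in this comment says exactly what was denied: a process in the snapperd_t domain (comm="bootctl", so bootctl ran without a domain transition) tried to unlink a file labelled dosfs_t on the EFI partition. The following Python script is an added example, not part of the bug report or of sdbootutil or snapper: it parses AVC records such as the one above, groups the denied permissions by (source type, target type, class), and renders the minimal allow rules and a .te policy module, which is the same derivation audit2allow performs. The second record (AVC_CONSTRUCTED) is constructed only to show how permissions for the same triple are merged; the module name is an assumption.

```python
import re
from collections import defaultdict

# AVC record from the bug comment above (ausearch output, joined onto one line).
AVC_SAMPLE = (
    'type=AVC msg=audit(1717610696.275:408): avc:  denied  { unlink } for  pid=9576 '
    'comm="bootctl" name="opensuse-microos-6.9.3-1-default-2.conf" dev="vda2" ino=59 '
    'scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 '
    'tclass=file permissive=0'
)

# Constructed second record (not from the bug) to show how permissions for the
# same source/target/class triple are merged into one rule.
AVC_CONSTRUCTED = (
    'type=AVC msg=audit(1717610696.275:409): avc:  denied  { read } for  pid=9576 '
    'comm="bootctl" name="opensuse-microos-6.9.3-1-default-2.conf" dev="vda2" ino=59 '
    'scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 '
    'tclass=file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type component of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC audit record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'result': m.group('result'),
        'perms': sorted(m.group('perms').split()),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': type_of(fields['scontext']),
        'target_type': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        # permissive=1 means the access was only logged, not blocked
        'permissive': fields.get('permissive') == '1',
    }


def allow_rule(rec):
    """Render the minimal allow rule that would satisfy one parsed denial."""
    return (f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} "
            f"{{ {' '.join(rec['perms'])} }};")


def merge_denials(lines):
    """Group denied permissions by (source type, target type, class)."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            merged[key].update(rec['perms'])
    return merged


def policy_module(name, lines):
    """Build .te policy module source from a set of AVC records."""
    merged = merge_denials(lines)
    types = sorted({t for (s, tt, _) in merged for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in merged.items():
        classes[cls].update(perms)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'    type {t};' for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, tt, cls), perms in sorted(merged.items()):
        out.append(f"allow {s} {tt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Hypothetical module name; review the output before building and loading it.
    print(policy_module('snapperd_bootctl', [AVC_SAMPLE, AVC_CONSTRUCTED]))
```

For the record in this comment the script yields `allow snapperd_t dosfs_t:file { unlink };`. A module built from it (checkmodule -M -m, semodule_package, semodule -i) lets any snapperd_t process unlink any dosfs_t file, which is broader than "bootctl may remove one boot entry"; whether that rule, or a domain transition for bootctl, is the right fix is a policy decision to review rather than something to load blindly from the denial.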