
https://bugzilla.suse.com/show_bug.cgi?id=1232527
https://bugzilla.suse.com/show_bug.cgi?id=1232527#c8

--- Comment #8 from Danilo Spinella <danilo.spinella@suse.com> ---
(In reply to Johannes Segitz from comment #7)
> I can get boot counting to work with the image and then adding a boot loader entry like this:
> cp /boot/efi/loader/entries/opensuse-microos-6.11.8-1-default-2.conf /boot/efi/loader/entries/opensuse-microos-6.11.8-1-default-2+3.conf
> the "+3" activates boot counting for me when I boot this entry, but even then I don't see the denial. For me the service starts fine.
Does the entry get renamed? With the provided image, the boot counting should be enabled after installing health-checker (because it provides /etc/kernel/tries); enabling it manually works but makes me wonder what has gone wrong. Also, I think that copying might confuse the boot counting, as there is an entry with boot counting and another entry marked as good.
> But in the end the denial you see makes sense and init should be able to manage files there. Please give the policy in
> https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELinux_bsc1232527/selinux-policy
> a try
>
> transactional-update shell
> zypper ar -p 80 https://download.opensuse.org/repositories/home:/jsegitz:/branches:/security:/SELinux_bsc1232527/openSUSE_Factory/home:jsegitz:branches:security:SELinux_bsc1232527.repo
> zypper in --allow-vendor-change selinux-policy-targeted
> exit
> reboot
Thanks Johannes, I'll try it asap.