Comment # 8 on bug 1232527 from Danilo Spinella
(In reply to Johannes Segitz from comment #7)
> I can get boot counting to work with the image and then adding a
> boot loader entry like this:
> cp /boot/efi/loader/entries/opensuse-microos-6.11.8-1-default-2.conf /boot/efi/loader/entries/opensuse-microos-6.11.8-1-default-2+3.conf
> the "+3" activates boot counting for me when I boot this entry, but even
> then I don't see the denial. For me the service starts fine.

Does the entry get renamed? With the provided image, the boot counting should
be enabled after installing health-checker (because it provides
/etc/kernel/tries); enabling it manually works but makes me wonder what has
gone wrong. Also, I think that copying might confuse the boot counting, as
there is an entry with boot counting and another entry marked as good.

> 
> But in the end the denial you see makes sense and init should be able to
> manage files there. Please give the policy in
> https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELinux_bsc1232527/selinux-policy
> 
> transactional-update shell
> zypper ar -p 80 https://download.opensuse.org/repositories/home:/jsegitz:/branches:/security:/SELinux_bsc1232527/openSUSE_Factory/home:jsegitz:branches:security:SELinux_bsc1232527.repo
> zypper in --allow-vendor-change selinux-policy-targeted
> exit
> reboot

Thanks Johannes, I'll try it asap.

