I can get boot counting to work with the image and then adding a boot loader entry like this: cp /boot/efi/loader/entries/opensuse-microos-6.11.8-1-default-2.conf /boot/efi/loader/entries/opensuse-microos-6.11.8-1-default-2+3.conf the "+3" activates boot counting for me when I boot this entry, but even then I don't see the denial. For me the service starts fine. But in the end the denial you see makes sense and init should be able to manage files there. Please give the policy in https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELinux_bsc1232527/selinux-policy a try transactional-update shell zypper ar -p 80 https://download.opensuse.org/repositories/home:/jsegitz:/branches:/security:/SELinux_bsc1232527/openSUSE_Factory/home:jsegitz:branches:security:SELinux_bsc1232527.repo zypper in --allow-vendor-change selinux-policy-targeted exit reboot