(In reply to Alberto Planas Dominguez from comment #6)
> > So snapper should have permissions to access bootctl or something like that

I have these overrides that eliminate all denials on MicroOS systemd-boot image. Not sure how secure they are.

#============= snapperd_t ==============
allow snapperd_t dosfs_t:file unlink;
allow snapperd_t var_lib_t:file unlink;
allow snapperd_t init_exec_t:file { execute execute_no_trans };

#============= systemd_fstab_generator_t ==============
allow systemd_fstab_generator_t init_t:bpf { map_read map_write };

#============= systemd_gpt_generator_t ==============
allow systemd_gpt_generator_t init_t:bpf { map_read map_write };