Comment # 7 on bug 1224149 from Andrei Borzenkov
(In reply to Alberto Planas Dominguez from comment #6)
> 
> So snapper should have permissions to access bootctl or something like that

I have these overrides that eliminate all denials on MicroOS systemd-boot
image. Not sure how secure they are.

#============= snapperd_t ==============

allow snapperd_t dosfs_t:file unlink;
allow snapperd_t var_lib_t:file unlink;
allow snapperd_t init_exec_t:file { execute execute_no_trans };

#============= systemd_fstab_generator_t ==============

allow systemd_fstab_generator_t init_t:bpf { map_read map_write };

#============= systemd_gpt_generator_t ==============

allow systemd_gpt_generator_t init_t:bpf { map_read map_write };
