https://bugzilla.suse.com/show_bug.cgi?id=1224149
https://bugzilla.suse.com/show_bug.cgi?id=1224149#c9
--- Comment #9 from Alberto Planas Dominguez
(In reply to Alberto Planas Dominguez from comment #6)
So snapper should have permissions to access bootctl or something like that
This AVC denial was first reported in bsc#1224120 and I have been looking into that, and it can also be reproduced even without TPM2 `systemd-pcrlock` and FDE. So I would keep it separate and handle this unlink AVC in bsc#1224120.
Would it help if I copy the comment to the other bug? Both bugs have the same root cause: the snapper plugin is calling sdbootutil in different stages: when the snapshot is created or deleted. In both cases bootctl is called, and if FDE is set, pcr-oracle or systemd-pcrlock is also called to add or remove files. Would it be OK if all those fixes come together?