(In reply to Zdenek Kubala from comment #8)
> (In reply to Alberto Planas Dominguez from comment #6)
> > So snapper should have permissions to access bootctl or something like that
>
> This AVC denial has been firstly reported in bsc#1224120 and I have been
> looking into that and also it can be reproduced even without TPM2
> `systemd-pcrlock` and FDE. So I would keep it separated and this unlink AVC
> handle in bsc#1224120.

Would it help if I copy the comment in the other bug?

Both bugs have the same root cause: the snapper plugin is calling sdbootutil in different stages: when the snapshot is created or deleted. In both cases bootctl is called, and if FDE is set, pcr-oracle or systemd-pcrlock is also called to add or remove files.

Would it be OK if all those fixes come together?