[Bug 1228380] [SELinux] extreme grub error flood, grub2-mkrelpath and grub2-script-check
https://bugzilla.suse.com/show_bug.cgi?id=1228380
https://bugzilla.suse.com/show_bug.cgi?id=1228380#c7

--- Comment #7 from pallas wept <pallaswept@proton.me> ---
(In reply to Cathy Hu from comment #6)
> does `ls -alZ /usr/lib/snapper/plugins/grub` show you snapper_grub_plugin_exec_t as type?

It wasn't! You're a genius.

> if not try `touch /.autorelabel` and reboot and check if AVCs are still there.

That's fixed it. I'm sure I did this during installation; it was in the instructions, it took a long time, and I was sweating the whole time. I could not forget it :D

> also, could you please attach the AVCs? thanks a lot!
I'm sorry, I'm a bit noob at this; would you mind telling me the command to get the file to attach? I was going to attach the output of `sudo ausearch -m AVC,USER_AVC -c snapper -c grub >~/Desktop/ausearch.txt`. It's ~7MB and I feel like maybe I'm doing it wrong; perhaps there's a way to filter out all the dupes? I could filter it to just today, and that will capture all the different states.

While I have been writing this, I have noticed a new grub-/snapper-related message which has appeared since the relabel. This shows the two messages which I reported here, then it stops when I added that module earlier, then just before 19:17, I remove it, touch /.autorelabel, and reboot. Since then I am seeing bursts of the last alert over and over:

----
time->Thu Aug 1 13:00:06 2024
type=AVC msg=audit(1722481206.970:1967): avc: denied { execute_no_trans } for pid=48339 comm="grub" path="/usr/bin/grub2-mkrelpath" dev="nvme0n1p2" ino=4261726 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
----
time->Thu Aug 1 13:00:06 2024
type=AVC msg=audit(1722481206.970:1968): avc: denied { execute_no_trans } for pid=48342 comm="grub" path="/usr/bin/grub2-script-check" dev="nvme0n1p2" ino=4261732 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
----
time->Thu Aug 1 19:17:34 2024
type=AVC msg=audit(1722503854.212:204): avc: denied { search } for pid=14253 comm="grub" name="nscd" dev="tmpfs" ino=4234 scontext=system_u:system_r:snapper_grub_plugin_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir permissive=0
----
time->Thu Aug 1 19:17:34 2024
type=AVC msg=audit(1722503854.212:205): avc: denied { search } for pid=14253 comm="grub" name="nscd" dev="tmpfs" ino=4234 scontext=system_u:system_r:snapper_grub_plugin_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir permissive=0
----

This looks different, is less in volume, and the original two messages are gone. Should I file a new bug for that?

-- 
You are receiving this mail because: You are on the CC list for the bug.
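The comment above asks how to strip the duplicates out of a multi-megabyte `ausearch` dump. The script below is an added example written for this thread, not code from the reporter, from Cathy Hu or from SUSE's snapper/SELinux packages. It parses the raw text that `ausearch -m AVC,USER_AVC ...` prints, keys every `type=AVC` record on its verdict, permission set, `comm`, target path or name, and source/target contexts (deliberately ignoring pid, inode and audit serial, which differ on every repeat), counts how often each unique denial occurred and keeps its first and last timestamp. The `since` cutoff (epoch seconds) is an assumed stand-in for the "just today" filter. The embedded sample is the four records quoted in the comment plus one constructed duplicate of the first, so the de-duplication is visible; timestamps are printed in UTC, while the `time->` lines in the comment are in the reporter's local zone.

```python
"""De-duplicate and summarise SELinux AVC records from `ausearch` output.

Added example for this bug thread (not the reporter's or SUSE's code).
Reads the text printed by `ausearch -m AVC,USER_AVC ...`, groups identical
denials, counts them and reports when each was first and last seen.
"""
import re
import sys
from collections import OrderedDict
from datetime import datetime, timezone

# Matches `audit(<epoch>.<ms>:<serial>): avc: denied { perm ... }`.
HEADER_RE = re.compile(
    r"audit\((?P<ts>\d+)\.\d+:\d+\): avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}"
)
# key=value pairs; values are either "quoted" or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the four records quoted in the bug comment, plus one
# constructed repeat of the grub2-mkrelpath denial one minute later.
SAMPLE = """\
----
time->Thu Aug 1 13:00:06 2024
type=AVC msg=audit(1722481206.970:1967): avc: denied { execute_no_trans } for pid=48339 comm="grub" path="/usr/bin/grub2-mkrelpath" dev="nvme0n1p2" ino=4261726 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
----
time->Thu Aug 1 13:00:06 2024
type=AVC msg=audit(1722481206.970:1968): avc: denied { execute_no_trans } for pid=48342 comm="grub" path="/usr/bin/grub2-script-check" dev="nvme0n1p2" ino=4261732 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
----
time->Thu Aug 1 19:17:34 2024
type=AVC msg=audit(1722503854.212:204): avc: denied { search } for pid=14253 comm="grub" name="nscd" dev="tmpfs" ino=4234 scontext=system_u:system_r:snapper_grub_plugin_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir permissive=0
----
time->Thu Aug 1 19:17:34 2024
type=AVC msg=audit(1722503854.212:205): avc: denied { search } for pid=14253 comm="grub" name="nscd" dev="tmpfs" ino=4234 scontext=system_u:system_r:snapper_grub_plugin_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir permissive=0
----
time->Thu Aug 1 13:01:06 2024
type=AVC msg=audit(1722481266.970:1990): avc: denied { execute_no_trans } for pid=48400 comm="grub" path="/usr/bin/grub2-mkrelpath" dev="nvme0n1p2" ino=4261726 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
"""


def parse_avc(line):
    """Return a dict for one `type=AVC ...` record, or None for any other line."""
    if not line.startswith("type=AVC"):
        return None
    head = HEADER_RE.search(line)
    if head is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["ts"] = float(head.group("ts"))
    rec["verdict"] = head.group("verdict")
    rec["perms"] = tuple(sorted(head.group("perms").split()))
    # Files carry path=...; directories and sockets usually only name=...
    rec["target"] = rec.get("path", rec.get("name", "?"))
    return rec


def dedupe_avcs(text, since=None):
    """Group identical denials, ignoring pid/inode/serial; `since` is an epoch cutoff."""
    groups = OrderedDict()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or (since is not None and rec["ts"] < since):
            continue
        key = (rec["verdict"], rec["perms"], rec.get("comm"), rec["target"],
               rec.get("scontext"), rec.get("tcontext"), rec.get("tclass"))
        g = groups.get(key)
        if g is None:
            g = {"verdict": rec["verdict"], "perms": rec["perms"],
                 "comm": rec.get("comm"), "target": rec["target"],
                 "scontext": rec.get("scontext"), "tcontext": rec.get("tcontext"),
                 "tclass": rec.get("tclass"), "count": 0,
                 "first": rec["ts"], "last": rec["ts"]}
            groups[key] = g
        g["count"] += 1
        g["first"] = min(g["first"], rec["ts"])
        g["last"] = max(g["last"], rec["ts"])
    return list(groups.values())


def _utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def format_report(groups):
    """One line per unique denial, most frequent first."""
    out = []
    for g in sorted(groups, key=lambda g: -g["count"]):
        out.append(
            f"{g['count']:5d}x {g['verdict']} {{ {' '.join(g['perms'])} }} "
            f"comm={g['comm']} target={g['target']} "
            f"{g['scontext']} -> {g['tcontext']} tclass={g['tclass']} "
            f"[{_utc(g['first'])} .. {_utc(g['last'])} UTC]"
        )
    return "\n".join(out)


if __name__ == "__main__":
    # Pipe `ausearch -m AVC,USER_AVC -c snapper -c grub` into this script;
    # with no stdin it summarises the embedded sample instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(format_report(dedupe_avcs(text)))
```

Run it as `sudo ausearch -m AVC,USER_AVC -c snapper -c grub | python3 avc_dedupe.py` (the file name is arbitrary); `ausearch -ts today` narrows the window at the source. On the sample the report collapses five records to three lines, and the grouping also makes the relabel visible: the two `execute_no_trans` denials run with `scontext=...:snapperd_t`, while the later `search` denial on `nscd` comes from `snapper_grub_plugin_t`, i.e. the plugin binary now transitions into its own domain.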