Hello folks. Recently I found that no new entries have been created for new snapshots, and /var/snapper/snapper.log seemed fine. Thus I come here to seek your help.
Currently # snapper list shows:
# │ Type │ Pre # │ Date │ User │ Used Space │ Cleanup │ Description │ Userdata
─────┼────────┼───────┼──────────────────────────┼──────┼────────────┼─────────┼───────────────────────┼─────────
0 │ single │ │ │ root │ │ │ current │
296* │ single │ │ Tue May 7 23:23:18 2024 │ root │ 3.93 GiB │ │ writable copy of #294 │
and # sdbootutil list-snapshots shows:
296 writable copy of #294
and # sdbootutil list-entries shows:
opensuse-tumbleweed-6.11.0-1-default-296.conf
all of which are expected.
However, if I try to create a new snapshot by # snapper create, # snapper list now shows:
# │ Type │ Pre # │ Date │ User │ Used Space │ Cleanup │ Description │ Userdata
─────┼────────┼───────┼──────────────────────────┼──────┼────────────┼─────────┼───────────────────────┼─────────
0 │ single │ │ │ root │ │ │ current │
296* │ single │ │ Tue May 7 23:23:18 2024 │ root │ 16.00 KiB │ │ writable copy of #294 │
297 │ single │ │ Mon Oct 7 21:40:13 2024 │ root │ 16.00 KiB │ │ │
and # sdbootutil list-snapshots shows:
296 writable copy of #294
!297
Notice that ! at the start of the line. If I dig into the sdbootutil TUI interface, it shows that the kernel is missing.
And no new entry is created, therefore # sdbootutil list-entries still shows
opensuse-tumbleweed-6.11.0-1-default-296.conf
During the snapshot creation, /var/log/snapper.log shows that
2024-10-07 21:46:48 WAR libsnapper(8306) FileUtils.cc(SDir):88 - THROW: open failed path://.snapshots/297 errno:2 (No such file or directory)
2024-10-07 21:46:48 WAR libsnapper(8306) Btrfs.cc(checkSnapshot):484 - CAUGHT: open failed path://.snapshots/297 errno:2 (No such file or directory)
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(SystemCmd):48 - constructor SystemCmd: /usr/lib/snapper/plugins/10-sdbootutil.snapper create-snapshot-pre / btrfs 297
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(execute):180 - stopwatch 0.003636s for "/usr/lib/snapper/plugins/10-sdbootutil.snapper create-snapshot-pre / btrfs 297"
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(execute):194 - system() Returns:0
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(SystemCmd):48 - constructor SystemCmd: /usr/lib/snapper/plugins/10-sdbootutil.snapper create-snapshot / btrfs 297
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(execute):180 - stopwatch 0.003688s for "/usr/lib/snapper/plugins/10-sdbootutil.snapper create-snapshot / btrfs 297"
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(execute):194 - system() Returns:0
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(SystemCmd):48 - constructor SystemCmd: /usr/lib/snapper/plugins/10-sdbootutil.snapper create-snapshot-post / btrfs 297
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(addLine):394 - Adding Line 1 "Error: No ESP detected. Legacy system?"
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(getUntilEOF):358 - pid:8539 added lines:1 stderr:true
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(execute):180 - stopwatch 0.036122s for "/usr/lib/snapper/plugins/10-sdbootutil.snapper create-snapshot-post / btrfs 297"
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(execute):194 - system() Returns:0
2024-10-07 21:47:18 MIL libsnapper(8306) Snapper.cc(~Snapper):142 - Snapper destructor
which shows no irregular errors (to me). The timestamps do not fit because I re-created the snapshot, but the logs are the same each time.
As of writing, I realized that recently I manually switched from AppArmor to SELinux and that could be the problem.
While creating the snapshot, there was a denied message in /var/log/audit/audit.log, which showed:
type=AVC msg=audit(1728309122.841:590): avc: denied { read } for pid=8820 comm="bootctl" name="mmcblk0p1" dev="devtmpfs" ino=343 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
I think the problem is that sdbootutil uses bootctl to create new entries and that operation is blocked by SELinux. Now I wonder how to make an exception for that operation, or which SELinux boolean needs to be switched. Because if I search for “read” in SELinux booleans, it shows various options:
cdrecord_read_content (off , off) Allow cdrecord to read content
container_read_certs (off , off) Allow container to read certs
cvs_read_shadow (off , off) Allow cvs to read shadow
dbadm_read_user_files (off , off) Allow dbadm to read user files
exim_read_user_files (off , off) Allow exim to read user files
gssd_read_tmp (on , on) Allow gssd to read tmp
httpd_read_user_content (off , off) Allow httpd to read user content
logrotate_read_inside_containers (off , off) Allow logrotate to read inside containers
minidlna_read_generic_user_content (off , off) Allow minidlna to read generic user content
mozilla_read_content (off , off) Allow mozilla to read content
pcp_read_generic_logs (off , off) Allow pcp to read generic logs
racoon_read_shadow (off , off) Allow racoon to read shadow
saslauthd_read_shadow (off , off) Allow saslauthd to read shadow
tomcat_read_rpm_db (off , off) Allow tomcat to read rpm db
virt_qemu_ga_read_nonsecurity_files (off , off) Allow virt to qemu ga read nonsecurity files
virt_read_qemu_ga_data (off , off) Allow virt to read qemu ga data
webadm_read_user_files (off , off) Allow webadm to read user files
Sorry for the long post, and thank you in advance!