Sdbootutil failed to create new entry for new snapshot, possibly due to SELinux

Hello folks. Recently I found that no new entries have been created for new snapshots, and /var/snapper/snapper.log seemed fine. Thus I come here to seek your help.

Currently # snapper list shows:

   # │ Type   │ Pre # │ Date                     │ User │ Used Space │ Cleanup │ Description           │ Userdata
─────┼────────┼───────┼──────────────────────────┼──────┼────────────┼─────────┼───────────────────────┼─────────
  0  │ single │       │                          │ root │            │         │ current               │
296* │ single │       │ Tue May  7 23:23:18 2024 │ root │   3.93 GiB │         │ writable copy of #294 │

and # sdbootutil list-snapshots shows:

296 writable copy of #294

and # sdbootutil list-entries shows:

opensuse-tumbleweed-6.11.0-1-default-296.conf

all of which are expected.

However, if I try to create a new snapshot by # snapper create, # snapper list now shows:

   # │ Type   │ Pre # │ Date                     │ User │ Used Space │ Cleanup │ Description           │ Userdata
─────┼────────┼───────┼──────────────────────────┼──────┼────────────┼─────────┼───────────────────────┼─────────
  0  │ single │       │                          │ root │            │         │ current               │
296* │ single │       │ Tue May  7 23:23:18 2024 │ root │  16.00 KiB │         │ writable copy of #294 │
297  │ single │       │ Mon Oct  7 21:40:13 2024 │ root │  16.00 KiB │         │                       │

and # sdbootutil list-snapshots shows:

296 writable copy of #294
!297 

Notice that ! at the start of the line. If I dig into the sdbootutil tui interface, it shows [screenshot omitted] that the kernel is missing.

And no new entry is created, therefore # sdbootutil list-entries still shows

opensuse-tumbleweed-6.11.0-1-default-296.conf

During the snapshot creation, /var/log/snapper.log shows that

snapper.log
2024-10-07 21:46:48 WAR libsnapper(8306) FileUtils.cc(SDir):88 - THROW: open failed path://.snapshots/297 errno:2 (No such file or directory)
2024-10-07 21:46:48 WAR libsnapper(8306) Btrfs.cc(checkSnapshot):484 - CAUGHT: open failed path://.snapshots/297 errno:2 (No such file or directory)
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(SystemCmd):48 - constructor SystemCmd: /usr/lib/snapper/plugins/10-sdbootutil.snapper create-snapshot-pre / btrfs 297
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(execute):180 - stopwatch 0.003636s for "/usr/lib/snapper/plugins/10-sdbootutil.snapper create-snapshot-pre / btrfs 297"
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(execute):194 - system() Returns:0
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(SystemCmd):48 - constructor SystemCmd: /usr/lib/snapper/plugins/10-sdbootutil.snapper create-snapshot / btrfs 297
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(execute):180 - stopwatch 0.003688s for "/usr/lib/snapper/plugins/10-sdbootutil.snapper create-snapshot / btrfs 297"
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(execute):194 - system() Returns:0
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(SystemCmd):48 - constructor SystemCmd: /usr/lib/snapper/plugins/10-sdbootutil.snapper create-snapshot-post / btrfs 297
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(addLine):394 - Adding Line 1 "Error: No ESP detected. Legacy system?"
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(getUntilEOF):358 - pid:8539 added lines:1 stderr:true
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(execute):180 - stopwatch 0.036122s for "/usr/lib/snapper/plugins/10-sdbootutil.snapper create-snapshot-post / btrfs 297"
2024-10-07 21:46:48 MIL libsnapper(8306) SystemCmd.cc(execute):194 - system() Returns:0
2024-10-07 21:47:18 MIL libsnapper(8306) Snapper.cc(~Snapper):142 - Snapper destructor

which shows no irregular errors (to me). The timestamps do not fit because I re-created the snapshot, but the logs are the same each time.


As of writing, I realized that recently I manually switched from AppArmor to SELinux and that could be the problem.

While creating the snapshot, there was a denied message in /var/log/audit/audit.log which showed:

type=AVC msg=audit(1728309122.841:590): avc:  denied  { read } for  pid=8820 comm="bootctl" name="mmcblk0p1" dev="devtmpfs" ino=343 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0

I think the problem is that sdbootutil uses bootctl to create new entries and that operation is blocked by SELinux. Now I wonder how to make an exception for that operation, or which SELinux boolean needs to be switched. Because if I search for “read” in SELinux booleans, it shows various options:

cdrecord_read_content          (off  ,  off)  Allow cdrecord to read content
container_read_certs           (off  ,  off)  Allow container to read certs
cvs_read_shadow                (off  ,  off)  Allow cvs to read shadow
dbadm_read_user_files          (off  ,  off)  Allow dbadm to read user files
exim_read_user_files           (off  ,  off)  Allow exim to read user files
gssd_read_tmp                  (on   ,   on)  Allow gssd to read tmp
httpd_read_user_content        (off  ,  off)  Allow httpd to read user content
logrotate_read_inside_containers (off  ,  off)  Allow logrotate to read inside containers
minidlna_read_generic_user_content (off  ,  off)  Allow minidlna to read generic user content
mozilla_read_content           (off  ,  off)  Allow mozilla to read content
pcp_read_generic_logs          (off  ,  off)  Allow pcp to read generic logs
racoon_read_shadow             (off  ,  off)  Allow racoon to read shadow
saslauthd_read_shadow          (off  ,  off)  Allow saslauthd to read shadow
tomcat_read_rpm_db             (off  ,  off)  Allow tomcat to read rpm db
virt_qemu_ga_read_nonsecurity_files (off  ,  off)  Allow virt to qemu ga read nonsecurity files
virt_read_qemu_ga_data         (off  ,  off)  Allow virt to read qemu ga data
webadm_read_user_files         (off  ,  off)  Allow webadm to read user files

Sorry for the long post, and thank you in advance!

Now I’m not so sure, since if I manually add the kernel to snapshot 297 by using # sdbootutil add-all-kernels 297, it goes just fine and no denied message pops up in the audit log.

Searching outside the forum led me to this bugzilla report labeled as FIXED:

https://bugzilla.suse.com/show_bug.cgi?id=1224120

which described a similar problem but showed { unlink } rather than { read } in audit log. According to the report, Request 1184840: Submit selinux-policy - openSUSE Build Service was supposed to fix the clash between snapper and SELinux.

And I just created a VM using the latest 20241006 snapshot, selecting systemd-boot as bootloader and SELinux in enforcing mode as MAC during installation. And entries can actually be created and deleted alongside the snapshots in this VM. I am now more confused.

So I just learned about audit2allow to explain the audit log, and it told me to

allow snapperd_t removable_device_t:blk_file read;

And it occurred to me that I’ve been using a Surface Go 3 with a 64 GB eMMC drive, which could be mistakenly considered as a removable device!

So, through trial and error, I finally figured out how to deal with my “removable device” rejected by SELinux. I need to allow getattr, ioctl, open and read permissions for snapperd_t on removable_device_t:blk_file, so here’s the generated snapper_emmc.te:


module snapper_emmc 1.0;

require {
	type snapperd_t;
	type removable_device_t;
	class blk_file { getattr ioctl open read };
}

#============= snapperd_t ==============

allow snapperd_t removable_device_t:blk_file { getattr ioctl open read };

And finally sdbootutil created entries for snapshots as intended.

I hope this finding is useful to those who have encountered similar problems to mine. And if possible, I hope selinux-policy could get updated accordingly in case the system is installed on an mmcblk device.

And I wish you all a good day. :slight_smile:
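As an added example (not code from this thread, nor from the audit2allow or sdbootutil projects), here is a small Python reimplementation of what audit2allow did above: it parses AVC denial records, merges the denied permissions per source type, target type and object class, and renders a .te module of the same shape as snapper_emmc.te. The audit log excerpt is constructed: record 590 is the line quoted in the thread, the other records are made up to stand in for the later getattr/ioctl/open denials and for a non-denial record that must be skipped.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt: record 590 is the AVC line quoted in the thread; 591-592
# stand in for the later getattr/ioctl/open denials; 593 is a non-denial a parser must skip.
AUDIT_LOG = """\
type=AVC msg=audit(1728309122.841:590): avc:  denied  { read } for  pid=8820 comm="bootctl" name="mmcblk0p1" dev="devtmpfs" ino=343 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1728309122.900:591): avc:  denied  { getattr } for  pid=8820 comm="bootctl" name="mmcblk0p1" dev="devtmpfs" ino=343 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1728309122.950:592): avc:  denied  { ioctl open } for  pid=8820 comm="bootctl" name="mmcblk0p1" dev="devtmpfs" ino=343 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
type=USER_AVC msg=audit(1728309130.000:593): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<sctx>\S+).*?\btcontext=(?P<tctx>\S+).*?\btclass=(?P<tclass>\w+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms, enforcing) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial record (e.g. a USER_AVC policy-load notice)
        stype = m["sctx"].split(":")[2]  # user:role:type:level -> type
        ttype = m["tctx"].split(":")[2]
        enforcing = m["permissive"] != "1"  # permissive=0: the access was actually blocked
        yield stype, ttype, m["tclass"], set(m["perms"].split()), enforcing

def aggregate(log_text):
    """Merge the denied permissions of all records per (source, target, class)."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms, _ in parse_denials(log_text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_te(module, version, rules):
    """Render a .te policy module in the shape audit2allow -M produces."""
    types = list(dict.fromkeys(t for s, t2, _ in rules for t in (s, t2)))  # dedupe, keep order
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

Review the aggregated rule before loading it: an allow rule should cover only the permissions the denials actually show, and records with permissive=1 describe access that was logged but not blocked.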

It would be even more useful if you opened a bug report. Use component Security, add the complete AVC entry and steps to reproduce it.

Thank you for your suggestion. I filed a bug report at 1231354 – [SELinux] bootctl denied { getattr ioctl open read } on removable device if system was installed on eMMC drive
