SUSE-IU-2025:842-1: Recommended update of suse/sl-micro/6.0/baremetal-os-container

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri Apr 4 07:16:38 UTC 2025 

SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:842-1
Image Tags        : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.7 , suse/sl-micro/6.0/baremetal-os-container:latest
Image Release     : 6.7
Severity          : moderate
Type              : recommended
References        : 1221720 
-----------------------------------------------------------------

The container suse/sl-micro/6.0/baremetal-os-container was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 270
Released:    Thu Apr  3 09:50:34 2025
Summary:     Recommended update for container-selinux
Type:        recommended
Severity:    moderate
References:  1221720
This update for container-selinux fixes the following issues:

- Update to version 2.236.0:

  * Allow super privileged containers to use RealtimeKit for scheduling
  * Add container_ro_file_t to the podman artifact store

- Update to version 2.235.0:

  * Bump to v2.235.0
  * container_log{reader,writer}_t: allow watch file
  * RPM: Update gating config
  * Enable aarch64 testing
  * TMT: simplify podman tests
  * feat: support /var/lib/crio

- Update to version 2.234.2:

  * TMT: enable epel idomatically
  * Packit: switch back to fedora-all
  * RPM: Bump Epoch to 4
  * rpm: ship manpage
  * Add proper labeling for RamaLama
  * Packit: remove rhel / epel jobs
  * packit: remove unused file

- Add BuildRequires selinux-policy-%{selinuxtype} to enable building
  for SLFO. Might be removed in the future again when 1231252
  is fixed.

- Update to version 2.233.0:

  * container_engine_t: small change to allow non root exec in a container
  * RPM: explicitly list ghosted paths and skip mode verification
  * container-selinux install on non selinux-policy-targeted systems (#332)
  * set container_log_t type for /var/log/kube-apiserver
  * Allow kubelet_t to create a sock file kubelet_var_lib_t
  * dontaudit spc_t to mmap_zero
  * Packit: update targets (#330)
  * container_engine_t: another round of small improvements (#327)
  * Allow container_device_plugin_t to use the network (#325)
  * RPM: cleanup changelog (#324)
  * TMT: Simplify tests

- Update to version 2.232.1:

  * Bump to v2.232.1
  * TMT: fix srpm download syntax on rawhide
  * Bump to 2.232.0
  * Packit: remove `update_release` key from downstream jobs (#313)
  * Update container-selinux.8 man page
  * Add ownership of /usr/share/udica (#312)
  * Packit/TMT: upstream maintenance of downstream gating tests
  * extend container_engine_t again
  * Allow spc_t to use localectl
  * Allow spc_t to use timedatectl
  * introduce container_use_xserver_devices boolean to allow GPU access

- Update to version 2.231.0:

  * Allow container domains to communicate with spc_t unix_stream_sockets
  * Move to %posttrans to ensure selinux-policy got updated before
    the commands run (bsc#1221720)

- Manual update to version 2.230.0+git4.a8e389d to include this 
  commit that is needed for the main selinux-policy update to work:

  * Rename all /var/run file context entries to /run

- Update to version 2.230.0:

  * Move to tar_scm based packaging: added _service and _servicedata
  * Allow containers to unmount file systems
  * Add buildah as a container_runtime_exec_t label
  * Additional rules for container_user_t
  * improve container_engine_t

- Update to version 2.228:

  * Allow container domains to watch fifo_files
  * container_engine_t: improve for podman in kubernetes case
  * Allow spc_t to transition to install_t domain
  * Default to allowing containers to use dri devices
  * Allow access to BPF Filesystems
  * Fix kubernetes transition rule
  * Label kubensenter as well as kubenswrapper
  * Allow container domains to execute container_runtime_tmpfs_t files
  * Allow container domains to ptrace themselves
  * Allow container domains to use container_runtime_tmpfs_t as an entrypoint
  * Add boolean to allow containers to use dri devices
  * Give containers access to pod resources endpoint
  * Label kubenswrapper kubelet_exec_t

- Update to version 2.222:

  * Allow containers to read/write inherited dri devices

- Update to version 2.221:

  * Allow containers to shutdown sockets inherited from container
    runtimes
  * Allow spc_t to use execmod libraries on container file systems
  * Add boolean to allow containers to read all cert files
  * More MLS Policy allow rules
  * Allow container runtimes using pasta bind icmp_socket to port_t
  * Fix spc_t transitions from container_runtime_domain

- Update to version 2.215.0:

  * Add some MLS rules to policy
  * Allow container runtime to dyntransition to spc_t
  * Tighten controls on confined users
  * Add labels for /var/lib/shared
  * Cleanup entrypoint definitions
  * Allow container_device_plugin_t access to debugfs
  * Allow containers which use devices to map them



The following package changes have been done:

- container-selinux-2.236.0-1.1 updated

More information about the sle-container-updates mailing list