SUSE-RU-2025:21003-1: critical: Recommended update for selinux-policy
SLE-UPDATES
null at suse.de
Wed Nov 26 20:31:41 UTC 2025
# Recommended update for selinux-policy
Announcement ID: SUSE-RU-2025:21003-1
Release Date: 2025-11-17T15:06:01Z
Rating: critical
References:
* bsc#1205770
* bsc#1229587
* bsc#1232226
* bsc#1235731
* bsc#1238137
* bsc#1240883
* bsc#1242998
* bsc#1244573
* bsc#1245470
* bsc#1247875
* bsc#1249052
* bsc#1249370
* bsc#1249435
* bsc#1250661
* bsc#1250696
* bsc#1250974
* bsc#1251227
* bsc#1251793
* bsc#1251862
* bsc#1251923
* bsc#1251952
Affected Products:
* SUSE Linux Enterprise Server 16.0
* SUSE Linux Enterprise Server for SAP Applications 16.0
An update that has 21 fixes can now be installed.
## Description:
This update for selinux-policy fixes the following issues:
Changes in selinux-policy:
Update to version 20250627+git239.fcbf2d509:
* fail2ban: bump module version
* fail2ban: allow fail2ban to watch all log files and dirs (bsc#1251952)
* fail2ban: fix typos in interface descriptions
* fail2ban: tweak file context regex for /run/fail2ban
* fail2ban: drop file context for old rc.d file
* Allow wicked to manage its proc directories (bsc#1235731)
* Allow NM to manage wicked pid files (bsc#1235731)
* Allow NM to reach systemd unit files (bsc#1235731)
* Make wicked script backwards compatible (bsc#1251923)
* Allow snapper grub plugin to domtrans to bootloader_t (bsc#1251862)
* Allow salt_t transition to rpm_script_t (bsc#1250696)
* grub snapper plugin is now named 00-grub (bsc#1251793)
* Assign alts_exec_t exec_file attribute (bsc#1250974)
* Add equivalency between /srv/tomcat and /var/lib/tomcat (bsc#1251227)
* Allow sshd_session_t write to wtmpdb
* Support /usr/libexec/ssh as well as openssh folder
* Set xenstored_use_store_type_domain boolean true (bsc#1247875)
* Adjust guest and xguest users policy for sshd-session
* Allow valkey-server create and use netlink_rdma_socket
* Allow blueman get attributes of filesystems with extended attributes
* Update files_search_base_file_types()
* Introduce unconfined wicked_script_t (bsc#1205770, bsc#1250661)
* Allow geoclue get attributes of the /dev/shm filesystem
* Allow apcupsd get attributes of the /dev/shm filesystem
* Allow sshd-session read cockpit pid files
* Add /opt/.snapshots to the snapper file context (bsc#1232226)
* Allow nfs generator create and use netlink sockets
* Conditionally allow virt guests to read certificates in user home directories
* xenstored_t needs CAP_SYS_ADMIN for XENSTORETYPE=domain (bsc#1247875)
* Allow nfs-generator create and use udp sockets
* Allow kdump search kdumpctl_tmp_t directories
* Allow init open and read user tmp files
* Fix the systemd_logind_stream_connect() interface
* Allow staff and sysadm execute iotop using sudo
* Allow sudodomains connect to systemd-logind over a unix socket
* /boot/efi is dosfs_t and kdump needs to access it (bsc#1249370)
* Add default contexts for sshd-session
* Define types for new openssh executables
* Fix systemd_manage_unit_symlinks() interface definition
* Support coreos installation methods
* Add a new type for systemd-ssh-issue PID files
* Allow gnome-remote-desktop connect to unreserved ports
* Zypper moves files in /var/tmp to /var/cache (bsc#1249052, bsc#1249435)
* Allow mdadm the CAP_SYS_PTRACE capability
* Allow iptables manage its private fifo_files in /tmp
* Allow auditd manage its private run dirs
* Revert "Allow virt_domain write to virt_image_t files"
* Allow gdm create /etc/.pwd.lock with a file transition
* Allow gdm bind a socket in the /run/systemd/userdbd directory
* Allow nsswitch_domain connect to xdm over a unix domain socket
* Allow systemd homed getattr all tmpfs files (bsc#1240883)
* Allow systemd (PID 1) create lastlog entries
* Allow systemd_homework_t transition pid files to lvm_var_run_t (bsc#1240883)
* Allow gnome-remote-desktop speak with tabrmd over dbus (bsc#1244573)
* Allow nm-dispatcher iscsi and sendmail plugins get pidfs attributes
* Allow systemd-oomd watch tmpfs dirs
* Allow chronyc the setgid and setuid capabilities
* Label /usr/lib/systemd/systemd-ssh-issue with systemd_ssh_issue_exec_t
* Allow stalld map sysfs files
* Allow NetworkManager-dispatcher-winbind get pidfs attributes
* Allow openvpn create and use generic netlink socket
* policy_capabilities: remove estimated from released versions
* policy_capabilities: add stub for userspace_initial_context
* add netlink_xperm policy capability and nlmsg permission definitions
* policy_capabilities: add ioctl_skip_cloexec
* selinux-policy: add allow rule for tuned_ppd_t
* selinux-policy: add allow rule for switcheroo_control_t
* Label /run/audit with auditd_var_run_t
* Allow virtqemud start a vm which uses nbdkit
* Add nbdkit_signal() and nbdkit_signull() interfaces
* Fix insights_client interfaces names
* Add insights_core and insights_client interfaces
* Fix selinux-autorelabel-generator label after upstream changes
* Revert "Remove the mysql module sources"
* Revert "Allow rasdaemon write access to sysfs (bsc#1229587)"
* Reset postfix.fc to upstream, add alias instead
* dist/targeted/modules.conf: enable slrnpull module
* Allow bootupd delete symlinks in the /boot directory
* Allow systemd-coredumpd capabilities in the user namespace
* Allow openvswitch read virtqemud process state
* Allow systemd-networkd to create leases directory
* Apply generator template to selinux-autorelabel generator
* Support virtqemud handle hotplug hostdev devices
* Allow virtstoraged create qemu /var/run files
* Allow unconfined_domain_type cap2_userns capabilities
* Label /usr/libexec/postfix/tlsproxy with postfix_smtp_exec_t
* Remove the mysql module sources
* dist/targeted/modules.conf: Enable kmscon module (bsc#1238137)
* Update kmscon policy module to kmscon version 9 (bsc#1238137)
* Allow login to getattr pidfs
* Allow systemd to map files under /sys
* systemd: drop duplicate init_nnp_daemon_domain lines
* Fix typo
* Allow logwatch stream connect to opensmtpd
* Allow geoclue read NetworkManager pid files
* Allow unconfined user a file transition for creating sudo log directory
* Allow virtqemud read/write inherited dri devices
* Allow xdm_t create user namespaces
* Update policy for login_userdomain
* Add ppd_base_profile to file transition to get tuned_rw_etc_t type
* Update policy for bootupd
* Allow logwatch work with opensmtpd
* Update dovecot policy for dovecot 2.4.1
* Allow ras-mc-ctl write to sysfs files
* Allow anaconda-generator get attributes of all filesystems
* Add the rhcd_rw_fifo_files() interface
* Allow systemd-coredump the sys_chroot capability
* Allow hostapd write to socket files in /tmp
* Recognize /var/home as an alternate path for /home
* Label /var/lib/lastlog with lastlog_t
* Allow virtqemud write to sysfs files
* Allow irqbalance search sssd lib directories
* Allow samba-dcerpcd send sigkills to passwd
* Allow systemd-oomd watch dbus pid sock files
* Allow some confined users read and map generic log files
* Allow login_userdomain watch the /run/log/journal directory
* Allow login_userdomain dbus chat with tuned-ppd
* Allow login_userdomain dbus chat with switcheroo-control
* Allow userdomain to connect to systemd-oomd over a unix socket
* Add insights_client_delete_lib_dirs() interface
* Allow virtqemud_t use its private tmpfs files (bsc#1242998)
* Allow virtqemud_t setattr to /dev/userfaultfd (bsc#1242998)
* Allow virtqemud_t read and write /dev/ptmx (bsc#1242998)
* Extend virtqemud_t tcp_socket permissions (bsc#1242998)
* Allow virtqemud_t to read and write generic pty (bsc#1242998)
* Allow systemd-importd create and unlink init pid socket
* Allow virtqemud handle virt_content_t chr files
* Allow svirt read virtqemud fifo files
* Allow sblim-sfcbd the dac_read_search capability
* Allow sblim domain read systemd session files
* Allow sblim-sfcbd execute dnsdomainname
* Confine nfs-server generator
* Allow systemd-timedated start/stop timemaster services
* Allow "hostapd_cli ping" run as a systemd service
* Allow power-profiles-daemon get attributes of filesystems with extended attributes
* Allow 'oomctl dump' to interact with systemd-oomd
* Basic functionality for systemd-oomd
* Basic enablement for systemd-oomd
* Allow samba-bgqd send to smbd over a unix datagram socket
* Update kernel_secretmem_use()
* Add the file/watch_mountns permission
* Update systemd-generators policy
* Allow plymouthd_t read proc files of systemd_passwd_agent (bsc#1245470)
* Allow insights-client file transition for files in /var/tmp
* Allow tuned-ppd manage tuned log files
* Allow systemd-coredump mount on tmpfs filesystems
* Update sssd_dontaudit_read_public_files()
* Allow zram-generator raw read fixed disk device
* Add fs_write_cgroup_dirs() and fs_setattr_cgroup_dirs() interfaces
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server 16.0
  zypper in -t patch SUSE-SLES-16.0-20=1
* SUSE Linux Enterprise Server for SAP Applications 16.0
  zypper in -t patch SUSE-SLES-16.0-20=1
## Package List:
* SUSE Linux Enterprise Server 16.0 (noarch)
  * selinux-policy-20250627+git239.fcbf2d509-160000.1.1
  * selinux-policy-sandbox-20250627+git239.fcbf2d509-160000.1.1
  * selinux-policy-devel-20250627+git239.fcbf2d509-160000.1.1
  * selinux-policy-doc-20250627+git239.fcbf2d509-160000.1.1
  * selinux-policy-minimum-20250627+git239.fcbf2d509-160000.1.1
  * selinux-policy-targeted-20250627+git239.fcbf2d509-160000.1.1
* SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch)
  * selinux-policy-20250627+git239.fcbf2d509-160000.1.1
  * selinux-policy-sandbox-20250627+git239.fcbf2d509-160000.1.1
  * selinux-policy-devel-20250627+git239.fcbf2d509-160000.1.1
  * selinux-policy-doc-20250627+git239.fcbf2d509-160000.1.1
  * selinux-policy-minimum-20250627+git239.fcbf2d509-160000.1.1
  * selinux-policy-targeted-20250627+git239.fcbf2d509-160000.1.1
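A check that the packages above are already at the fixed version, as an added example that is not SUSE's own tooling: it reimplements rpm's version ordering (the rpmvercmp segment rules, including `~` and `^`) and audits `rpm -q` output against the advisory's version-release. It assumes no epoch, as in this package list, and the `rpm -q` lines it reads are constructed for the demo.

```python
import re
from itertools import zip_longest

FIXED_EVR = "20250627+git239.fcbf2d509-160000.1.1"   # from the advisory; no epoch
PACKAGES = {"selinux-policy", "selinux-policy-sandbox", "selinux-policy-devel",
            "selinux-policy-doc", "selinux-policy-minimum", "selinux-policy-targeted"}
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|[~^]")   # rpm compares these segments in turn

def rpmvercmp(a: str, b: str) -> int:
    """Order two rpm version or release strings by rpmvercmp rules: -1, 0 or 1."""
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b), fillvalue=""):
        if x == y:
            continue
        if "~" in (x, y):                 # '~' sorts before anything, even end of string
            return -1 if x == "~" else 1
        if "^" in (x, y):                 # '^' sorts after end of string, before a segment
            return (1 if y == "" else -1) if x == "^" else (-1 if x == "" else 1)
        if "" in (x, y):                  # the string with segments left over is newer
            return -1 if x == "" else 1
        if x.isdigit() != y.isdigit():    # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():                   # numeric segments compare by value
            x, y = x.zfill(len(y)), y.zfill(len(x))
        if x != y:
            return 1 if x > y else -1
    return 0

def evr_at_least(installed: str, fixed: str) -> bool:
    """True when installed VERSION-RELEASE sorts at or above the fixed one."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

def audit(rpm_q_output: str) -> dict:
    """Map each advisory package named in `rpm -q` output to its patch status."""
    status = {}
    for line in rpm_q_output.splitlines():
        if line.startswith("package ") and line.endswith("is not installed"):
            status[line.split()[1]] = "not installed"
            continue
        parts = line.rsplit(".", 1)[0].rsplit("-", 2)   # drop arch, split NAME-VER-REL
        if len(parts) == 3 and parts[0] in PACKAGES:
            ok = evr_at_least(f"{parts[1]}-{parts[2]}", FIXED_EVR)
            status[parts[0]] = "fixed" if ok else "needs update"
    return status

SAMPLE_RPM_Q = """selinux-policy-20250627+git239.fcbf2d509-160000.1.1.noarch
selinux-policy-targeted-20250627+git200.0000000000-160000.1.1.noarch
selinux-policy-devel-20250627+git239.fcbf2d509-160000.2.1.noarch
package selinux-policy-minimum is not installed"""  # constructed rpm -q output, not a real host
```

On a real host, feed it the output of `rpm -q` for the package names in PACKAGES; anything reported as "needs update" is still at a pre-advisory build.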
## References:
* https://bugzilla.suse.com/show_bug.cgi?id=1205770
* https://bugzilla.suse.com/show_bug.cgi?id=1229587
* https://bugzilla.suse.com/show_bug.cgi?id=1232226
* https://bugzilla.suse.com/show_bug.cgi?id=1235731
* https://bugzilla.suse.com/show_bug.cgi?id=1238137
* https://bugzilla.suse.com/show_bug.cgi?id=1240883
* https://bugzilla.suse.com/show_bug.cgi?id=1242998
* https://bugzilla.suse.com/show_bug.cgi?id=1244573
* https://bugzilla.suse.com/show_bug.cgi?id=1245470
* https://bugzilla.suse.com/show_bug.cgi?id=1247875
* https://bugzilla.suse.com/show_bug.cgi?id=1249052
* https://bugzilla.suse.com/show_bug.cgi?id=1249370
* https://bugzilla.suse.com/show_bug.cgi?id=1249435
* https://bugzilla.suse.com/show_bug.cgi?id=1250661
* https://bugzilla.suse.com/show_bug.cgi?id=1250696
* https://bugzilla.suse.com/show_bug.cgi?id=1250974
* https://bugzilla.suse.com/show_bug.cgi?id=1251227
* https://bugzilla.suse.com/show_bug.cgi?id=1251793
* https://bugzilla.suse.com/show_bug.cgi?id=1251862
* https://bugzilla.suse.com/show_bug.cgi?id=1251923
* https://bugzilla.suse.com/show_bug.cgi?id=1251952