SUSE-RU-2025:03042-1: moderate: Recommended update for container-selinux
SLE-UPDATES
null at suse.de
Tue Sep 2 12:30:20 UTC 2025
# Recommended update for container-selinux
Announcement ID: SUSE-RU-2025:03042-1
Release Date: 2025-09-02T09:19:22Z
Rating: moderate
References:
* bsc#1207054
* bsc#1207077
* bsc#1221720
* bsc#1227442
* bsc#1248171
* bsc#1248201
Affected Products:
* SUSE Linux Enterprise Micro 5.5
An update that has six fixes can now be installed.
## Description:
This update for container-selinux fixes the following issues:
Update to version 2.236.0:
* Allow super privileged containers to use RealtimeKit for scheduling
* Add container_ro_file_t to the podman artifact store
Update to version 2.235.0:
* container_log{reader,writer}_t: allow watch file
* Enable aarch64 testing
* TMT: simplify podman tests
* feat: support /var/lib/crio
Update to version 2.234.2:
* TMT: enable epel idomatically
* Packit: switch back to fedora-all
* RPM: Bump Epoch to 4
* rpm: ship manpage
* Add proper labeling for RamaLama
* Packit: remove rhel / epel jobs
* packit: remove unused file
Update to version 2.233.0:
* container_engine_t: small change to allow non root exec in a container
* RPM: explicitly list ghosted paths and skip mode verification
* container-selinux install on non selinux-policy-targeted systems (#332)
* set container_log_t type for /var/log/kube-apiserver
* Allow kubelet_t to create a sock file kubelet_var_lib_t
* dontaudit spc_t to mmap_zero
* Packit: update targets (#330)
* container_engine_t: another round of small improvements (#327)
* Allow container_device_plugin_t to use the network (#325)
* RPM: cleanup changelog (#324)
* TMT: Simplify tests
Update to version 2.232.1:
* TMT: fix srpm download syntax on rawhide
* Packit: remove `update_release` key from downstream jobs (#313)
* Update container-selinux.8 man page
* Add ownership of /usr/share/udica (#312)
* Packit/TMT: upstream maintenance of downstream gating tests
* extend container_engine_t again
* Allow spc_t to use localectl
* Allow spc_t to use timedatectl
* introduce container_use_xserver_devices boolean to allow GPU access
Update to version 2.231.0:
* Allow container domains to communicate with spc_t unix_stream_sockets
* Move to %posttrans to ensure selinux-policy got updated before the commands
run (bsc#1221720)
* Rename all /var/run file context entries to /run
Update to version 2.230.0 (bsc#1248201):
* Move to tar_scm based packaging: added _service and _servicedata
* Allow containers to unmount file systems
* Add buildah as a container_runtime_exec_t label
* Additional rules for container_user_t
* improve container_engine_t
Update to version 2.228:
* Allow container domains to watch fifo_files
* container_engine_t: improve for podman in kubernetes case
* Allow spc_t to transition to install_t domain
* Default to allowing containers to use dri devices
* Allow access to BPF Filesystems
* Fix kubernetes transition rule
* Label kubensenter as well as kubenswrapper
* Allow container domains to execute container_runtime_tmpfs_t files
* Allow container domains to ptrace themselves
* Allow container domains to use container_runtime_tmpfs_t as an entrypoint
* Add boolean to allow containers to use dri devices
* Give containers access to pod resources endpoint
* Label kubenswrapper kubelet_exec_t
Update to version 2.222:
* Allow containers to read/write inherited dri devices
Update to version 2.221 (bsc#1248171):
* Allow containers to shutdown sockets inherited from container runtimes
* Allow spc_t to use execmod libraries on container file systems
* Add boolean to allow containers to read all cert files
* More MLS Policy allow rules
* Allow container runtimes using pasta bind icmp_socket to port_t
* Fix spc_t transitions from container_runtime_domain
Update to version 2.215.0:
* Add some MLS rules to policy
* Allow container runtime to dyntransition to spc_t
* Tighten controls on confined users
* Add labels for /var/lib/shared
* Cleanup entrypoint definitions
* Allow container_device_plugin_t access to debugfs
* Allow containers which use devices to map them
Update to version 2.211.0:
* Don't transition to initrc_t domains from spc_t
* Add tunable to allow sshd_t to launch container engines
* Allow syslogd_t gettatr on inheritited runtime tmpfs files
* Add container_file_t and container_ro_file_t as user_home_type
* Set default context for local-path-provisioner
* Allow daemon to send dbus messages to spc_t by
Update to version 2.206.0:
* Allow unconfined domains to transition to container_runtime_t
* Allow container domains to transition to install_t
* Allow avirt_sandbox_domain to manage container_file_t types
* Allow containers to watch sysfs_t directories
* Allow spc_t to transption to rpm_script_t
* Add support to new user_namespace access check
* Smaller permission changes for container_init_t
Update to version 2.198.0:
* Fix spc_t transition rules on tmpfs_t
Changes from 2.197.0:
* Add boolean containers_use_ecryptfs policy
Changes from 2.195.1:
* Readd missing allow rules for container_t
Changes from 2.194.0:
* Allow syslogd_t to use tmpfs files created by container runtime
Changes from 2.193.0:
* Allow containers to mount tmpfs_t file systems
* Label spc_t as a init initrc daemon
* Allow userdomains to run containers
Changes from 2.191.0:
* Create container_logwriter_t type
Changes from 2.190.1:
* Support BuildKit
* container.fc: Set label for kata-agent
* support nerdctl
Changes from 2.190.0:
* Packit: initial enablement
* Allow iptables to list directories labeled as container_file_t (bsc#1227442)
Changes from 2.189.0:
* Dont audit searching other processes in /proc.
* Allow privileged containers to use localectl (bsc#1207077)
* Allow privileged containers to use timedatectl (bsc#1207054)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2025-3042=1
## Package List:
* SUSE Linux Enterprise Micro 5.5 (noarch)
* container-selinux-2.236.0-150500.3.6.1
## References:
* https://bugzilla.suse.com/show_bug.cgi?id=1207054
* https://bugzilla.suse.com/show_bug.cgi?id=1207077
* https://bugzilla.suse.com/show_bug.cgi?id=1221720
* https://bugzilla.suse.com/show_bug.cgi?id=1227442
* https://bugzilla.suse.com/show_bug.cgi?id=1248171
* https://bugzilla.suse.com/show_bug.cgi?id=1248201
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20250902/e379ec49/attachment.htm>
More information about the sle-updates
mailing list