SUSE-RU-2025:03042-1: moderate: Recommended update for container-selinux

SLE-UPDATES null at suse.de
Tue Sep 2 12:30:20 UTC 2025 


# Recommended update for container-selinux

Announcement ID: SUSE-RU-2025:03042-1  
Release Date: 2025-09-02T09:19:22Z  
Rating: moderate  
References:

  * bsc#1207054
  * bsc#1207077
  * bsc#1221720
  * bsc#1227442
  * bsc#1248171
  * bsc#1248201

  
Affected Products:

  * SUSE Linux Enterprise Micro 5.5

  
  
An update that has six fixes can now be installed.

## Description:

This update for container-selinux fixes the following issues:

Update to version 2.236.0:

  * Allow super privileged containers to use RealtimeKit for scheduling
  * Add container_ro_file_t to the podman artifact store

Update to version 2.235.0:

  * container_log{reader,writer}_t: allow watch file
  * Enable aarch64 testing
  * TMT: simplify podman tests
  * feat: support /var/lib/crio

Update to version 2.234.2:

  * TMT: enable epel idomatically
  * Packit: switch back to fedora-all
  * RPM: Bump Epoch to 4
  * rpm: ship manpage
  * Add proper labeling for RamaLama
  * Packit: remove rhel / epel jobs
  * packit: remove unused file

Update to version 2.233.0:

  * container_engine_t: small change to allow non root exec in a container
  * RPM: explicitly list ghosted paths and skip mode verification
  * container-selinux install on non selinux-policy-targeted systems (#332)
  * set container_log_t type for /var/log/kube-apiserver
  * Allow kubelet_t to create a sock file kubelet_var_lib_t
  * dontaudit spc_t to mmap_zero
  * Packit: update targets (#330)
  * container_engine_t: another round of small improvements (#327)
  * Allow container_device_plugin_t to use the network (#325)
  * RPM: cleanup changelog (#324)
  * TMT: Simplify tests

Update to version 2.232.1:

  * TMT: fix srpm download syntax on rawhide
  * Packit: remove `update_release` key from downstream jobs (#313)
  * Update container-selinux.8 man page
  * Add ownership of /usr/share/udica (#312)
  * Packit/TMT: upstream maintenance of downstream gating tests
  * extend container_engine_t again
  * Allow spc_t to use localectl
  * Allow spc_t to use timedatectl
  * introduce container_use_xserver_devices boolean to allow GPU access

Update to version 2.231.0:

  * Allow container domains to communicate with spc_t unix_stream_sockets
  * Move to %posttrans to ensure selinux-policy got updated before the commands
    run (bsc#1221720)

  * Rename all /var/run file context entries to /run

Update to version 2.230.0 (bsc#1248201):

  * Move to tar_scm based packaging: added _service and _servicedata
  * Allow containers to unmount file systems
  * Add buildah as a container_runtime_exec_t label
  * Additional rules for container_user_t
  * improve container_engine_t

Update to version 2.228:

  * Allow container domains to watch fifo_files
  * container_engine_t: improve for podman in kubernetes case
  * Allow spc_t to transition to install_t domain
  * Default to allowing containers to use dri devices
  * Allow access to BPF Filesystems
  * Fix kubernetes transition rule
  * Label kubensenter as well as kubenswrapper
  * Allow container domains to execute container_runtime_tmpfs_t files
  * Allow container domains to ptrace themselves
  * Allow container domains to use container_runtime_tmpfs_t as an entrypoint
  * Add boolean to allow containers to use dri devices
  * Give containers access to pod resources endpoint
  * Label kubenswrapper kubelet_exec_t

Update to version 2.222:

  * Allow containers to read/write inherited dri devices

Update to version 2.221 (bsc#1248171):

  * Allow containers to shutdown sockets inherited from container runtimes
  * Allow spc_t to use execmod libraries on container file systems
  * Add boolean to allow containers to read all cert files
  * More MLS Policy allow rules
  * Allow container runtimes using pasta bind icmp_socket to port_t
  * Fix spc_t transitions from container_runtime_domain

Update to version 2.215.0:

  * Add some MLS rules to policy
  * Allow container runtime to dyntransition to spc_t
  * Tighten controls on confined users
  * Add labels for /var/lib/shared
  * Cleanup entrypoint definitions
  * Allow container_device_plugin_t access to debugfs
  * Allow containers which use devices to map them

Update to version 2.211.0:

  * Don't transition to initrc_t domains from spc_t
  * Add tunable to allow sshd_t to launch container engines
  * Allow syslogd_t gettatr on inheritited runtime tmpfs files
  * Add container_file_t and container_ro_file_t as user_home_type
  * Set default context for local-path-provisioner
  * Allow daemon to send dbus messages to spc_t by

Update to version 2.206.0:

  * Allow unconfined domains to transition to container_runtime_t
  * Allow container domains to transition to install_t
  * Allow avirt_sandbox_domain to manage container_file_t types
  * Allow containers to watch sysfs_t directories
  * Allow spc_t to transption to rpm_script_t
  * Add support to new user_namespace access check
  * Smaller permission changes for container_init_t

Update to version 2.198.0:

  * Fix spc_t transition rules on tmpfs_t

Changes from 2.197.0:

  * Add boolean containers_use_ecryptfs policy

Changes from 2.195.1:

  * Readd missing allow rules for container_t

Changes from 2.194.0:

  * Allow syslogd_t to use tmpfs files created by container runtime

Changes from 2.193.0:

  * Allow containers to mount tmpfs_t file systems
  * Label spc_t as a init initrc daemon
  * Allow userdomains to run containers

Changes from 2.191.0:

  * Create container_logwriter_t type

Changes from 2.190.1:

  * Support BuildKit
  * container.fc: Set label for kata-agent
  * support nerdctl

Changes from 2.190.0:

  * Packit: initial enablement
  * Allow iptables to list directories labeled as container_file_t (bsc#1227442)

Changes from 2.189.0:

  * Dont audit searching other processes in /proc.

  * Allow privileged containers to use localectl (bsc#1207077)

  * Allow privileged containers to use timedatectl (bsc#1207054)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Micro 5.5  
    zypper in -t patch SUSE-SLE-Micro-5.5-2025-3042=1

## Package List:

  * SUSE Linux Enterprise Micro 5.5 (noarch)
    * container-selinux-2.236.0-150500.3.6.1

## References:

  * https://bugzilla.suse.com/show_bug.cgi?id=1207054
  * https://bugzilla.suse.com/show_bug.cgi?id=1207077
  * https://bugzilla.suse.com/show_bug.cgi?id=1221720
  * https://bugzilla.suse.com/show_bug.cgi?id=1227442
  * https://bugzilla.suse.com/show_bug.cgi?id=1248171
  * https://bugzilla.suse.com/show_bug.cgi?id=1248201

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20250902/e379ec49/attachment.htm>

More information about the sle-updates mailing list