SUSE-RU-2026:20113-1: critical: Recommended update for selinux-policy
SLE-UPDATES
null at suse.de
Fri Jan 23 08:30:43 UTC 2026
# Recommended update for selinux-policy
Announcement ID: SUSE-RU-2026:20113-1
Release Date: 2026-01-19T14:45:38Z
Rating: critical
References:
* bsc#1231354
* bsc#1233358
* bsc#1241964
* bsc#1244459
* bsc#1244573
* bsc#1246080
* bsc#1246559
* bsc#1251789
* bsc#1251931
* bsc#1252095
* bsc#1252431
* bsc#1252992
* bsc#1252993
* bsc#1253098
* bsc#1253389
* bsc#1254395
* bsc#1254889
* bsc#1255024
Affected Products:
* SUSE Linux Micro 6.2
An update that has 18 fixes can now be installed.
## Description:
This update for selinux-policy fixes the following issues:
Changes in selinux-policy:
Update to version 20250627+git345.3965b24b0:
* Allow 'mysql-systemd-helper upgrade' to work correctly (bsc#1255024)
Update to version 20250627+git343.b66ec7135:
* Allow snapper_tu_etc_plugin_t to connect to machined varlink socket
(bsc#1254889)
Update to version 20250627+git341.4beeb2d65:
* Allow virtlogd_t dac_override (bsc#1253389)
* Introduce systemd_cryptsetup_generator_var_run_t file type (bsc#1244459)
* Allow virtqemud_t to read/write device_t (bsc#1251789)
* update support for polkit agent helper (bsc#1251931)
* Allow system_mail_t read apache system content conditionally
* Allow login_userdomain read lastlog
* Allow sshd-net read and write to sshd vsock socket
* Update ktls policy
* Add comprehensive SELinux policy module for bwrap thumbnail generation
* Revert "Allow thumb_t create permission in the user namespace"
* Allow systemd-machined read svirt process state
* Allow sshd_auth_t getopt/setopt on tcp_socket (bsc#1252992)
* Allow sysadm access to TPM
* Allow tlp get the attributes of the pidfs filesystem
* Allow kmscon to read netlink_kobject_uevent_socket
* Allow systemd-ssh-issue read kernel sysctls
* fix: bz2279215 Allow speech-dispatcher access to user home/cache files
* Allow create kerberos files in postgresql db home
* Fix files_delete_boot_symlinks() to contain delete_lnk_files_pattern
* Allow shell commands in locate systemd service (bsc#1246559)
* Introduce initrc_nnp_daemon_domain interface
* Label /var/lib/cosmic-greeter with xdm_var_lib_t
* Allow setroubleshoot-fixit get attributes of xattr fs
* Allow insights-client manage /etc symlinks
* Allow insights-client get attributes of the rpm executable
* Allow nfsidmapd search virt lib directories
* Allow iotop stream connect to systemd-userdbd
* Allow snapper_sdbootutil_plugin_t manage unlabeled_t files,dirs,symlinks
(bsc#1252993)
* Allow gnome-remote-desktop read sssd public files
* Allow thumb_t stream connect to systemd-userdbd
* Add auth_nnp_domtrans_chkpwd()
* Allow sshd_auth_t getopt/setopt on tcp_socket (bsc#1252992)
* Allow bluez dbus API passing unix domain sockets
* Allow bluez dbus api pass sockets over dbus
* Dontaudit systemd-generator connect to sssd over a unix stream socket
* Allow init watch/watch_reads systemd-machined user ptys
* Introduce sap_service_transition_to_unconfined_user boolean
* allow init to read sap symlinks
* Allow SAP domain to relocation text in all files
* Fix macros.selinux-policy to allow changing booleans when policy is not
loaded. Previous logic was broken (bsc#1254395)
Update to version 20250627+git293.3432d4834:
* Allow pcscd_t to search cgroup (bsc#1253098)
* Fix syntax error in userdomain.if
* Allow nnp_transition for OpenSMTPD (bsc#1252431)
* Allow ras-mc-ctl get attributes of the kmod executable
* Define file equivalency for /var/opt
* Allow virtnodedev_t the perfmon capability
* Allow nut_upsdrvctl_t the sys_ptrace capability
* Label /usr/lib/systemd/user/graphical-session-pre.target with
xdm_unit_file_t
* Allow snapper sdbootutil plugin read emmc devices (bsc#1231354)
* Allow pcrlock to delete pid entries
* Allow systemd_pcrlock_t to manage its pid files
* Mark snapper_sdbootutil_plugin_t as permissive
* Drop unnamed filetrans, should be done upstream (bsc#1241964)
* Label pcrlock pid file correctly (bsc#1241964)
* Allow snapper sdbootutil plugin send msg to system bus (bsc#1241964)
* snapper takes output from stdout/err, allow pcrlock to write
* Add tpm2_getcap permissions to snapper sdbootutil (bsc#1244573)
* Allow snapper sdbootutil plugin to read snapper data and conf
* Allow snapper sdbootutil plugin to grep /proc/stat (bsc#1241964)
* Replace snapper tmp file access for pcrlock (bsc#1241964)
* Allow snapper sdbootutil read kernel module dirs (bsc#1241964)
* Allow snapper sdbootutil plugin use bootctl (bsc#1241964)
* Allow snapper sdbootutil plugin to list and read sysfs (bsc#1241964)
* Allow snapper sdbootutil sys_admin (bsc#1241964)
* Allow snapper sdbootutils plugin to findmnt (bsc#1241964)
* Allow snapper sdbootutil plugin rw tpm (bsc#1233358)
* Move manage dos permissions and dontaudit execmem to snapper sdbootutils
plugin (bsc#1241964)
* Move snapper domtrans to sdbootutil to plugin (bsc#1241964)
* Revert snapper access to keys, move to sdbootutils plugin policy
(bsc#1241964)
* Add initial separate policy for sdbootutil called by snapper (bsc#1233358)
* Allow sort in snapper_grub_plugin_t read cpu.max (bsc#1252095)
* systemd-sysctl: allow rw on binfm_misc_fs_t to set binfmt_misc status
* Allow cupsd to manage cupsd_rw_etc_t lnk_files
* Set temporary no-stub resolv.conf file from NetworkManager as net_conf_t
* Allow spamc read aliases file
* Mark configfs_t as mountpoint (bsc#1246080)
* Allow systemd-machined watch cgroup files
* Allow sshd-auth read generic proc files
* Allow sshd-auth read and write user domain ptys
* Allow logwatch read and write sendmail unix stream sockets
* Allow logwatch domain transition on rpm execution
* Allow thumb_t mounton its private tmpfs files
* Allow thumb_t create permission in the user namespace
* Allow corenet_unconfined_type name_bind to icmp_socket
* Allow systemd-networkd to manage systemd_networkd_var_lib_t files
* Allow sshd-session get attributes of sshd vsock socket
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.2
zypper in -t patch SUSE-SL-Micro-6.2-154=1
## Package List:
* SUSE Linux Micro 6.2 (noarch)
* selinux-policy-20250627+git345.3965b24b0-160000.1.1
* selinux-policy-devel-20250627+git345.3965b24b0-160000.1.1
* selinux-policy-minimum-20250627+git345.3965b24b0-160000.1.1
* selinux-policy-targeted-20250627+git345.3965b24b0-160000.1.1
## References:
* https://bugzilla.suse.com/show_bug.cgi?id=1231354
* https://bugzilla.suse.com/show_bug.cgi?id=1233358
* https://bugzilla.suse.com/show_bug.cgi?id=1241964
* https://bugzilla.suse.com/show_bug.cgi?id=1244459
* https://bugzilla.suse.com/show_bug.cgi?id=1244573
* https://bugzilla.suse.com/show_bug.cgi?id=1246080
* https://bugzilla.suse.com/show_bug.cgi?id=1246559
* https://bugzilla.suse.com/show_bug.cgi?id=1251789
* https://bugzilla.suse.com/show_bug.cgi?id=1251931
* https://bugzilla.suse.com/show_bug.cgi?id=1252095
* https://bugzilla.suse.com/show_bug.cgi?id=1252431
* https://bugzilla.suse.com/show_bug.cgi?id=1252992
* https://bugzilla.suse.com/show_bug.cgi?id=1252993
* https://bugzilla.suse.com/show_bug.cgi?id=1253098
* https://bugzilla.suse.com/show_bug.cgi?id=1253389
* https://bugzilla.suse.com/show_bug.cgi?id=1254395
* https://bugzilla.suse.com/show_bug.cgi?id=1254889
* https://bugzilla.suse.com/show_bug.cgi?id=1255024