<div class="container">
<h1>Recommended update for container-selinux</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2025:1181-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-04-09T07:30:57Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1207054">bsc#1207054</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1207077">bsc#1207077</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1221720">bsc#1221720</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Micro 5.4</li>
<li class="list-group-item">SUSE Linux Enterprise Micro for Rancher 5.4</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that has three fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for container-selinux fixes the following issues:</p>
<ul>
<li>
<p>Update to version 2.236.0:</p>
</li>
<li>
<p>Allow super privileged containers to use RealtimeKit for scheduling</p>
</li>
<li>
<p>Add container_ro_file_t to the podman artifact store</p>
</li>
<li>
<p>Update to version 2.235.0:</p>
</li>
<li>
<p>Bump to v2.235.0</p>
</li>
<li>container_log{reader,writer}_t: allow watch file</li>
<li>RPM: Update gating config</li>
<li>Enable aarch64 testing</li>
<li>TMT: simplify podman tests</li>
<li>
<p>feat: support /var/lib/crio</p>
</li>
<li>
<p>Update to version 2.234.2:</p>
</li>
<li>
<p>TMT: enable epel idiomatically</p>
</li>
<li>Packit: switch back to fedora-all</li>
<li>RPM: Bump Epoch to 4</li>
<li>rpm: ship manpage</li>
<li>Add proper labeling for RamaLama</li>
<li>Packit: remove rhel / epel jobs</li>
<li>
<p>packit: remove unused file</p>
</li>
<li>
<p>Update to version 2.233.0:</p>
</li>
<li>
<p>container_engine_t: small change to allow non root exec in a container</p>
</li>
<li>RPM: explicitly list ghosted paths and skip mode verification</li>
<li>container-selinux install on non selinux-policy-targeted systems (#332)</li>
<li>set container_log_t type for /var/log/kube-apiserver</li>
<li>Allow kubelet_t to create a sock file kubelet_var_lib_t</li>
<li>dontaudit spc_t to mmap_zero</li>
<li>Packit: update targets (#330)</li>
<li>container_engine_t: another round of small improvements (#327)</li>
<li>Allow container_device_plugin_t to use the network (#325)</li>
<li>RPM: cleanup changelog (#324)</li>
<li>
<p>TMT: Simplify tests</p>
</li>
<li>
<p>Update to version 2.232.1:</p>
</li>
<li>
<p>TMT: fix srpm download syntax on rawhide</p>
</li>
<li>Packit: remove <code>update_release</code> key from downstream jobs (#313)</li>
<li>Update container-selinux.8 man page</li>
<li>Add ownership of /usr/share/udica (#312)</li>
<li>Packit/TMT: upstream maintenance of downstream gating tests</li>
<li>extend container_engine_t again</li>
<li>Allow spc_t to use localectl</li>
<li>Allow spc_t to use timedatectl</li>
<li>
<p>introduce container_use_xserver_devices boolean to allow GPU access</p>
</li>
<li>
<p>Update to version 2.231.0:</p>
</li>
<li>
<p>Allow container domains to communicate with spc_t unix_stream_sockets</p>
</li>
<li>
<p>Move to %posttrans to ensure selinux-policy got updated before
the commands run (bsc#1221720)</p>
</li>
<li>
<p>Manual update to version 2.230.0+git4.a8e389d to include this
commit that is needed for the main selinux-policy update to work:</p>
</li>
<li>
<p>Rename all /var/run file context entries to /run</p>
</li>
<li>
<p>Update to version 2.230.0:</p>
</li>
<li>
<p>Move to tar_scm based packaging: added _service and _servicedata</p>
</li>
<li>Allow containers to unmount file systems</li>
<li>Add buildah as a container_runtime_exec_t label</li>
<li>Additional rules for container_user_t</li>
<li>
<p>improve container_engine_t</p>
</li>
<li>
<p>Update to version 2.228:</p>
</li>
<li>
<p>Allow container domains to watch fifo_files</p>
</li>
<li>container_engine_t: improve for podman in kubernetes case</li>
<li>Allow spc_t to transition to install_t domain</li>
<li>Default to allowing containers to use dri devices</li>
<li>Allow access to BPF Filesystems</li>
<li>Fix kubernetes transition rule</li>
<li>Label kubensenter as well as kubenswrapper</li>
<li>Allow container domains to execute container_runtime_tmpfs_t files</li>
<li>Allow container domains to ptrace themselves</li>
<li>Allow container domains to use container_runtime_tmpfs_t as an entrypoint</li>
<li>Add boolean to allow containers to use dri devices</li>
<li>Give containers access to pod resources endpoint</li>
<li>
<p>Label kubenswrapper kubelet_exec_t</p>
</li>
<li>
<p>Update to version 2.222:</p>
</li>
<li>
<p>Allow containers to read/write inherited dri devices</p>
</li>
<li>
<p>Update to version 2.221:</p>
</li>
<li>
<p>Allow containers to shut down sockets inherited from container
runtimes</p>
</li>
<li>Allow spc_t to use execmod libraries on container file systems</li>
<li>Add boolean to allow containers to read all cert files</li>
<li>More MLS Policy allow rules</li>
<li>Allow container runtimes using pasta to bind icmp_socket to port_t</li>
<li>
<p>Fix spc_t transitions from container_runtime_domain</p>
</li>
<li>
<p>Update to version 2.215.0:</p>
</li>
<li>
<p>Add some MLS rules to policy</p>
</li>
<li>Allow container runtime to dyntransition to spc_t</li>
<li>Tighten controls on confined users</li>
<li>Add labels for /var/lib/shared</li>
<li>Cleanup entrypoint definitions</li>
<li>Allow container_device_plugin_t access to debugfs</li>
<li>
<p>Allow containers which use devices to map them</p>
</li>
<li>
<p>Update to version 2.211.0:</p>
</li>
<li>Don't transition to initrc_t domains from spc_t</li>
<li>Add tunable to allow sshd_t to launch container engines</li>
<li>Allow syslogd_t getattr on inherited runtime tmpfs files</li>
<li>Add container_file_t and container_ro_file_t as user_home_type</li>
<li>Set default context for local-path-provisioner</li>
<li>
<p>Allow daemon to send dbus messages to spc_t by</p>
</li>
<li>
<p>Update to version 2.206.0:</p>
</li>
<li>Allow unconfined domains to transition to container_runtime_t</li>
<li>Allow container domains to transition to install_t</li>
<li>Allow svirt_sandbox_domain to manage container_file_t types</li>
<li>Allow containers to watch sysfs_t directories</li>
<li>Allow spc_t to transition to rpm_script_t</li>
<li>Smaller permission changes for container_init_t</li>
<li>
<p>Drop spc.patch; it is now included</p>
</li>
<li>
<p>Update to version 2.198.0:</p>
</li>
<li>Fix spc_t transition rules on tmpfs_t</li>
<li>Changes from 2.197.0:</li>
<li>Add boolean containers_use_ecryptfs policy</li>
<li>Changes from 2.195.1:</li>
<li>Readd missing allow rules for container_t</li>
<li>Changes from 2.194.0:</li>
<li>Allow syslogd_t to use tmpfs files created by container runtime</li>
<li>Changes from 2.193.0:</li>
<li>Allow containers to mount tmpfs_t file systems</li>
<li>Label spc_t as an init/initrc daemon</li>
<li>Allow userdomains to run containers</li>
<li>Changes from 2.191.0:</li>
<li>Create container_logwriter_t type</li>
<li>Changes from 2.190.1:</li>
<li>Support BuildKit</li>
<li>container.fc: Set label for kata-agent</li>
<li>support nerdctl</li>
<li>Changes from 2.190.0:</li>
<li>Packit: initial enablement</li>
<li>
<p>Allow iptables to list directories labeled as container_file_t</p>
</li>
<li>
<p>Changes from 2.189.0:</p>
</li>
<li>
<p>Don't audit searching other processes in /proc.</p>
</li>
<li>
<p>Allow privileged containers to use localectl (bsc#1207077)</p>
</li>
<li>Allow privileged containers to use timedatectl (bsc#1207054)</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Micro for Rancher 5.4
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-5.4-2025-1181=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Micro 5.4
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-5.4-2025-1181=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Micro for Rancher 5.4 (noarch)
<ul>
<li>container-selinux-2.236.0-150400.3.3.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Micro 5.4 (noarch)
<ul>
<li>container-selinux-2.236.0-150400.3.3.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1207054">https://bugzilla.suse.com/show_bug.cgi?id=1207054</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1207077">https://bugzilla.suse.com/show_bug.cgi?id=1207077</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1221720">https://bugzilla.suse.com/show_bug.cgi?id=1221720</a>
</li>
</ul>
</div>