<div class="container">
<h1>Recommended update for container-selinux</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2025:20264-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-04-17T11:21:25Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1221720">bsc#1221720</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.1</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that has one fix can now be installed.</p>
<h2>Description:</h2>
<p>This update for container-selinux fixes the following issues:</p>
<ul>
<li>
<p>Update to version 2.236.0:</p>
</li>
<li>
<p>Allow super privileged containers to use RealtimeKit for scheduling</p>
</li>
<li>
<p>Add container_ro_file_t to the podman artifact store</p>
</li>
<li>
<p>Update to version 2.235.0:</p>
</li>
<li>
<p>Bump to v2.235.0</p>
</li>
<li>container_log{reader,writer}_t: allow watch file</li>
<li>RPM: Update gating config</li>
<li>
<p>feat: support /var/lib/crio</p>
</li>
<li>
<p>Update to version 2.234.2:</p>
</li>
<li>
<p>TMT: enable epel idomatically</p>
</li>
<li>Packit: switch back to fedora-all</li>
<li>RPM: Bump Epoch to 4</li>
<li>rpm: ship manpage</li>
<li>Add proper labeling for RamaLama</li>
<li>Packit: remove rhel / epel jobs</li>
<li>
<p>packit: remove unused file</p>
</li>
<li>
<p>Add BuildRequires selinux-policy-%{selinuxtype} to enable building
for SLFO. Might be removed in the future again when 1231252
is fixed.</p>
</li>
<li>
<p>Update to version 2.233.0:</p>
</li>
<li>
<p>container_engine_t: small change to allow non root exec in a container</p>
</li>
<li>RPM: explicitly list ghosted paths and skip mode verification</li>
<li>container-selinux install on non selinux-policy-targeted systems (#332)</li>
<li>set container_log_t type for /var/log/kube-apiserver</li>
<li>Allow kubelet_t to create a sock file kubelet_var_lib_t</li>
<li>dontaudit spc_t to mmap_zero</li>
<li>Packit: update targets (#330)</li>
<li>container_engine_t: another round of small improvements (#327)</li>
<li>Allow container_device_plugin_t to use the network (#325)</li>
<li>RPM: cleanup changelog (#324)</li>
<li>
<p>TMT: Simplify tests</p>
</li>
<li>
<p>Update to version 2.232.1:</p>
</li>
<li>
<p>Bump to v2.232.1</p>
</li>
<li>TMT: fix srpm download syntax on rawhide</li>
<li>Bump to 2.232.0</li>
<li>Packit: remove <code>update_release</code> key from downstream jobs (#313)</li>
<li>Update container-selinux.8 man page</li>
<li>Add ownership of /usr/share/udica (#312)</li>
<li>Packit/TMT: upstream maintenance of downstream gating tests</li>
<li>extend container_engine_t again</li>
<li>Allow spc_t to use localectl</li>
<li>Allow spc_t to use timedatectl</li>
<li>
<p>introduce container_use_xserver_devices boolean to allow GPU access</p>
</li>
<li>
<p>Update to version 2.231.0:</p>
</li>
<li>
<p>Allow container domains to communicate with spc_t unix_stream_sockets</p>
</li>
<li>
<p>Move to %posttrans to ensure selinux-policy got updated before
the commands run (bsc#1221720)</p>
</li>
<li>
<p>Manual update to version 2.230.0+git4.a8e389d to include this
commit that is needed for the main selinux-policy update to work:</p>
</li>
<li>
<p>Rename all /var/run file context entries to /run</p>
</li>
<li>
<p>Update to version 2.230.0:</p>
</li>
<li>
<p>Move to tar_scm based packaging: added _service and _servicedata</p>
</li>
<li>Allow containers to unmount file systems</li>
<li>Add buildah as a container_runtime_exec_t label</li>
<li>Additional rules for container_user_t</li>
<li>
<p>improve container_engine_t</p>
</li>
<li>
<p>Update to version 2.228:</p>
</li>
<li>
<p>Allow container domains to watch fifo_files</p>
</li>
<li>container_engine_t: improve for podman in kubernetes case</li>
<li>Allow spc_t to transition to install_t domain</li>
<li>Default to allowing containers to use dri devices</li>
<li>Allow access to BPF Filesystems</li>
<li>Fix kubernetes transition rule</li>
<li>Label kubensenter as well as kubenswrapper</li>
<li>Allow container domains to execute container_runtime_tmpfs_t files</li>
<li>Allow container domains to ptrace themselves</li>
<li>Allow container domains to use container_runtime_tmpfs_t as an entrypoint</li>
<li>Add boolean to allow containers to use dri devices</li>
<li>Give containers access to pod resources endpoint</li>
<li>
<p>Label kubenswrapper kubelet_exec_t</p>
</li>
<li>
<p>Update to version 2.222:</p>
</li>
<li>
<p>Allow containers to read/write inherited dri devices</p>
</li>
<li>
<p>Update to version 2.221:</p>
</li>
<li>
<p>Allow containers to shutdown sockets inherited from container
runtimes</p>
</li>
<li>Allow spc_t to use execmod libraries on container file systems</li>
<li>Add boolean to allow containers to read all cert files</li>
<li>More MLS Policy allow rules</li>
<li>Allow container runtimes using pasta bind icmp_socket to port_t</li>
<li>
<p>Fix spc_t transitions from container_runtime_domain</p>
</li>
<li>
<p>Update to version 2.215.0:</p>
</li>
<li>
<p>Add some MLS rules to policy</p>
</li>
<li>Allow container runtime to dyntransition to spc_t</li>
<li>Tighten controls on confined users</li>
<li>Add labels for /var/lib/shared</li>
<li>Cleanup entrypoint definitions</li>
<li>Allow container_device_plugin_t access to debugfs</li>
<li>Allow containers which use devices to map them</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.1
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.1-70=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.1 (noarch)
<ul>
<li>container-selinux-2.236.0-slfo.1.1_1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1221720">https://bugzilla.suse.com/show_bug.cgi?id=1221720</a>
</li>
</ul>
</div>