<div class="container">
<h1>Recommended update for selinux-policy</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2025:21003-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-11-17T15:06:01Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>critical</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1205770">bsc#1205770</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1229587">bsc#1229587</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1232226">bsc#1232226</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1235731">bsc#1235731</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1238137">bsc#1238137</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1240883">bsc#1240883</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1242998">bsc#1242998</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244573">bsc#1244573</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1245470">bsc#1245470</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1247875">bsc#1247875</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1249052">bsc#1249052</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1249370">bsc#1249370</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1249435">bsc#1249435</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1250661">bsc#1250661</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1250696">bsc#1250696</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1250974">bsc#1250974</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251227">bsc#1251227</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251793">bsc#1251793</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251862">bsc#1251862</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251923">bsc#1251923</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251952">bsc#1251952</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server 16.0</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 16.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that has 21 fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for selinux-policy fixes the following issues:</p>
<p>Changes in selinux-policy:</p>
<p>Update to version 20250627+git239.fcbf2d509:</p>
<ul>
<li>fail2ban: bump module version</li>
<li>fail2ban: allow fail2ban to watch all log files and dirs (bsc#1251952)</li>
<li>fail2ban: fix typos in interface descriptions</li>
<li>fail2ban: tweak file context regex for /run/fail2ban</li>
<li>fail2ban: drop file context for old rc.d file</li>
<li>Allow wicked to manage its proc directories (bsc#1235731)</li>
<li>Allow NM to manage wicked pid files (bsc#1235731)</li>
<li>Allow NM to reach systemd unit files (bsc#1235731)</li>
<li>Make wicked script backwards compatible (bsc#1251923)</li>
<li>Allow snapper grub plugin to domtrans to bootloader_t (bsc#1251862)</li>
<li>Allow salt_t transition to rpm_script_t (bsc#1250696)</li>
<li>grub snapper plugin is now named 00-grub (bsc#1251793)</li>
<li>Assign alts_exec_t exec_file attribute (bsc#1250974)</li>
<li>Add equivalency between /srv/tomcat and /var/lib/tomcat (bsc#1251227)</li>
<li>Allow sshd_session_t write to wtmpdb</li>
<li>Support /usr/libexec/ssh as well as openssh folder</li>
<li>Set xenstored_use_store_type_domain boolean true (bsc#1247875)</li>
<li>Adjust guest and xguest users policy for sshd-session</li>
<li>Allow valkey-server create and use netlink_rdma_socket</li>
<li>Allow blueman get attributes of filesystems with extended attributes</li>
<li>Update files_search_base_file_types()</li>
<li>Introduce unconfined wicked_script_t (bsc#1205770, bsc#1250661)</li>
<li>Allow geoclue get attributes of the /dev/shm filesystem</li>
<li>Allow apcupsd get attributes of the /dev/shm filesystem</li>
<li>Allow sshd-session read cockpit pid files</li>
<li>Add /opt/.snapshots to the snapper file context (bsc#1232226)</li>
<li>Allow nfs generator create and use netlink sockets</li>
<li>Conditionally allow virt guests to read certificates in user home directories</li>
<li>xenstored_t needs CAP_SYS_ADMIN for XENSTORETYPE=domain (bsc#1247875)</li>
<li>Allow nfs-generator create and use udp sockets</li>
<li>Allow kdump search kdumpctl_tmp_t directories</li>
<li>Allow init open and read user tmp files</li>
<li>Fix the systemd_logind_stream_connect() interface</li>
<li>Allow staff and sysadm execute iotop using sudo</li>
<li>Allow sudodomains connect to systemd-logind over a unix socket</li>
<li>/boot/efi is dosfs_t and kdump needs to access it (bsc#1249370)</li>
<li>Add default contexts for sshd-session</li>
<li>Define types for new openssh executables</li>
<li>Fix systemd_manage_unit_symlinks() interface definition</li>
<li>Support coreos installation methods</li>
<li>Add a new type for systemd-ssh-issue PID files</li>
<li>Allow gnome-remote-desktop connect to unreserved ports</li>
<li>Zypper moves files in /var/tmp to /var/cache (bsc#1249052, bsc#1249435)</li>
<li>Allow mdadm the CAP_SYS_PTRACE capability</li>
<li>Allow iptables manage its private fifo_files in /tmp</li>
<li>Allow auditd manage its private run dirs</li>
<li>Revert "Allow virt_domain write to virt_image_t files"</li>
<li>Allow gdm create /etc/.pwd.lock with a file transition</li>
<li>Allow gdm bind a socket in the /run/systemd/userdbd directory</li>
<li>Allow nsswitch_domain connect to xdm over a unix domain socket</li>
<li>Allow systemd homed getattr all tmpfs files (bsc#1240883)</li>
<li>Allow systemd (PID 1) create lastlog entries</li>
<li>Allow systemd_homework_t transition pid files to lvm_var_run_t (bsc#1240883)</li>
<li>Allow gnome-remote-desktop speak with tabrmd over dbus (bsc#1244573)</li>
<li>Allow nm-dispatcher iscsi and sendmail plugins get pidfs attributes</li>
<li>Allow systemd-oomd watch tmpfs dirs</li>
<li>Allow chronyc the setgid and setuid capabilities</li>
<li>Label /usr/lib/systemd/systemd-ssh-issue with systemd_ssh_issue_exec_t</li>
<li>Allow stalld map sysfs files</li>
<li>Allow NetworkManager-dispatcher-winbind get pidfs attributes</li>
<li>Allow openvpn create and use generic netlink socket</li>
<li>policy_capabilities: remove estimated from released versions</li>
<li>policy_capabilities: add stub for userspace_initial_context</li>
<li>add netlink_xperm policy capability and nlmsg permission definitions</li>
<li>policy_capabilities: add ioctl_skip_cloexec</li>
<li>selinux-policy: add allow rule for tuned_ppd_t</li>
<li>selinux-policy: add allow rule for switcheroo_control_t</li>
<li>Label /run/audit with auditd_var_run_t</li>
<li>Allow virtqemud start a vm which uses nbdkit</li>
<li>Add nbdkit_signal() and nbdkit_signull() interfaces</li>
<li>Fix insights_client interfaces names</li>
<li>Add insights_core and insights_client interfaces</li>
<li>Fix selinux-autorelabel-generator label after upstream changes</li>
<li>Revert "Remove the mysql module sources"</li>
<li>Revert "Allow rasdaemon write access to sysfs (bsc#1229587)"</li>
<li>Reset postfix.fc to upstream, add alias instead</li>
<li>dist/targeted/modules.conf: enable slrnpull module</li>
<li>Allow bootupd delete symlinks in the /boot directory</li>
<li>Allow systemd-coredumpd capabilities in the user namespace</li>
<li>Allow openvswitch read virtqemud process state</li>
<li>Allow systemd-networkd to create leases directory</li>
<li>Apply generator template to selinux-autorelabel generator</li>
<li>Support virtqemud handle hotplug hostdev devices</li>
<li>Allow virtstoraged create qemu /var/run files</li>
<li>Allow unconfined_domain_type cap2_userns capabilities</li>
<li>Label /usr/libexec/postfix/tlsproxy with postfix_smtp_exec_t</li>
<li>Remove the mysql module sources</li>
<li>dist/targeted/modules.conf: Enable kmscon module (bsc#1238137)</li>
<li>Update kmscon policy module to kmscon version 9 (bsc#1238137)</li>
<li>Allow login to getattr pidfs</li>
<li>Allow systemd to map files under /sys</li>
<li>systemd: drop duplicate init_nnp_daemon_domain lines</li>
<li>Fix typo</li>
<li>Allow logwatch stream connect to opensmtpd</li>
<li>Allow geoclue read NetworkManager pid files</li>
<li>Allow unconfined user a file transition for creating sudo log directory</li>
<li>Allow virtqemud read/write inherited dri devices</li>
<li>Allow xdm_t create user namespaces</li>
<li>Update policy for login_userdomain</li>
<li>Add ppd_base_profile to file transition to get tuned_rw_etc_t type</li>
<li>Update policy for bootupd</li>
<li>Allow logwatch work with opensmtpd</li>
<li>Update dovecot policy for dovecot 2.4.1</li>
<li>Allow ras-mc-ctl write to sysfs files</li>
<li>Allow anaconda-generator get attributes of all filesystems</li>
<li>Add the rhcd_rw_fifo_files() interface</li>
<li>Allow systemd-coredump the sys_chroot capability</li>
<li>Allow hostapd write to socket files in /tmp</li>
<li>Recognize /var/home as an alternate path for /home</li>
<li>Label /var/lib/lastlog with lastlog_t</li>
<li>Allow virtqemud write to sysfs files</li>
<li>Allow irqbalance search sssd lib directories</li>
<li>Allow samba-dcerpcd send sigkills to passwd</li>
<li>Allow systemd-oomd watch dbus pid sock files</li>
<li>Allow some confined users read and map generic log files</li>
<li>Allow login_userdomain watch the /run/log/journal directory</li>
<li>Allow login_userdomain dbus chat with tuned-ppd</li>
<li>Allow login_userdomain dbus chat with switcheroo-control</li>
<li>Allow userdomain to connect to systemd-oomd over a unix socket</li>
<li>Add insights_client_delete_lib_dirs() interface</li>
<li>Allow virtqemud_t use its private tmpfs files (bsc#1242998)</li>
<li>Allow virtqemud_t setattr to /dev/userfaultfd (bsc#1242998)</li>
<li>Allow virtqemud_t read and write /dev/ptmx (bsc#1242998)</li>
<li>Extend virtqemud_t tcp_socket permissions (bsc#1242998)</li>
<li>Allow virtqemud_t to read and write generic pty (bsc#1242998)</li>
<li>Allow systemd-importd create and unlink init pid socket</li>
<li>Allow virtqemud handle virt_content_t chr files</li>
<li>Allow svirt read virtqemud fifo files</li>
<li>Allow sblim-sfcbd the dac_read_search capability</li>
<li>Allow sblim domain read systemd session files</li>
<li>Allow sblim-sfcbd execute dnsdomainname</li>
<li>Confine nfs-server generator</li>
<li>Allow systemd-timedated start/stop timemaster services</li>
<li>Allow "hostapd_cli ping" run as a systemd service</li>
<li>Allow power-profiles-daemon get attributes of filesystems with extended attributes</li>
<li>Allow 'oomctl dump' to interact with systemd-oomd</li>
<li>Basic functionality for systemd-oomd</li>
<li>Basic enablement for systemd-oomd</li>
<li>Allow samba-bgqd send to smbd over a unix datagram socket</li>
<li>Update kernel_secretmem_use()</li>
<li>Add the file/watch_mountns permission</li>
<li>Update systemd-generators policy</li>
<li>Allow plymouthd_t read proc files of systemd_passwd_agent (bsc#1245470)</li>
<li>Allow insights-client file transition for files in /var/tmp</li>
<li>Allow tuned-ppd manage tuned log files</li>
<li>Allow systemd-coredump mount on tmpfs filesystems</li>
<li>Update sssd_dontaudit_read_public_files()</li>
<li>Allow zram-generator raw read fixed disk device</li>
<li>Add fs_write_cgroup_dirs() and fs_setattr_cgroup_dirs() interfaces</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update, use the SUSE recommended
installation methods such as YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-20=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-20=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 16.0 (noarch)
<ul>
<li>selinux-policy-20250627+git239.fcbf2d509-160000.1.1</li>
<li>selinux-policy-sandbox-20250627+git239.fcbf2d509-160000.1.1</li>
<li>selinux-policy-devel-20250627+git239.fcbf2d509-160000.1.1</li>
<li>selinux-policy-doc-20250627+git239.fcbf2d509-160000.1.1</li>
<li>selinux-policy-minimum-20250627+git239.fcbf2d509-160000.1.1</li>
<li>selinux-policy-targeted-20250627+git239.fcbf2d509-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch)
<ul>
<li>selinux-policy-20250627+git239.fcbf2d509-160000.1.1</li>
<li>selinux-policy-sandbox-20250627+git239.fcbf2d509-160000.1.1</li>
<li>selinux-policy-devel-20250627+git239.fcbf2d509-160000.1.1</li>
<li>selinux-policy-doc-20250627+git239.fcbf2d509-160000.1.1</li>
<li>selinux-policy-minimum-20250627+git239.fcbf2d509-160000.1.1</li>
<li>selinux-policy-targeted-20250627+git239.fcbf2d509-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1205770">https://bugzilla.suse.com/show_bug.cgi?id=1205770</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1229587">https://bugzilla.suse.com/show_bug.cgi?id=1229587</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1232226">https://bugzilla.suse.com/show_bug.cgi?id=1232226</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1235731">https://bugzilla.suse.com/show_bug.cgi?id=1235731</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1238137">https://bugzilla.suse.com/show_bug.cgi?id=1238137</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1240883">https://bugzilla.suse.com/show_bug.cgi?id=1240883</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1242998">https://bugzilla.suse.com/show_bug.cgi?id=1242998</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244573">https://bugzilla.suse.com/show_bug.cgi?id=1244573</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1245470">https://bugzilla.suse.com/show_bug.cgi?id=1245470</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1247875">https://bugzilla.suse.com/show_bug.cgi?id=1247875</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1249052">https://bugzilla.suse.com/show_bug.cgi?id=1249052</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1249370">https://bugzilla.suse.com/show_bug.cgi?id=1249370</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1249435">https://bugzilla.suse.com/show_bug.cgi?id=1249435</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1250661">https://bugzilla.suse.com/show_bug.cgi?id=1250661</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1250696">https://bugzilla.suse.com/show_bug.cgi?id=1250696</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1250974">https://bugzilla.suse.com/show_bug.cgi?id=1250974</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251227">https://bugzilla.suse.com/show_bug.cgi?id=1251227</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251793">https://bugzilla.suse.com/show_bug.cgi?id=1251793</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251862">https://bugzilla.suse.com/show_bug.cgi?id=1251862</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251923">https://bugzilla.suse.com/show_bug.cgi?id=1251923</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251952">https://bugzilla.suse.com/show_bug.cgi?id=1251952</a>
</li>
</ul>
</div>