<div class="container">
<h1>Recommended update for selinux-policy</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2026:20098-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-01-19T14:46:34Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>critical</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1231354">bsc#1231354</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1233358">bsc#1233358</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1241964">bsc#1241964</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244459">bsc#1244459</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244573">bsc#1244573</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1246080">bsc#1246080</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1246559">bsc#1246559</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251789">bsc#1251789</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251931">bsc#1251931</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252095">bsc#1252095</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252431">bsc#1252431</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252992">bsc#1252992</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252993">bsc#1252993</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1253098">bsc#1253098</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1253389">bsc#1253389</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1254395">bsc#1254395</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1254889">bsc#1254889</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1255024">bsc#1255024</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server 16.0</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 16.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that has 18 fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for selinux-policy fixes the following issues:</p>
<p>Changes in selinux-policy:</p>
<p>Update to version 20250627+git345.3965b24b0:</p>
<ul>
<li>Allow 'mysql-systemd-helper upgrade' to work correctly (bsc#1255024)</li>
</ul>
<p>Update to version 20250627+git343.b66ec7135:</p>
<ul>
<li>Allow snapper_tu_etc_plugin_t to connect to machined varlink socket (bsc#1254889)</li>
</ul>
<p>Update to version 20250627+git341.4beeb2d65:</p>
<ul>
<li>Allow virtlogd_t dac_override (bsc#1253389)</li>
<li>Introduce systemd_cryptsetup_generator_var_run_t file type (bsc#1244459)</li>
<li>Allow virtqemud_t to read/write device_t (bsc#1251789)</li>
<li>update support for polkit agent helper (bsc#1251931)</li>
<li>Allow system_mail_t read apache system content conditionally</li>
<li>Allow login_userdomain read lastlog</li>
<li>Allow sshd-net read and write to sshd vsock socket</li>
<li>Update ktls policy</li>
<li>Add comprehensive SELinux policy module for bwrap thumbnail generation</li>
<li>Revert "Allow thumb_t create permission in the user namespace"</li>
<li>Allow systemd-machined read svirt process state</li>
<li>Allow sshd_auth_t getopt/setopt on tcp_socket (bsc#1252992)</li>
<li>Allow sysadm access to TPM</li>
<li>Allow tlp get the attributes of the pidfs filesystem</li>
<li>Allow kmscon to read netlink_kobject_uevent_socket</li>
<li>Allow systemd-ssh-issue read kernel sysctls</li>
<li>fix: bz2279215 Allow speech-dispatcher access to user home/cache files</li>
<li>Allow create kerberos files in postgresql db home</li>
<li>Fix files_delete_boot_symlinks() to contain delete_lnk_files_pattern</li>
<li>Allow shell commands in locate systemd service (bsc#1246559)</li>
<li>Introduce initrc_nnp_daemon_domain interface</li>
<li>Label /var/lib/cosmic-greeter with xdm_var_lib_t</li>
<li>Allow setroubleshoot-fixit get attributes of xattr fs</li>
<li>Allow insights-client manage /etc symlinks</li>
<li>Allow insights-client get attributes of the rpm executable</li>
<li>Allow nfsidmapd search virt lib directories</li>
<li>Allow iotop stream connect to systemd-userdbd</li>
<li>Allow snapper_sdbootutil_plugin_t manage unlabeled_t files,dirs,symlinks (bsc#1252993)</li>
<li>Allow gnome-remote-desktop read sssd public files</li>
<li>Allow thumb_t stream connect to systemd-userdbd</li>
<li>Add auth_nnp_domtrans_chkpwd()</li>
<li>Allow sshd_auth_t getopt/setopt on tcp_socket (bsc#1252992)</li>
<li>Allow bluez dbus API passing unix domain sockets</li>
<li>Allow bluez dbus api pass sockets over dbus</li>
<li>Dontaudit systemd-generator connect to sssd over a unix stream socket</li>
<li>Allow init watch/watch_reads systemd-machined user ptys</li>
<li>Introduce sap_service_transition_to_unconfined_user boolean</li>
<li>allow init to read sap symlinks</li>
<li>
<p>Allow SAP domain to relocate text in all files</p>
</li>
<li>
<p>Fix macros.selinux-policy to allow changing booleans when policy
is not loaded. Previous logic was broken (bsc#1254395)</p>
</li>
</ul>
<p>Update to version 20250627+git293.3432d4834:</p>
<ul>
<li>Allow pcscd_t to search cgroup (bsc#1253098)</li>
<li>Fix syntax error in userdomain.if</li>
<li>Allow nnp_transition for OpenSMTPD (bsc#1252431)</li>
<li>Allow ras-mc-ctl get attributes of the kmod executable</li>
<li>Define file equivalency for /var/opt</li>
<li>Allow virtnodedev_t the perfmon capability</li>
<li>Allow nut_upsdrvctl_t the sys_ptrace capability</li>
<li>Label /usr/lib/systemd/user/graphical-session-pre.target with xdm_unit_file_t</li>
<li>Allow snapper sdbootutil plugin read emmc devices (bsc#1231354)</li>
<li>Allow pcrlock to delete pid entries</li>
<li>Allow systemd_pcrlock_t to manage its pid files</li>
<li>Mark snapper_sdbootutil_plugin_t as permissive</li>
<li>Drop unnamed filetrans, should be done upstream (bsc#1241964)</li>
<li>Label pcrlock pid file correctly (bsc#1241964)</li>
<li>Allow snapper sdbootutil plugin send msg to system bus (bsc#1241964)</li>
<li>snapper takes output from stdout/err, allow pcrlock to write</li>
<li>Add tpm2_getcap permissions to snapper sdbootutil (bsc#1244573)</li>
<li>Allow snapper sdbootutil plugin to read snapper data and conf</li>
<li>Allow snapper sdbootutil plugin to grep /proc/stat (bsc#1241964)</li>
<li>Replace snapper tmp file access for pcrlock (bsc#1241964)</li>
<li>Allow snapper sdbootutil read kernel module dirs (bsc#1241964)</li>
<li>Allow snapper sdbootutil plugin use bootctl (bsc#1241964)</li>
<li>Allow snapper sdbootutil plugin to list and read sysfs (bsc#1241964)</li>
<li>Allow snapper sdbootutil sys_admin (bsc#1241964)</li>
<li>Allow snapper sdbootutils plugin to findmnt (bsc#1241964)</li>
<li>Allow snapper sdbootutil plugin rw tpm (bsc#1233358)</li>
<li>Move manage dos permissions and dontaudit execmem to snapper sdbootutils plugin (bsc#1241964)</li>
<li>Move snapper domtrans to sdbootutil to plugin (bsc#1241964)</li>
<li>Revert snapper access to keys, move to sdbootutils plugin policy (bsc#1241964)</li>
<li>Add initial separate policy for sdbootutil called by snapper (bsc#1233358)</li>
<li>Allow sort in snapper_grub_plugin_t read cpu.max (bsc#1252095)</li>
<li>systemd-sysctl: allow rw on binfmt_misc_fs_t to set binfmt_misc status</li>
<li>Allow cupsd to manage cupsd_rw_etc_t lnk_files</li>
<li>Set temporary no-stub resolv.conf file from NetworkManager as net_conf_t</li>
<li>Allow spamc read aliases file</li>
<li>Mark configfs_t as mountpoint (bsc#1246080)</li>
<li>Allow systemd-machined watch cgroup files</li>
<li>Allow sshd-auth read generic proc files</li>
<li>Allow sshd-auth read and write user domain ptys</li>
<li>Allow logwatch read and write sendmail unix stream sockets</li>
<li>Allow logwatch domain transition on rpm execution</li>
<li>Allow thumb_t mounton its private tmpfs files</li>
<li>Allow thumb_t create permission in the user namespace</li>
<li>Allow corenet_unconfined_type name_bind to icmp_socket</li>
<li>Allow systemd-networkd to manage systemd_networkd_var_lib_t files</li>
<li>Allow sshd-session get attributes of sshd vsock socket</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update, use one of the SUSE-recommended
installation methods, such as YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-154=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-154=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 16.0 (noarch)
<ul>
<li>selinux-policy-sandbox-20250627+git345.3965b24b0-160000.1.1</li>
<li>selinux-policy-targeted-20250627+git345.3965b24b0-160000.1.1</li>
<li>selinux-policy-devel-20250627+git345.3965b24b0-160000.1.1</li>
<li>selinux-policy-20250627+git345.3965b24b0-160000.1.1</li>
<li>selinux-policy-minimum-20250627+git345.3965b24b0-160000.1.1</li>
<li>selinux-policy-doc-20250627+git345.3965b24b0-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch)
<ul>
<li>selinux-policy-sandbox-20250627+git345.3965b24b0-160000.1.1</li>
<li>selinux-policy-targeted-20250627+git345.3965b24b0-160000.1.1</li>
<li>selinux-policy-devel-20250627+git345.3965b24b0-160000.1.1</li>
<li>selinux-policy-20250627+git345.3965b24b0-160000.1.1</li>
<li>selinux-policy-minimum-20250627+git345.3965b24b0-160000.1.1</li>
<li>selinux-policy-doc-20250627+git345.3965b24b0-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1231354">https://bugzilla.suse.com/show_bug.cgi?id=1231354</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1233358">https://bugzilla.suse.com/show_bug.cgi?id=1233358</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1241964">https://bugzilla.suse.com/show_bug.cgi?id=1241964</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244459">https://bugzilla.suse.com/show_bug.cgi?id=1244459</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244573">https://bugzilla.suse.com/show_bug.cgi?id=1244573</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1246080">https://bugzilla.suse.com/show_bug.cgi?id=1246080</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1246559">https://bugzilla.suse.com/show_bug.cgi?id=1246559</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251789">https://bugzilla.suse.com/show_bug.cgi?id=1251789</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251931">https://bugzilla.suse.com/show_bug.cgi?id=1251931</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252095">https://bugzilla.suse.com/show_bug.cgi?id=1252095</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252431">https://bugzilla.suse.com/show_bug.cgi?id=1252431</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252992">https://bugzilla.suse.com/show_bug.cgi?id=1252992</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252993">https://bugzilla.suse.com/show_bug.cgi?id=1252993</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1253098">https://bugzilla.suse.com/show_bug.cgi?id=1253098</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1253389">https://bugzilla.suse.com/show_bug.cgi?id=1253389</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1254395">https://bugzilla.suse.com/show_bug.cgi?id=1254395</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1254889">https://bugzilla.suse.com/show_bug.cgi?id=1254889</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1255024">https://bugzilla.suse.com/show_bug.cgi?id=1255024</a>
</li>
</ul>
</div>