Recommended update for container-selinux

Announcement ID: SUSE-RU-2025:1181-1
Release Date: 2025-04-09T07:30:57Z
Rating: moderate
References:
Affected Products:
  • SUSE Linux Enterprise Micro 5.4
  • SUSE Linux Enterprise Micro for Rancher 5.4

An update that has three fixes can now be installed.

Description:

This update for container-selinux fixes the following issues:

  • Update to version 2.236.0:
    • Allow super privileged containers to use RealtimeKit for scheduling
    • Add container_ro_file_t to the podman artifact store
  • Update to version 2.235.0:
    • Bump to v2.235.0
    • container_log{reader,writer}_t: allow watch file
    • RPM: Update gating config
    • Enable aarch64 testing
    • TMT: simplify podman tests
    • feat: support /var/lib/crio
  • Update to version 2.234.2:
    • TMT: enable epel idiomatically
    • Packit: switch back to fedora-all
    • RPM: Bump Epoch to 4
    • rpm: ship manpage
    • Add proper labeling for RamaLama
    • Packit: remove rhel / epel jobs
    • packit: remove unused file
  • Update to version 2.233.0:
    • container_engine_t: small change to allow non root exec in a container
    • RPM: explicitly list ghosted paths and skip mode verification
    • container-selinux install on non selinux-policy-targeted systems (#332)
    • set container_log_t type for /var/log/kube-apiserver
    • Allow kubelet_t to create a sock file kubelet_var_lib_t
    • dontaudit spc_t to mmap_zero
    • Packit: update targets (#330)
    • container_engine_t: another round of small improvements (#327)
    • Allow container_device_plugin_t to use the network (#325)
    • RPM: cleanup changelog (#324)
    • TMT: Simplify tests
  • Update to version 2.232.1:
    • TMT: fix srpm download syntax on rawhide
    • Packit: remove update_release key from downstream jobs (#313)
    • Update container-selinux.8 man page
    • Add ownership of /usr/share/udica (#312)
    • Packit/TMT: upstream maintenance of downstream gating tests
    • extend container_engine_t again
    • Allow spc_t to use localectl
    • Allow spc_t to use timedatectl
    • introduce container_use_xserver_devices boolean to allow GPU access
  • Update to version 2.231.0:
    • Allow container domains to communicate with spc_t unix_stream_sockets
  • Move to %posttrans to ensure selinux-policy got updated before the commands run (bsc#1221720)
  • Manual update to version 2.230.0+git4.a8e389d to include this commit that is needed for the main selinux-policy update to work:
    • Rename all /var/run file context entries to /run
  • Update to version 2.230.0:
    • Move to tar_scm based packaging: added _service and _servicedata
    • Allow containers to unmount file systems
    • Add buildah as a container_runtime_exec_t label
    • Additional rules for container_user_t
    • improve container_engine_t
  • Update to version 2.228:
    • Allow container domains to watch fifo_files
    • container_engine_t: improve for podman in kubernetes case
    • Allow spc_t to transition to install_t domain
    • Default to allowing containers to use dri devices
    • Allow access to BPF Filesystems
    • Fix kubernetes transition rule
    • Label kubensenter as well as kubenswrapper
    • Allow container domains to execute container_runtime_tmpfs_t files
    • Allow container domains to ptrace themselves
    • Allow container domains to use container_runtime_tmpfs_t as an entrypoint
    • Add boolean to allow containers to use dri devices
    • Give containers access to pod resources endpoint
    • Label kubenswrapper kubelet_exec_t
  • Update to version 2.222:
    • Allow containers to read/write inherited dri devices
  • Update to version 2.221:
    • Allow containers to shut down sockets inherited from container runtimes
    • Allow spc_t to use execmod libraries on container file systems
    • Add boolean to allow containers to read all cert files
    • More MLS Policy allow rules
    • Allow container runtimes using pasta bind icmp_socket to port_t
    • Fix spc_t transitions from container_runtime_domain
  • Update to version 2.215.0:
    • Add some MLS rules to policy
    • Allow container runtime to dyntransition to spc_t
    • Tighten controls on confined users
    • Add labels for /var/lib/shared
    • Cleanup entrypoint definitions
    • Allow container_device_plugin_t access to debugfs
    • Allow containers which use devices to map them
  • Update to version 2.211.0:
    • Don't transition to initrc_t domains from spc_t
    • Add tunable to allow sshd_t to launch container engines
    • Allow syslogd_t getattr on inherited runtime tmpfs files
    • Add container_file_t and container_ro_file_t as user_home_type
    • Set default context for local-path-provisioner
    • Allow daemon to send dbus messages to spc_t by
  • Update to version 2.206.0:
    • Allow unconfined domains to transition to container_runtime_t
    • Allow container domains to transition to install_t
    • Allow avirt_sandbox_domain to manage container_file_t types
    • Allow containers to watch sysfs_t directories
    • Allow spc_t to transition to rpm_script_t
    • Smaller permission changes for container_init_t
    • Drop spc.patch; it is now included
  • Update to version 2.198.0:
    • Fix spc_t transition rules on tmpfs_t
    • Changes from 2.197.0:
      • Add boolean containers_use_ecryptfs policy
    • Changes from 2.195.1:
      • Re-add missing allow rules for container_t
    • Changes from 2.194.0:
      • Allow syslogd_t to use tmpfs files created by container runtime
    • Changes from 2.193.0:
      • Allow containers to mount tmpfs_t file systems
      • Label spc_t as an init initrc daemon
      • Allow userdomains to run containers
    • Changes from 2.191.0:
      • Create container_logwriter_t type
    • Changes from 2.190.1:
      • Support BuildKit
      • container.fc: Set label for kata-agent
      • support nerdctl
    • Changes from 2.190.0:
      • Packit: initial enablement
      • Allow iptables to list directories labeled as container_file_t
  • Changes from 2.189.0:
    • Don't audit searching other processes in /proc.
    • Allow privileged containers to use localectl (bsc#1207077)
    • Allow privileged containers to use timedatectl (bsc#1207054)

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Linux Enterprise Micro for Rancher 5.4
    zypper in -t patch SUSE-SLE-Micro-5.4-2025-1181=1
  • SUSE Linux Enterprise Micro 5.4
    zypper in -t patch SUSE-SLE-Micro-5.4-2025-1181=1

Package List:

  • SUSE Linux Enterprise Micro for Rancher 5.4 (noarch)
    • container-selinux-2.236.0-150400.3.3.1
  • SUSE Linux Enterprise Micro 5.4 (noarch)
    • container-selinux-2.236.0-150400.3.3.1
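After patching, the check a practitioner wants is whether the installed package is at least the fixed version listed above. Comparing RPM versions by plain string or float comparison gives wrong answers (2.10 would sort below 2.9, and an epoch bump such as the "RPM: Bump Epoch to 4" entry in the changelog overrides the version entirely). The Python script below is an added example, not code from SUSE or from the container-selinux project: it reimplements rpm's rpmvercmp segment comparison (digit runs compared numerically, letter runs lexically, numeric beats alphabetic, "~" sorts before everything) and checks an epoch:version-release string against 2.236.0-150400.3.3.1. The function names (rpmvercmp, parse_evr, evrcmp, is_fixed) are ours, the sample EVR strings are constructed, and no epoch is assumed for the fixed version because the package list shows none; on a real system the input would come from `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' container-selinux`, which prints "(none)" for an unset epoch.

```python
import re
import string
import sys

# Fixed version taken from the advisory's package list (no epoch listed,
# so epoch 0 is assumed for it).
FIXED_EVR = "2.236.0-150400.3.3.1"

_ALNUM = set(string.ascii_letters + string.digits)
_DIGITS = set(string.digits)


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version (or release) strings like rpm's rpmvercmp.

    Returns 1 if a is newer, -1 if b is newer, 0 if they are equal.
    Separators are ignored; '~' sorts before everything (1.0~rc1 < 1.0).
    """
    if a == b:
        return 0
    i, j = 0, 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is neither ASCII alphanumeric nor '~'.
        while i < len(a) and a[i] not in _ALNUM and a[i] != "~":
            i += 1
        while j < len(b) and b[j] not in _ALNUM and b[j] != "~":
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next all-digit or all-alpha segment from both strings.
        if a[i] in _DIGITS:
            pattern, isnum = r"[0-9]+", True
        else:
            pattern, isnum = r"[A-Za-z]+", False
        seg_a = re.match(pattern, a[i:]).group(0)
        m_b = re.match(pattern, b[j:])
        if m_b is None:
            # Segment types differ: a numeric segment always beats an alphabetic one.
            return 1 if isnum else -1
        seg_b = m_b.group(0)
        i += len(seg_a)
        j += len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits means a bigger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever string still has segments left is the newer one.
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release'; a missing or '(none)' epoch is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Full EVR comparison: epoch dominates, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    return rc if rc else rpmvercmp(ra, rb)


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed EVR is at or above the advisory's fixed EVR."""
    return evrcmp(installed_evr, fixed_evr) >= 0


if __name__ == "__main__":
    # Constructed sample inputs; pass a real EVR string as argv[1] instead.
    samples = sys.argv[1:] or [
        "(none):2.236.0-150400.3.3.1",
        "(none):2.230.0+git4.a8e389d-150400.3.1.1",
        "2.236.0-150400.3.2.1",
    ]
    for evr in samples:
        print(f"{evr:45} fixed={is_fixed(evr)}")
```

Note that the last sample differs from the fixed version only in the release field, which is exactly the kind of difference a naive "version starts with 2.236.0" check would miss.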