RHBA-2025:20110 - Bug Fix Advisory

Topic

An update for selinux-policy is now available for Red Hat Enterprise Linux 10.

Description

For detailed information on changes in this release, see the Red Hat Enterprise Linux 10 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux for x86_64 10 x86_64
• Red Hat Enterprise Linux for IBM z Systems 10 s390x
• Red Hat Enterprise Linux for Power, little endian 10 ppc64le
• Red Hat Enterprise Linux for ARM 64 10 aarch64
• Red Hat CodeReady Linux Builder for x86_64 10 x86_64
• Red Hat CodeReady Linux Builder for Power, little endian 10 ppc64le
• Red Hat CodeReady Linux Builder for ARM 64 10 aarch64
• Red Hat CodeReady Linux Builder for IBM z Systems 10 s390x

Fixes

• RHEL-69450 - Confine the tuned-ppd service
• RHEL-82120 - afterburn.service fails in RHEL-10.0 (RHCOS) with SELinux enabled
• RHEL-83267 - [rhel-10] the switcheroo-control service runs under unconfined_service_t label
• RHEL-82299 - [rhel-10] SELinux prevents chronyc from talking to chronyd-restricted via socket
• RHEL-83921 - [rhel-10] avc: denied { setattr } for pid=6225 comm=cifs.idmap scontext=system_u:system_r:cifs_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
• RHEL-77779 - [rhel-10] the varnish service triggers SELinux denials
• RHEL-85319 - AVC denials happen when start a guest with disk that has data file and backing file
• RHEL-86258 - [rhel-10] SELinux denials appear when NetworkManager executes ping
• RHEL-86528 - [rhel-10] 'journalctl -M tux' fails due to AVC denied
• RHEL-86789 - [rhel-10] AVC generated by "systemd-user-runtime-dir stop 0" service when having directories with various contexts
• RHEL-87372 - bootupctl failed as missing rules
• RHEL-86176 - Selinux: ModemManager AVCs on RHEL10
• RHEL-86588 - bootupctl adopt failed
• RHEL-86678 - var/etc as selinux equivalent path to /etc
• RHEL-86780 - [rhel-10] SELinux denies NetworkManager to kill nft/iptables process
• RHEL-89587 - Ship EPEL related SELinux modules as selinux-policy-epel-* packages
• RHEL-56344 - [rhel-10] tlog lock files can't be created by confined SELinux users
• RHEL-65322 - Start vm with bridge type interface connected to ovs bridge triggers avc denied error
• RHEL-70730 - Resolve build gating failure due to RHEL 10 mass rebuild [mptcpd]
• RHEL-82090 - New policy to allow RHCS using cracklib-check
• RHEL-91602 - [rhel-10] avc: denied { setattr } for pid=12313 comm=key.dns_resolve scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
• RHEL-44628 - [hostdev]AVC denied when hotplugging/unplugging vHBA device to/from vm
• RHEL-44639 - AVC denied when hotplugging scsi lun to vm
• RHEL-87742 - [RHEL-10.1] New SELinux domain required for TDX confidential virtualization "qgs" daemon
• RHEL-95725 - selinux prevents daemon-stop(daemon-init) from create(unlink) to vm.xml.once
• RHEL-98559 - SELinux denies libvirt persistence of mediated device definitions
• RHEL-98656 - selinux-policy denies systemd_cryptsetup_generator_t
• RHEL-54303 - Rebase selinux-policy to the newest one available in Fedora 42
• RHEL-99318 - AVC denials for "allow virtqemud_t insights_core_t:dir search; allow virtqemud_t insights_core_t:file { open read };"
• RHEL-103661 - Resolve minor issues after selinux-policy rebase
• RHEL-104069 - Failed to start vm with encrypted vtpm on latest selinux-policy
• RHEL-76104 - AVC denials appear when starting/destroying a VM with hostdev CD/DVD
• RHEL-104344 - SELinux denials happen when cloning a VM with nvram
• RHEL-104378 - SELinux denials happen when destroying a domain with PCI hostdev
• RHEL-106119 - SELinux prevents nfs-server-generator from writing to /run/systemd/generator/ directory
• RHEL-65266 - Hotplug hostdev device will trigger avc denied error
• RHEL-65383 - AVC denied error when start vm with interface set with "<port isolated='yes'/>"
• RHEL-65037 - AVC denied error when try to allocate hugepages by "# virsh allocpages"
• RHEL-65385 - AVC denied error when macTableManager is set to libvirt in network's setting
• RHEL-70460 - SELinux prevents "alsactl monitor" command from watching /dev/snd/
• RHEL-69118 - [rhel-10] SELinux prevents the rpc-virtqemud from starting a VM which uses nbdkit
• RHEL-110651 - Revert selinux-policy rules to back insights-core policy module [rhel-10]

CVEs

(none)

References

• https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/10.1_release_notes/index