- Issued: 2025-11-11
- Updated: 2025-11-11
RHBA-2025:20533 - Bug Fix Advisory
Synopsis
selinux-policy bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
An update for selinux-policy is now available for Red Hat Enterprise Linux 9.
Description
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9 Release Notes linked from the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- RHEL-69526 - Confine the tuned-ppd service
- RHEL-79319 - afterburn.service fails in RHEL-9.6 (RHCOS) with SELinux enabled
- RHEL-82308 - [rhel-9] SELinux prevents chronyc from talking to chronyd-restricted via socket
- RHEL-59145 - AVC generated by "systemd-user-runtime-dir stop 0" service when having directories with various contexts
- RHEL-77995 - [rhel-9] the varnish service triggers SELinux denials
- RHEL-83529 - [rhel-9] SELinux denials appear when NetworkManager executes ping
- RHEL-85379 - [rhel-9] 'journalctl -M tux' fails due to AVC denied
- RHEL-47241 - [rhel-9] tlog lock files can't be created by confined SELinux users
- RHEL-77745 - SELinux policy, preventing PAM stack execution when login executes.
- RHEL-86178 - Selinux: NetworkManager is denied to create temporary keyfile
- RHEL-88045 - SELinux prevents haproxy from mmap-ing /dev/shm/haproxy_startup_logs_* files
- RHEL-93741 - [rhel-9] SELinux denies NetworkManager to kill nft/iptables process
- RHEL-94508 - [c9s] bootupctl adopt get selinux denied logs
- RHEL-87744 - [RHEL-9.7] New SELinux domain required for TDX confidential virtualization "qgs" daemon
- RHEL-95689 - selinux reports avc denied during installation of coreos-installer-bootinfra
- RHEL-100718 - power-profiles-daemon selinux denial
- RHEL-95690 - SELinux prevents systemd_timedated_t to start/stop timemaster_unit_file_t
- RHEL-77101 - In RHEL9 SELinux prevents Postfix tlsproxy from accessing TCP sockets (TLS handshake failure)
- RHEL-110650 - Revert selinux-policy rules to back insights-core policy module [rhel-9]
CVEs
(none)
Note: More recent versions of these packages may be available.
Red Hat Enterprise Linux for x86_64 9
| SRPM | |
|---|---|
| selinux-policy-38.1.65-1.el9.src.rpm | SHA-256: b9e7269bb64eb50dd44133b0f88dfe13728c03655dac8f57e759d11a2cd57264 |
| x86_64 | |
| selinux-policy-38.1.65-1.el9.noarch.rpm | SHA-256: fb9d24fa5770a76e3c15677ec3c74f6910f89ded1d519dc94baedd8ee2db1938 |
| selinux-policy-devel-38.1.65-1.el9.noarch.rpm | SHA-256: 787d435a20fca5125fde9394375a4a5efb91d30d3a28850b53dc1b9b42712044 |
| selinux-policy-doc-38.1.65-1.el9.noarch.rpm | SHA-256: e6eae9bd884cc940cdc44ce00d5219a55e7f70aafba9ad5c2df1300e71fed1af |
| selinux-policy-mls-38.1.65-1.el9.noarch.rpm | SHA-256: 92e48396392ece1b2b0d8f1c645e7a8fcfd7233e3e5a6f65a8811ebd8e20b9c2 |
| selinux-policy-sandbox-38.1.65-1.el9.noarch.rpm | SHA-256: 818dbc490d892939f78fa0a6d828f99c92644cd902b09fbbdb7a3fedb56d57e4 |
| selinux-policy-targeted-38.1.65-1.el9.noarch.rpm | SHA-256: 30e7116093e0a96b5a156c017fc4a975ca0892fbe70ddf4b33eac12dad5965f5 |
Red Hat Enterprise Linux for IBM z Systems 9
| SRPM | |
|---|---|
| selinux-policy-38.1.65-1.el9.src.rpm | SHA-256: b9e7269bb64eb50dd44133b0f88dfe13728c03655dac8f57e759d11a2cd57264 |
| s390x | |
| selinux-policy-38.1.65-1.el9.noarch.rpm | SHA-256: fb9d24fa5770a76e3c15677ec3c74f6910f89ded1d519dc94baedd8ee2db1938 |
| selinux-policy-devel-38.1.65-1.el9.noarch.rpm | SHA-256: 787d435a20fca5125fde9394375a4a5efb91d30d3a28850b53dc1b9b42712044 |
| selinux-policy-doc-38.1.65-1.el9.noarch.rpm | SHA-256: e6eae9bd884cc940cdc44ce00d5219a55e7f70aafba9ad5c2df1300e71fed1af |
| selinux-policy-mls-38.1.65-1.el9.noarch.rpm | SHA-256: 92e48396392ece1b2b0d8f1c645e7a8fcfd7233e3e5a6f65a8811ebd8e20b9c2 |
| selinux-policy-sandbox-38.1.65-1.el9.noarch.rpm | SHA-256: 818dbc490d892939f78fa0a6d828f99c92644cd902b09fbbdb7a3fedb56d57e4 |
| selinux-policy-targeted-38.1.65-1.el9.noarch.rpm | SHA-256: 30e7116093e0a96b5a156c017fc4a975ca0892fbe70ddf4b33eac12dad5965f5 |
Red Hat Enterprise Linux for Power, little endian 9
| SRPM | |
|---|---|
| selinux-policy-38.1.65-1.el9.src.rpm | SHA-256: b9e7269bb64eb50dd44133b0f88dfe13728c03655dac8f57e759d11a2cd57264 |
| ppc64le | |
| selinux-policy-38.1.65-1.el9.noarch.rpm | SHA-256: fb9d24fa5770a76e3c15677ec3c74f6910f89ded1d519dc94baedd8ee2db1938 |
| selinux-policy-devel-38.1.65-1.el9.noarch.rpm | SHA-256: 787d435a20fca5125fde9394375a4a5efb91d30d3a28850b53dc1b9b42712044 |
| selinux-policy-doc-38.1.65-1.el9.noarch.rpm | SHA-256: e6eae9bd884cc940cdc44ce00d5219a55e7f70aafba9ad5c2df1300e71fed1af |
| selinux-policy-mls-38.1.65-1.el9.noarch.rpm | SHA-256: 92e48396392ece1b2b0d8f1c645e7a8fcfd7233e3e5a6f65a8811ebd8e20b9c2 |
| selinux-policy-sandbox-38.1.65-1.el9.noarch.rpm | SHA-256: 818dbc490d892939f78fa0a6d828f99c92644cd902b09fbbdb7a3fedb56d57e4 |
| selinux-policy-targeted-38.1.65-1.el9.noarch.rpm | SHA-256: 30e7116093e0a96b5a156c017fc4a975ca0892fbe70ddf4b33eac12dad5965f5 |
Red Hat Enterprise Linux for ARM 64 9
| SRPM | |
|---|---|
| selinux-policy-38.1.65-1.el9.src.rpm | SHA-256: b9e7269bb64eb50dd44133b0f88dfe13728c03655dac8f57e759d11a2cd57264 |
| aarch64 | |
| selinux-policy-38.1.65-1.el9.noarch.rpm | SHA-256: fb9d24fa5770a76e3c15677ec3c74f6910f89ded1d519dc94baedd8ee2db1938 |
| selinux-policy-devel-38.1.65-1.el9.noarch.rpm | SHA-256: 787d435a20fca5125fde9394375a4a5efb91d30d3a28850b53dc1b9b42712044 |
| selinux-policy-doc-38.1.65-1.el9.noarch.rpm | SHA-256: e6eae9bd884cc940cdc44ce00d5219a55e7f70aafba9ad5c2df1300e71fed1af |
| selinux-policy-mls-38.1.65-1.el9.noarch.rpm | SHA-256: 92e48396392ece1b2b0d8f1c645e7a8fcfd7233e3e5a6f65a8811ebd8e20b9c2 |
| selinux-policy-sandbox-38.1.65-1.el9.noarch.rpm | SHA-256: 818dbc490d892939f78fa0a6d828f99c92644cd902b09fbbdb7a3fedb56d57e4 |
| selinux-policy-targeted-38.1.65-1.el9.noarch.rpm | SHA-256: 30e7116093e0a96b5a156c017fc4a975ca0892fbe70ddf4b33eac12dad5965f5 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.