From 71cfc5da29bf8fcbc66c23e3a88ef6499d32b3be Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 26 Oct 2025 15:33:36 +0200 Subject: [PATCH 1/4] Configure package_libselinux for sle16 platform --- .../guide/system/selinux/package_libselinux_installed/rule.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml index 1d0fcaf7fc2..a4b9dcfe3de 100644 --- a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml +++ b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml @@ -29,3 +29,4 @@ template: vars: pkgname: libselinux pkgname@sle15: libselinux1 + pkgname@sle16: libselinux1 From a1405925064dd2504b9a7a49b6c91877e35444d2 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 26 Oct 2025 15:34:40 +0200 Subject: [PATCH 2/4] Fix login_defs path for sle16 --- product_properties/10-login-defs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/product_properties/10-login-defs.yml b/product_properties/10-login-defs.yml index a9643fe5a99..0ba95753f76 100644 --- a/product_properties/10-login-defs.yml +++ b/product_properties/10-login-defs.yml @@ -2,6 +2,6 @@ default: login_defs_path: "/etc/login.defs" overrides: -{{% if product == 'slmicro6' %}} +{{% if product in [ 'slmicro6', 'sle16' ] %}} login_defs_path: "/usr/etc/login.defs" {{% endif %}} From 414cc3ff2dce5afc9f726be4ada9d2dc29ffff56 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 26 Oct 2025 15:36:38 +0200 Subject: [PATCH 3/4] Fix/enable grub2 arguments macros for sle16 --- shared/macros/10-ansible.jinja | 14 +++++++------- shared/macros/10-bash.jinja | 10 +++++----- 2 files changed, 12 insertions(+), 12 deletions(-) 
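Review bot: In product_properties/10-login-defs.yml the override now points every sle16 rule that uses `login_defs_path` at `/usr/etc/login.defs` alone. If sle16 layers its configuration the way that path suggests (vendor defaults under /usr/etc, administrator overrides under /etc), a local `/etc/login.defs` would take precedence, and checks or remediations working on this single path could report or edit values that are not the effective ones. That is worth confirming on a sle16 install and recording in a comment above the condition, for example `# sle16 ships vendor defaults in /usr/etc; confirm whether /etc/login.defs overrides must also be evaluated`. As a style point, the new list is written `[ 'slmicro6', 'sle16' ]` with inner spaces, while the product lists elsewhere in this series use the form `['sle12', 'sle15', 'sle16']`.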
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index cfd87ef9046..beec9a0be5f 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -1501,7 +1501,7 @@ Part of the grub2_bootloader_argument template. #}} {{%- macro ansible_grub2_bootloader_argument(arg_name, arg_name_value, arg_variable) -%}} -{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15', 'slmicro5'] %}} +{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15', 'sle16', 'slmicro5'] %}} - name: Check {{{ arg_name }}} argument exists ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=' /etc/default/grub check_mode: False @@ -1541,7 +1541,7 @@ Part of the grub2_bootloader_argument template. {{% endif -%}} -{{% if product in ['sle12', 'sle15', 'slmicro5'] %}} +{{% if product in ['sle12', 'sle15', 'sle16', 'slmicro5'] %}} - name: Update grub defaults and the bootloader menu ansible.builtin.command: /usr/sbin/grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg {{% elif 'debian' in product %}} @@ -1580,9 +1580,9 @@ Part of the grub2_bootloader_argument_absent template. #}} {{%- macro ansible_grub2_bootloader_argument_absent(arg_name) -%}} -{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15'] %}} +{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15', 'sle16'] %}} - name: Check {{{ arg_name }}} argument exists - ansible.builtin.command: grep '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' /etc/default/grub + ansible.builtin.command: grep -E '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=?.*"' /etc/default/grub check_mode: False failed_when: False changed_when: False 
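Review bot: In the `@@ -1580,9` hunk the new pattern `{{{ arg_name }}}=?.*"` makes the `=` optional but follows it with `.*`, so `=?` adds no constraint and the check succeeds whenever `arg_name` occurs anywhere in the GRUB_CMDLINE_LINUX line, including inside a longer parameter name or inside another parameter's value. The replace task in the next hunk appears to be gated on this result (`argcheck.rc == 0`), so an unrelated boot parameter can end up rewritten. Delimiting the name on both sides closes this, for example `grep -E '^GRUB_CMDLINE_LINUX=.*[[:space:]"]{{{ arg_name }}}(=[^[:space:]"]*)?[[:space:]"]' /etc/default/grub`. The same pattern is introduced in `update_etc_default_grub_manually_absent` in shared/macros/10-bash.jinja (hunk `@@ -1985,7`), where the unchanged `sed` expression would need the matching boundary. The macro body continues beyond this hunk.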
@@ -1591,13 +1591,13 @@ Part of the grub2_bootloader_argument_absent template. - name: Replace existing {{{ arg_name }}} argument ansible.builtin.replace: path: /etc/default/grub - regexp: '\(^GRUB_CMDLINE_LINUX=".*\){{{ arg_name }}}=?[^[:space:]]*\(.*"\)' - replace: '\1 \2' + regexp: (^GRUB_CMDLINE_LINUX=\".*){{{ arg_name }}}(\s|=[0-9a-zA-Z]+)?(.*\") + replace: '\1 \3' when: argcheck is not skipped and argcheck.rc == 0 {{% endif -%}} -{{% if product in ['sle12', 'sle15'] %}} +{{% if product in ['sle12', 'sle15', 'sle16'] %}} - name: Update grub defaults and the bootloader menu ansible.builtin.command: /usr/sbin/grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg {{% elif 'debian' in product %}} diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index d164843c117..18e8db8d697 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1969,7 +1969,7 @@ Part of the grub2_bootloader_argument template. #}} {{% macro grub2_bootloader_argument_remediation(arg_name, arg_name_value) %}} -{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15', 'slmicro5'] %}} +{{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15', 'sle16', 'slmicro5'] %}} {{{ update_etc_default_grub_manually(arg_name, arg_name_value) }}} {{% endif -%}} {{{ grub_command("add", arg_name_value) }}} @@ -1985,7 +1985,7 @@ Part of the grub2_bootloader_argument template. #}} {{%- macro update_etc_default_grub_manually_absent(arg_name) -%}} # Correct the form of default kernel command line in GRUB -if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' '/etc/default/grub' ; then +if grep -q -E '^GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=?.*"' '/etc/default/grub' ; then sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ arg_name }}}=\?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' fi {{%- endmacro %}} 
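Review bot: The new value class in `regexp:` (hunk `@@ -1591,13`), `(\s|=[0-9a-zA-Z]+)?`, stops at the first character that is not a letter or digit, so a value containing `,`, `.`, `-`, `_` or `:` is only partly removed and its tail stays on the kernel command line after `\1 \3`. The bash counterpart in 10-bash.jinja consumes the whole token with `[^[:space:]]*`, so the two remediations now give different results for the same input, and a hardening rule can be reported as remediated while a fragment of the argument is still present. Matching the full value and quoting the scalar keeps them aligned: `regexp: '(^GRUB_CMDLINE_LINUX=".*){{{ arg_name }}}(=[^\s"]*)?(.*")'`. The macro starts before this hunk and continues after it.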
@@ -2000,7 +2000,7 @@ Part of the grub2_bootloader_argument_absent template. #}} {{% macro grub2_bootloader_argument_absent_remediation(arg_name) %}} -{{% if 'ubuntu' in product or product in ['ol7', 'sle12', 'sle15', 'slmicro5'] %}} +{{% if 'ubuntu' in product or product in ['ol7', 'sle12', 'sle15', 'sle16', 'slmicro5'] %}} {{{ update_etc_default_grub_manually_absent(arg_name) }}} {{% endif -%}} {{{ grub_command("remove", arg_name) }}} @@ -2285,11 +2285,11 @@ for f in $(echo -n "{{{ files }}}"); do # find key in section and change value if grep -qzosP "[[:space:]]*\[{{{ section }}}\]([^\n\[]*\n+)+?[[:space:]]*{{{ key }}}" "$f"; then if ! grep -qPz "{{{ key }}}={{{ value }}}" "$f"; then -{{% if no_quotes %}} +{{% if no_quotes %}} sed -i "s/{{{ key }}}[^(\n)]*/{{{ key }}}={{{ value | replace("/", "\/") }}}/" "$f" {{% else %}} sed -i 's/{{{ key }}}[^(\n)]*/{{{ key }}}="{{{ value | replace("/", "\/") }}}"/' "$f" -{{% endif %}} +{{% endif %}} fi found=true From ce8d261156d44576c434a100b62fbb0c84f491f7 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 26 Oct 2025 15:38:45 +0200 Subject: [PATCH 4/4] Enable grub2 and libselinux rules for sle16 base profile --- products/sle16/profiles/base.profile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/products/sle16/profiles/base.profile b/products/sle16/profiles/base.profile index 1d6c2bcfd35..0db9a87de0f 100644 --- a/products/sle16/profiles/base.profile +++ b/products/sle16/profiles/base.profile @@ -17,3 +17,8 @@ description: |- selections: - base_sle16:all + - package_libselinux_installed + - no_shelllogin_for_systemaccounts + - grub2_spectre_v2_argument + - grub2_nosmep_argument_absent + - grub2_audit_argument
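Review bot: The added selection `no_shelllogin_for_systemaccounts` in products/sle16/profiles/base.profile is not covered by the commit subject, which names only the grub2 and libselinux rules; it appears to depend on the login.defs path change from patch 2/4. Mentioning it in the subject, or moving it into its own commit, would let the history show why it was enabled. Whether `base_sle16:all` already pulls in any of these five rules cannot be seen from this hunk, so it is worth checking that the explicit entries are not duplicates.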