diff --git a/toolkit/tools/imagegen/installutils/installutils.go b/toolkit/tools/imagegen/installutils/installutils.go
index 319d24cd931..3435df374ac 100644
--- a/toolkit/tools/imagegen/installutils/installutils.go
+++ b/toolkit/tools/imagegen/installutils/installutils.go
@@ -55,6 +55,9 @@ const (
 	// CmdlineSELinuxEnforcingArg is the arg required for forcing SELinux to be in enforcing mode.
 	CmdlineSELinuxEnforcingArg = "enforcing=1"
 
+	// CmdlineSELinuxPermissiveArg is the arg required for SELinux to be in permissive mode.
+	CmdlineSELinuxPermissiveArg = "enforcing=0"
+
 	// CmdlineSELinuxSettings is the kernel command-line args for enabling SELinux.
 	CmdlineSELinuxSettings = CmdlineSELinuxSecurityArg + " " + CmdlineSELinuxEnabledArg
diff --git a/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go b/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go
index ab7d4ed8b77..ccdf2c7d1b8 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go
@@ -136,6 +136,21 @@ func (b *BootCustomizer) UpdateSELinuxCommandLine(selinuxMode imagecustomizerapi
 	return nil
 }
 
+// Update the image's SELinux kernel command-line args.
+func (b *BootCustomizer) UpdateSELinuxCommandLineWithEnforcingArg(selinuxMode imagecustomizerapi.SELinuxMode) error {
+	newSELinuxArgs, err := selinuxModeToArgsWithEnforcingArg(selinuxMode)
+	if err != nil {
+		return err
+	}
+
+	err = b.UpdateKernelCommandLineArgs(defaultGrubFileVarNameCmdlineForSELinux, selinuxArgNames, newSELinuxArgs)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (b *BootCustomizer) UpdateKernelCommandLineArgs(defaultGrubFileVarName defaultGrubFileVarName, argsToRemove []string,
 	newArgs []string,
 ) error {
diff --git a/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go b/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go
index d02b8ac6c4a..d7b2c316d8e 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go
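Review bot: The doc comment on `CmdlineSELinuxPermissiveArg` copies the wording of the `enforcing=1` constant above it and leaves out what matters about `enforcing=0`: it is a boot-time override that only has effect together with the `security=`/`selinux=1` args carried by `CmdlineSELinuxSettings`, and — if libselinux prefers an explicit `enforcing=` on the kernel command line over the `SELINUX=` value in `/etc/selinux/config`, which I believe it does — it keeps the booted system permissive whatever the config file says. Suggest `// CmdlineSELinuxPermissiveArg makes the kernel start SELinux in permissive mode; it is only meaningful together with CmdlineSELinuxSettings and overrides the mode in /etc/selinux/config.` so callers do not emit it for a mode that is meant to end up enforcing.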
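Review bot: The doc comment on the new method, `// Update the image's SELinux kernel command-line args.`, does not say how it differs from `UpdateSELinuxCommandLine`, whose tail opens the hunk, and does not start with the method name as Go doc comments should. Suggest `// UpdateSELinuxCommandLineWithEnforcingArg is like UpdateSELinuxCommandLine but always writes an explicit enforcing= arg (enforcing=1 for ForceEnforcing, enforcing=0 for Enforcing and Permissive).` — that mapping comes from `selinuxModeToArgsWithEnforcingArg` in the grubcfgutils.go hunk of this same diff. The trailing error check and `return nil` can collapse to `return b.UpdateKernelCommandLineArgs(defaultGrubFileVarNameCmdlineForSELinux, selinuxArgNames, newSELinuxArgs)`.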
+++ b/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go
@@ -591,6 +591,28 @@ func selinuxModeToArgs(selinuxMode imagecustomizerapi.SELinuxMode) ([]string, er
 	return newSELinuxArgs, nil
 }
 
+// Converts an SELinux mode into the list of required command-line args for that mode (with enforcing mode).
+func selinuxModeToArgsWithEnforcingArg(selinuxMode imagecustomizerapi.SELinuxMode) ([]string, error) {
+	newSELinuxArgs := []string(nil)
+	switch selinuxMode {
+	case imagecustomizerapi.SELinuxModeDisabled:
+		newSELinuxArgs = []string{installutils.CmdlineSELinuxDisabledArg}
+
+	case imagecustomizerapi.SELinuxModeForceEnforcing:
+		newSELinuxArgs = []string{installutils.CmdlineSELinuxSecurityArg, installutils.CmdlineSELinuxEnabledArg,
+			installutils.CmdlineSELinuxEnforcingArg}
+
+	case imagecustomizerapi.SELinuxModePermissive, imagecustomizerapi.SELinuxModeEnforcing:
+		newSELinuxArgs = []string{installutils.CmdlineSELinuxSecurityArg, installutils.CmdlineSELinuxEnabledArg,
+			installutils.CmdlineSELinuxPermissiveArg}
+
+	default:
+		return nil, fmt.Errorf("unknown SELinux mode (%s)", selinuxMode)
+	}
+
+	return newSELinuxArgs, nil
+}
+
 // Update the SELinux kernel command-line args.
 func updateSELinuxCommandLineHelperAll(grub2Config string, selinuxMode imagecustomizerapi.SELinuxMode, allowMultiple bool, requireKernelOpts bool) (string, error) {
 	newSELinuxArgs, err := selinuxModeToArgs(selinuxMode)
diff --git a/toolkit/tools/pkg/osmodifierlib/modifierutils.go b/toolkit/tools/pkg/osmodifierlib/modifierutils.go
index 0d787584e28..fe7f05ebfe1 100644
--- a/toolkit/tools/pkg/osmodifierlib/modifierutils.go
+++ b/toolkit/tools/pkg/osmodifierlib/modifierutils.go
@@ -170,7 +170,7 @@ func handleSELinux(selinuxMode imagecustomizerapi.SELinuxMode, bootCustomizer *i
 	logger.Log.Infof("Configuring SELinux mode")
 
-	err = bootCustomizer.UpdateSELinuxCommandLine(selinuxMode)
+	err = bootCustomizer.UpdateSELinuxCommandLineWithEnforcingArg(selinuxMode)
 	if err != nil {
 		return err
 	}
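Review bot: In `selinuxModeToArgsWithEnforcingArg` the combined `SELinuxModePermissive, SELinuxModeEnforcing` case emits `installutils.CmdlineSELinuxPermissiveArg` (`enforcing=0`), so a system whose requested mode is Enforcing gets a command line that boots the kernel permissive; the modifierutils.go hunk below switches `handleSELinux` to this mapping, so that caller is affected too. If libselinux takes an explicit `enforcing=` on the command line in preference to `SELINUX=` in /etc/selinux/config — which I believe it does — the system stays permissive until something calls setenforce, and nothing in this diff removes the arg afterwards. If a one-time permissive boot (for example for a relabel) is the intent, the function comment should say that instead of the vague `(with enforcing mode)`, e.g. `// Like selinuxModeToArgs, but emits an explicit enforcing= arg; Enforcing is deliberately mapped to enforcing=0 so the first boot is permissive.`; if it is not, Enforcing should move to its own case or drop the `enforcing=` arg. Minor: `newSELinuxArgs := []string(nil)` is the idiomatic `var newSELinuxArgs []string`, and since this function appears to mirror `selinuxModeToArgs` except for that one case, a shared helper parameterised on the Enforcing-mode arg would keep the two from drifting.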