osbuilder: Create guest image for SELinux

Create a guest image to support SELinux for containers inside the guest if `SELINUX=yes` is specified. This works only if the guest rootfs is CentOS and the init service is systemd, not the agent init. To enable labeling the guest image on the host, selinuxfs must be mounted on the host. The kata-agent will be labeled as `container_runtime_exec_t` type. Fixes: #4812 Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2025-09-12 12:29:11 +00:00 · 2022-08-08 09:42:41 +09:00
parent a9c746f284
commit a75f99d20d
4 changed files with 82 additions and 2 deletions
--- a/tools/osbuilder/rootfs-builder/centos/config.sh
+++ b/tools/osbuilder/rootfs-builder/centos/config.sh
@@ -8,10 +8,15 @@ OS_VERSION=${OS_VERSION:-stream9}
 PACKAGES="chrony iptables"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" systemd"
 [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp"
+[ "$SELINUX" = yes ] && PACKAGES+=" container-selinux"

 # Container registry tag is different from metalink repo, e.g. "stream9" => "9-stream"
 os_repo_version="$(sed -E "s/(stream)(.+)/\2-\1/" <<< "$OS_VERSION")"

 METALINK="https://mirrors.centos.org/metalink?repo=centos-baseos-$os_repo_version&arch=\$basearch"
+if [ "$SELINUX" == yes ]; then
+    # AppStream repository is required for the container-selinux package
+    METALINK_APPSTREAM="https://mirrors.centos.org/metalink?repo=centos-appstream-$os_repo_version&arch=\$basearch"
+fi
 GPG_KEY_FILE=RPM-GPG-KEY-CentOS-Official
 GPG_KEY_URL="https://centos.org/keys/$GPG_KEY_FILE"
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -25,6 +25,7 @@ LIBC=${LIBC:-musl}
 # The kata agent enables seccomp feature.
 # However, it is not enforced by default: you need to enable that in the main configuration file.
 SECCOMP=${SECCOMP:-"yes"}
+SELINUX=${SELINUX:-"no"}

 lib_file="${script_dir}/../scripts/lib.sh"
 source "$lib_file"
@@ -142,6 +143,11 @@ ROOTFS_DIR          Path to the directory that is populated with the rootfs.
 SECCOMP             When set to "no", the kata-agent is built without seccomp capability.
                    Default value: "yes"

+SELINUX             When set to "yes", build the rootfs with the required packages to
+                    enable SELinux in the VM.
+                    Make sure the guest kernel is compiled with SELinux enabled.
+                    Default value: "no"
+
 USE_DOCKER          If set, build the rootfs inside a container (requires
                    Docker).
                    Default value: <not set>
@@ -346,6 +352,15 @@ build_rootfs_distro()

 	echo "Required rust version: $RUST_VERSION"

+	if [ "${SELINUX}" == "yes" ]; then
+		if [ "${AGENT_INIT}" == "yes" ]; then
+			die "Guest SELinux with the agent init is not supported yet"
+		fi
+		if [ "${distro}" != "centos" ]; then
+			die "The guest rootfs must be CentOS to enable guest SELinux"
+		fi
+	fi
+
 	if [ -z "${USE_DOCKER}" ] && [ -z "${USE_PODMAN}" ]; then
 		info "build directly"
 		build_rootfs ${ROOTFS_DIR}
@@ -426,6 +441,7 @@ build_rootfs_distro()
 			--env OS_VERSION="${OS_VERSION}" \
 			--env INSIDE_CONTAINER=1 \
 			--env SECCOMP="${SECCOMP}" \
+			--env SELINUX="${SELINUX}" \
 			--env DEBUG="${DEBUG}" \
 			--env HOME="/root" \
 			-v "${repo_dir}":"/kata-containers" \