osbuilder: Create guest image for SELinux

Create a guest image to support SELinux for containers inside the guest if `SELINUX=yes` is specified. This works only if the guest rootfs is CentOS and the init service is systemd, not the agent init. To enable labeling the guest image on the host, selinuxfs must be mounted on the host. The kata-agent will be labeled as `container_runtime_exec_t` type. Fixes: #4812 Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2025-09-16 22:39:01 +00:00 · 2022-08-08 09:42:41 +09:00
parent a9c746f284
commit a75f99d20d
4 changed files with 82 additions and 2 deletions
--- a/tools/osbuilder/scripts/lib.sh
+++ b/tools/osbuilder/scripts/lib.sh
@@ -79,7 +79,23 @@ gpgcheck=1
 gpgkey=file://${CONFIG_DIR}/${GPG_KEY_FILE}
 EOF
 	fi
-
+	if [ "$SELINUX" == "yes" ]; then
+		cat > "${DNF_CONF}" << EOF
+[appstream]
+name=${OS_NAME}-${OS_VERSION} upstream
+releasever=${OS_VERSION}
+EOF
+		echo "metalink=$METALINK_APPSTREAM" >> "$DNF_CONF"
+		if [ -n "$GPG_KEY_URL" ]; then
+			if [ ! -f "${CONFIG_DIR}/${GPG_KEY_FILE}" ]; then
+				curl -L "${GPG_KEY_URL}" -o "${CONFIG_DIR}/${GPG_KEY_FILE}"
+			fi
+			cat >> "${DNF_CONF}" << EOF
+gpgcheck=1
+gpgkey=file://${CONFIG_DIR}/${GPG_KEY_FILE}
+EOF
+		fi
+	fi
 }

 build_rootfs()