Remove util/selinux package

The package says:

> the libcontainer SELinux package is only built for Linux, so it is
> necessary to have a NOP wrapper which is built for non-Linux platforms

This is not true, Kubernetes now imports
github.com/opencontainers/selinux/go-selinux and it has proper
multiplatform support (i.e. NOOP on non-Linux platforms).

Removing the whole package and calling go-selinux directly.

pkg/kubelet/cm/devicemanager/manager.go

@@ -28,6 +28,7 @@ import (
 	"time"
 
 	cadvisorapi "github.com/google/cadvisor/info/v1"
+	"github.com/opencontainers/selinux/go-selinux"
 	"google.golang.org/grpc"
 	"k8s.io/klog/v2"
 
@@ -48,7 +49,6 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/metrics"
 	"k8s.io/kubernetes/pkg/kubelet/pluginmanager/cache"
 	schedulerframework "k8s.io/kubernetes/pkg/scheduler/framework"
-	"k8s.io/kubernetes/pkg/util/selinux"
 )
 
 const nodeWithoutTopology = -1
@@ -259,7 +259,7 @@ func (m *ManagerImpl) Start(activePods ActivePodsFunc, sourcesReady config.Sourc
 	if err = os.MkdirAll(m.socketdir, 0750); err != nil {
 		return err
 	}
-	if selinux.SELinuxEnabled() {
+	if selinux.GetEnabled() {
 		if err := selinux.SetFileLabel(m.socketdir, config.KubeletPluginsDirSELinuxLabel); err != nil {
 			klog.InfoS("Unprivileged containerized plugins might not work. Could not set selinux context on socket dir", "path", m.socketdir, "err", err)
 		}

pkg/kubelet/kubelet.go

@@ -32,6 +32,7 @@ import (
 	"sync/atomic"
 	"time"
 
+	"github.com/opencontainers/selinux/go-selinux"
 	"k8s.io/client-go/informers"
 
 	cadvisorapi "github.com/google/cadvisor/info/v1"
@@ -109,7 +110,6 @@ import (
 	"k8s.io/kubernetes/pkg/security/apparmor"
 	sysctlallowlist "k8s.io/kubernetes/pkg/security/podsecuritypolicy/sysctl"
 	"k8s.io/kubernetes/pkg/util/oom"
-	"k8s.io/kubernetes/pkg/util/selinux"
 	"k8s.io/kubernetes/pkg/volume"
 	"k8s.io/kubernetes/pkg/volume/csi"
 	"k8s.io/kubernetes/pkg/volume/util/hostutil"
@@ -1265,7 +1265,7 @@ func (kl *Kubelet) setupDataDirs() error {
 	if err := os.MkdirAll(kl.getPodResourcesDir(), 0750); err != nil {
 		return fmt.Errorf("error creating podresources directory: %v", err)
 	}
-	if selinux.SELinuxEnabled() {
+	if selinux.GetEnabled() {
 		err := selinux.SetFileLabel(pluginRegistrationDir, config.KubeletPluginsDirSELinuxLabel)
 		if err != nil {
 			klog.InfoS("Unprivileged containerized plugins might not work, could not set selinux context on plugin registration dir", "path", pluginRegistrationDir, "err", err)

pkg/kubelet/kuberuntime/kuberuntime_container.go

@@ -34,6 +34,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/opencontainers/selinux/go-selinux"
 	grpcstatus "google.golang.org/grpc/status"
 
 	"github.com/armon/circbuf"
@@ -51,7 +52,6 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/events"
 	"k8s.io/kubernetes/pkg/kubelet/types"
 	"k8s.io/kubernetes/pkg/kubelet/util/format"
-	"k8s.io/kubernetes/pkg/util/selinux"
 	"k8s.io/kubernetes/pkg/util/tail"
 	volumeutil "k8s.io/kubernetes/pkg/volume/util"
 )
@@ -378,7 +378,7 @@ func (m *kubeGenericRuntimeManager) makeMounts(opts *kubecontainer.RunContainerO
 
 	for idx := range opts.Mounts {
 		v := opts.Mounts[idx]
-		selinuxRelabel := v.SELinuxRelabel && selinux.SELinuxEnabled()
+		selinuxRelabel := v.SELinuxRelabel && selinux.GetEnabled()
 		mount := &runtimeapi.Mount{
 			HostPath:       v.HostPath,
 			ContainerPath:  v.ContainerPath,
@@ -418,7 +418,7 @@ func (m *kubeGenericRuntimeManager) makeMounts(opts *kubecontainer.RunContainerO
 			// Volume Mounts fail on Windows if it is not of the form C:/
 			containerLogPath = volumeutil.MakeAbsolutePath(goruntime.GOOS, containerLogPath)
 			terminationMessagePath := volumeutil.MakeAbsolutePath(goruntime.GOOS, container.TerminationMessagePath)
-			selinuxRelabel := selinux.SELinuxEnabled()
+			selinuxRelabel := selinux.GetEnabled()
 			volumeMounts = append(volumeMounts, &runtimeapi.Mount{
 				HostPath:       containerLogPath,
 				ContainerPath:  terminationMessagePath,

pkg/util/selinux/doc.go

@@ -1,19 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package selinux contains wrapper functions for the libcontainer SELinux
-// package.  A NOP implementation is provided for non-linux platforms.
-package selinux // import "k8s.io/kubernetes/pkg/util/selinux"

pkg/util/selinux/selinux.go

@@ -1,39 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package selinux
-
-// Note: the libcontainer SELinux package is only built for Linux, so it is
-// necessary to have a NOP wrapper which is built for non-Linux platforms to
-// allow code that links to this package not to differentiate its own methods
-// for Linux and non-Linux platforms.
-//
-// SELinuxRunner wraps certain libcontainer SELinux calls. For more
-// information, see:
-//
-// https://github.com/opencontainers/runc/blob/master/libcontainer/selinux/selinux.go
-type SELinuxRunner interface {
-	// Getfilecon returns the SELinux context for the given path or returns an
-	// error.
-	Getfilecon(path string) (string, error)
-}
-
-// NewSELinuxRunner returns a new SELinuxRunner appropriate for the platform.
-// On Linux, all methods short-circuit and return NOP values if SELinux is
-// disabled. On non-Linux platforms, a NOP implementation is returned.
-func NewSELinuxRunner() SELinuxRunner {
-	return &realSELinuxRunner{}
-}

pkg/util/selinux/selinux_linux.go

@@ -1,58 +0,0 @@
-//go:build linux
-// +build linux
-
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package selinux
-
-import (
-	selinux "github.com/opencontainers/selinux/go-selinux"
-)
-
-// SELinuxEnabled returns whether SELinux is enabled on the system.  SELinux
-// has a tri-state:
-//
-// 1.  disabled: SELinux Kernel modules not loaded, SELinux policy is not
-//     checked during Kernel MAC checks
-// 2.  enforcing: Enabled; SELinux policy violations are denied and logged
-//     in the audit log
-// 3.  permissive: Enabled, but SELinux policy violations are permitted and
-//     logged in the audit log
-//
-// SELinuxEnabled returns true if SELinux is enforcing or permissive, and
-// false if it is disabled.
-func SELinuxEnabled() bool {
-	return selinux.GetEnabled()
-}
-
-// realSELinuxRunner is the real implementation of SELinuxRunner interface for
-// Linux.
-type realSELinuxRunner struct{}
-
-var _ SELinuxRunner = &realSELinuxRunner{}
-
-func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {
-	if !SELinuxEnabled() {
-		return "", nil
-	}
-	return selinux.FileLabel(path)
-}
-
-// SetFileLabel applies the SELinux label on the path or returns an error.
-func SetFileLabel(path string, label string) error {
-	return selinux.SetFileLabel(path, label)
-}

pkg/util/selinux/selinux_unsupported.go

@@ -1,39 +0,0 @@
-//go:build !linux
-// +build !linux
-
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package selinux
-
-// SELinuxEnabled always returns false on non-linux platforms.
-func SELinuxEnabled() bool {
-	return false
-}
-
-// realSELinuxRunner is the NOP implementation of the SELinuxRunner interface.
-type realSELinuxRunner struct{}
-
-var _ SELinuxRunner = &realSELinuxRunner{}
-
-func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {
-	return "", nil
-}
-
-// FileLabel returns the SELinux label for this path or returns an error.
-func SetFileLabel(path string, label string) error {
-	return nil
-}

pkg/volume/util/hostutil/hostutil_linux.go

@@ -27,9 +27,9 @@ import (
 	"strings"
 	"syscall"
 
+	"github.com/opencontainers/selinux/go-selinux"
 	"golang.org/x/sys/unix"
 	"k8s.io/klog/v2"
-	"k8s.io/kubernetes/pkg/util/selinux"
 	"k8s.io/mount-utils"
 	utilpath "k8s.io/utils/path"
 )
@@ -263,7 +263,7 @@ func GetSELinux(path string, mountInfoFilename string, selinuxEnabled seLinuxEna
 // GetSELinuxSupport returns true if given path is on a mount that supports
 // SELinux.
 func (hu *HostUtil) GetSELinuxSupport(pathname string) (bool, error) {
-	return GetSELinux(pathname, procMountInfoPath, selinux.SELinuxEnabled)
+	return GetSELinux(pathname, procMountInfoPath, selinux.GetEnabled)
 }
 
 // GetOwner returns the integer ID for the user and group of the given path