authorDmitry Vyukov <dvyukov@google.com>2018-09-05 12:50:53 +0200
committerDmitry Vyukov <dvyukov@google.com>2018-09-05 12:50:53 +0200
commit196410e4f5665d4d2bf6c818d06f1c8d03cfa8cc (patch)
tree265ed8521703c1f2faa86db345cb028dd53750e4
parent49312e6d5ef379cce29c1bb583008ac3b163b1ff (diff)
dashboard/config: re-enable selinux
Upstream "selinux: fix mounting of cgroup2 under older policies" commit fixes mounting of cgroup2 under wheezy selinux policy. So don't disable selinux on start. Create separate cmdline arguments that enable selinux and apparmor.
-rw-r--r--dashboard/config/upstream-apparmor.cmdline9
-rw-r--r--dashboard/config/upstream-selinux.cmdline (renamed from dashboard/config/upstream.cmdline)1
-rw-r--r--pkg/build/linux_generated.go1
-rwxr-xr-xtools/create-gce-image.sh3
-rwxr-xr-xtools/create-image.sh1
5 files changed, 10 insertions, 5 deletions
diff --git a/dashboard/config/upstream-apparmor.cmdline b/dashboard/config/upstream-apparmor.cmdline
new file mode 100644
index 000000000..1a85912cb
--- /dev/null
+++ b/dashboard/config/upstream-apparmor.cmdline
@@ -0,0 +1,9 @@
+security=apparmor
+workqueue.watchdog_thresh=140
+kvm-intel.nested=1
+nf-conntrack-ftp.ports=20000
+nf-conntrack-tftp.ports=20000
+nf-conntrack-sip.ports=20000
+nf-conntrack-irc.ports=20000
+nf-conntrack-sane.ports=20000
+nopcid
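Review bot: This new file is a line-for-line copy of upstream-selinux.cmdline with only the `security=` selector differing, so the two are now a maintenance hazard: any future tweak to the watchdog threshold, nested KVM or conntrack port lines has to be mirrored by hand and nothing checks they stay in sync. If the dashboard config format cannot compose cmdline fragments, at least note the coupling in the selinux file's sibling or in the dashboard config that references both, e.g. a comment next to the `cmdline` key such as `# keep upstream-apparmor.cmdline and upstream-selinux.cmdline identical apart from security=`. Also worth recording somewhere visible is that `security=apparmor` only selects the LSM at boot; nothing in this diff installs AppArmor userspace or loads profiles into the image, so presumably the VM runs with the LSM active but unconfined — fine for fuzzing the hook paths, but a reader may assume confinement is in force.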
diff --git a/dashboard/config/upstream.cmdline b/dashboard/config/upstream-selinux.cmdline
index b475f380a..fbfc9f6f9 100644
--- a/dashboard/config/upstream.cmdline
+++ b/dashboard/config/upstream-selinux.cmdline
@@ -1,3 +1,4 @@
+security=selinux
workqueue.watchdog_thresh=140
kvm-intel.nested=1
nf-conntrack-ftp.ports=20000
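Review bot: With `security=selinux` now forced on the command line and the `SELINUX=disabled` write removed from every image script in this commit, the VM's effective SELinux mode is no longer set anywhere visible: it is whatever policy and /etc/selinux/config the debootstrapped image happens to ship, which this diff does not show. If the image carries no policy, SELinux initialises but never loads one; if it does carry the wheezy policy, the kernel must include the upstream cgroup2 fix named in the description or the fuzzer's cgroup2 mount breaks again. Please state the intended mode in the commit message or the dashboard config (and, if denials should not abort fuzzing, consider pinning it explicitly with `enforcing=0` rather than relying on image contents), since a syzkaller operator building an image with an older kernel will not infer this from the cmdline file alone.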
diff --git a/pkg/build/linux_generated.go b/pkg/build/linux_generated.go
index 11a00bba4..14df94954 100644
--- a/pkg/build/linux_generated.go
+++ b/pkg/build/linux_generated.go
@@ -67,7 +67,6 @@ for i in {0..31}; do
echo "KERNEL==\"binder$i\", NAME=\"binder$i\", MODE=\"0666\"" | \
sudo tee -a disk.mnt/etc/udev/50-binder.rules
done
-echo 'SELINUX=disabled' | sudo tee disk.mnt/etc/selinux/config
echo "kernel.printk = 7 4 1 3" | sudo tee -a disk.mnt/etc/sysctl.conf
echo "debug.exception-trace = 0" | sudo tee -a disk.mnt/etc/sysctl.conf
diff --git a/tools/create-gce-image.sh b/tools/create-gce-image.sh
index 177c208ee..0db7fc065 100755
--- a/tools/create-gce-image.sh
+++ b/tools/create-gce-image.sh
@@ -108,9 +108,6 @@ for i in {0..31}; do
echo "KERNEL==\"binder$i\", NAME=\"binder$i\", MODE=\"0666\"" | \
sudo tee -a disk.mnt/etc/udev/50-binder.rules
done
-# We disable selinux for now because the default policy on wheezy prevents
-# mounting of cgroup2 (and stretch we don't know how to configure yet).
-echo 'SELINUX=disabled' | sudo tee disk.mnt/etc/selinux/config
# sysctls
echo "kernel.printk = 7 4 1 3" | sudo tee -a disk.mnt/etc/sysctl.conf
diff --git a/tools/create-image.sh b/tools/create-image.sh
index a0ad610c8..91eb0a133 100755
--- a/tools/create-image.sh
+++ b/tools/create-image.sh
@@ -19,7 +19,6 @@ echo 'T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100' | sudo tee -a $DIR/etc/in
printf '\nauto eth0\niface eth0 inet dhcp\n' | sudo tee -a $DIR/etc/network/interfaces
echo 'debugfs /sys/kernel/debug debugfs defaults 0 0' | sudo tee -a $DIR/etc/fstab
echo 'binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc defaults 0 0' | sudo tee -a $DIR/etc/fstab
-echo 'SELINUX=disabled' | sudo tee $DIR/etc/selinux/config
echo "kernel.printk = 7 4 1 3" | sudo tee -a $DIR/etc/sysctl.conf
echo 'debug.exception-trace = 0' | sudo tee -a $DIR/etc/sysctl.conf
echo "net.core.bpf_jit_enable = 1" | sudo tee -a $DIR/etc/sysctl.conf