Having selinuxfs mounted might confuse some software, as conventional Linux systems do not have selinuxfs mounted when SELinux is disabled and no policy is loaded.
Fixes #10083
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Label mounted filesystems like ephemeral, overlay mounts, as well as data directories (going to become volumes later).
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Fixes #8900
Closes #9687
(contains splitting of late mounts)
The benefits:
* tasks run _before_ controllers are started
* tasks can register `defer` to undo actions
This decomposes sequencer tasks a bit.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Conditionally mount selinuxfs only if it's present.
Fix AppArmor tests, `apparmor` and other minor LSMs, and set
`apparmor=1`.
Signed-off-by: Noel Georgi <git@frezbo.dev>
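The two commits above (not mounting selinuxfs where it would confuse userspace, and mounting it only when the kernel actually provides it) both hinge on one check: does the running kernel list `selinuxfs` in `/proc/filesystems`? The following Go program is an added illustration of that check, written for this page; it is not Talos' own sequencer code. The `MountSpec` type, the `PlanSelinuxfsMount` function and the two `/proc/filesystems` samples are constructed for the example; when run on a Linux host it reads the real `/proc/filesystems`, otherwise it falls back to the constructed sample.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// MountSpec describes one mount an early-boot task would perform.
// Hypothetical type for this example, not a Talos API.
type MountSpec struct {
	Source, Target, FSType string
}

// SelinuxfsSupported parses /proc/filesystems-style content and reports
// whether the kernel was built with SELinux, i.e. whether "selinuxfs" is
// listed. Each line is "[nodev]<tab><fstype>"; the type is the last field,
// so the optional "nodev" marker never has to be special-cased.
func SelinuxfsSupported(procFilesystems string) bool {
	sc := bufio.NewScanner(strings.NewReader(procFilesystems))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if fields[len(fields)-1] == "selinuxfs" {
			return true
		}
	}
	return false
}

// PlanSelinuxfsMount returns the selinuxfs mount to perform, or nil when the
// kernel does not support it. An unconditional mount(2) of an unknown
// filesystem type fails with ENODEV, and a mounted /sys/fs/selinux on a
// system that will never load a policy is what confuses userspace that
// probes that path to decide whether SELinux is enabled.
func PlanSelinuxfsMount(procFilesystems string) *MountSpec {
	if !SelinuxfsSupported(procFilesystems) {
		return nil
	}
	return &MountSpec{Source: "selinuxfs", Target: "/sys/fs/selinux", FSType: "selinuxfs"}
}

// Constructed samples of /proc/filesystems (not captured from a real host).
const (
	ProcFilesystemsWithSELinux = "nodev\tsysfs\nnodev\ttmpfs\nnodev\tproc\nnodev\tselinuxfs\n\text4\n\txfs\n"
	ProcFilesystemsNoSELinux   = "nodev\tsysfs\nnodev\ttmpfs\nnodev\tproc\n\text4\n\txfs\n"
)

func main() {
	data, err := os.ReadFile("/proc/filesystems")
	input := string(data)
	if err != nil {
		// Not on Linux or /proc unavailable: use the constructed sample instead.
		input = ProcFilesystemsWithSELinux
	}
	if spec := PlanSelinuxfsMount(input); spec != nil {
		fmt.Printf("mount -t %s %s %s\n", spec.FSType, spec.Source, spec.Target)
	} else {
		fmt.Println("selinuxfs not supported by this kernel; skipping mount")
	}
}
```

Checking `/proc/filesystems` rather than attempting the mount and ignoring the error keeps the decision explicit and lets the task skip the step (and any later SELinux labeling that depends on it) without masking unrelated mount failures.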
Part of: #9127
Label executables and processes, build, load and manage SELinux policy, enable audit support.
Labeling filesystems, devices and runtime files will be done in further changes, see the full PR.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Re-design some methods, simplify flows and allow more simple
interactions.
Learn from mistakes and design better methods.
Fixes#9471
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>