fix: Defer to /etc/selinux/config when parameters are not present in azl4

Co-authored-by: Copilot <copilot@github.com>

Author: vinceaperri

toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go

@@ -197,7 +197,7 @@ func (b *BootCustomizer) getSELinuxModeFromCmdline(buildDir string, imageChroot
 	}
 
 	// Get the SELinux mode from the kernel command-line args.
-	selinuxMode, err := getSELinuxModeFromLinuxArgs(args)
+	selinuxMode, err := b.distroHandler.GetSELinuxModeFromLinuxArgs(args)
 	if err != nil {
 		return imagecustomizerapi.SELinuxModeDefault, false, err
 	}

toolkit/tools/pkg/imagecustomizerlib/bootcustomizer_test.go

@@ -185,6 +185,12 @@ func TestBootCustomizerSELinuxMode40(t *testing.T) {
 	err = b.UpdateSELinuxCommandLine(imagecustomizerapi.SELinuxModeDisabled)
 	assert.NoError(t, err)
 
+	// Explicit selinux=0 must read back as Disabled (not Default).
+	selinuxMode, found, err = b.getSELinuxModeFromCmdline("", nil)
+	assert.NoError(t, err)
+	assert.True(t, found)
+	assert.Equal(t, imagecustomizerapi.SELinuxModeDisabled, selinuxMode)
+
 	expectedDefaultGrubFileDiff := `7a8
 > GRUB_CMDLINE_LINUX=" selinux=0 "
 `
@@ -193,6 +199,12 @@ func TestBootCustomizerSELinuxMode40(t *testing.T) {
 	err = b.UpdateSELinuxCommandLine(imagecustomizerapi.SELinuxModePermissive)
 	assert.NoError(t, err)
 
+	// "security=selinux selinux=1" without enforcing=1 means the kernel defers to /etc/selinux/config.
+	selinuxMode, found, err = b.getSELinuxModeFromCmdline("", nil)
+	assert.NoError(t, err)
+	assert.True(t, found)
+	assert.Equal(t, imagecustomizerapi.SELinuxModeDefault, selinuxMode)
+
 	expectedDefaultGrubFileDiff = `7a8
 > GRUB_CMDLINE_LINUX=" security=selinux selinux=1 "
 `
@@ -201,6 +213,12 @@ func TestBootCustomizerSELinuxMode40(t *testing.T) {
 	err = b.UpdateSELinuxCommandLine(imagecustomizerapi.SELinuxModeForceEnforcing)
 	assert.NoError(t, err)
 
+	// enforcing=1 alongside the security/selinux pair locks the mode to enforcing.
+	selinuxMode, found, err = b.getSELinuxModeFromCmdline("", nil)
+	assert.NoError(t, err)
+	assert.True(t, found)
+	assert.Equal(t, imagecustomizerapi.SELinuxModeForceEnforcing, selinuxMode)
+
 	expectedDefaultGrubFileDiff = `7a8
 > GRUB_CMDLINE_LINUX="  security=selinux selinux=1 enforcing=1 "
 `
@@ -290,20 +308,21 @@ func calcDiff(t *testing.T, oldPath string, newContent string) string {
 
 func createBootCustomizerFor20(t *testing.T) *BootCustomizer {
 	return createBootCustomizer(t, filepath.Join(testDir, sampleGrubCfg20Path),
-		filepath.Join(testDir, sampleDefaultGrub20Path), false)
+		filepath.Join(testDir, sampleDefaultGrub20Path), false, newAzureLinuxDistroHandler("2.0"))
 }
 
 func createBootCustomizerFor30(t *testing.T) *BootCustomizer {
 	return createBootCustomizer(t, filepath.Join(testDir, sampleGrubCfg30Path),
-		filepath.Join(testDir, sampleDefaultGrub30Path), true)
+		filepath.Join(testDir, sampleDefaultGrub30Path), true, newAzureLinuxDistroHandler("3.0"))
 }
 
 func createBootCustomizerFor40(t *testing.T) *BootCustomizer {
 	return createBootCustomizer(t, filepath.Join(testDir, sampleGrubCfg40Path),
-		filepath.Join(testDir, sampleDefaultGrub40Path), true)
+		filepath.Join(testDir, sampleDefaultGrub40Path), true, newAzureLinuxDistroHandler("4.0"))
 }
 
 func createBootCustomizer(t *testing.T, sampleGrubCfgPath string, sampleDefaultGrubFilePath string, isGrubMkconfig bool,
+	distroHandler DistroHandler,
 ) *BootCustomizer {
 	sampleGrubCfgContent, err := os.ReadFile(sampleGrubCfgPath)
 	assert.NoError(t, err, "failed to read sample grub.cfg file")
@@ -320,6 +339,7 @@ func createBootCustomizer(t *testing.T, sampleGrubCfgPath string, sampleDefaultG
 		grubCfgContent:         string(sampleGrubCfgContent),
 		defaultGrubFileContent: string(sampleDefaultGrubFileContent),
 		bootConfigType:         bootConfigType,
+		distroHandler:          distroHandler,
 	}
 	return b
 }

toolkit/tools/pkg/imagecustomizerlib/distrohandler.go

@@ -55,6 +55,12 @@ type DistroHandler interface {
 	// Reports whether SELinux configuration is supported by the tool for this distro.
 	SELinuxSupported() bool
 
+	// GetSELinuxModeFromLinuxArgs interprets parsed kernel command-line args and returns the effective SELinux mode
+	// the kernel will boot with. Returns SELinuxModeDefault to indicate the caller should fall back to reading
+	// /etc/selinux/config. Distros differ in how to interpret the absence of any SELinux args (e.g. legacy Azure
+	// Linux 2.0/3.0 treat missing args as Disabled, while Azure Linux 4.0 defer to the config file).
+	GetSELinuxModeFromLinuxArgs(args []grubConfigLinuxArg) (imagecustomizerapi.SELinuxMode, error)
+
 	// ReadGrub2ConfigFile reads the distro-appropriate grub.cfg file from the chroot.
 	ReadGrub2ConfigFile(imageChroot safechroot.ChrootInterface) (string, error)
 

toolkit/tools/pkg/imagecustomizerlib/distrohandler_azurelinux.go

@@ -108,6 +108,19 @@ func (d *azureLinuxDistroHandler) SELinuxSupported() bool {
 	return true
 }
 
+// GetSELinuxModeFromLinuxArgs interprets parsed kernel command-line args.
+// Azure Linux 2.0/3.0 historically treat missing SELinux cmdline args as disabled (their kernels do not honor
+// /etc/selinux/config without cmdline args). Azure Linux 4.0 honors /etc/selinux/config when no SELinux cmdline
+// args are present, so it must defer instead of returning Disabled.
+func (d *azureLinuxDistroHandler) GetSELinuxModeFromLinuxArgs(args []grubConfigLinuxArg,
+) (imagecustomizerapi.SELinuxMode, error) {
+	if d.version == "4.0" {
+		return getSELinuxModeFromLinuxArgsDeferIfMissing(args)
+	}
+
+	return getSELinuxModeFromLinuxArgs(args)
+}
+
 func (d *azureLinuxDistroHandler) ReadGrub2ConfigFile(imageChroot safechroot.ChrootInterface) (string, error) {
 	return readGrub2ConfigFile(imageChroot, installutils.FedoraGrubCfgFile)
 }

toolkit/tools/pkg/imagecustomizerlib/distrohandler_fedora.go

@@ -93,6 +93,11 @@ func (d *fedoraDistroHandler) SELinuxSupported() bool {
 	return true
 }
 
+func (d *fedoraDistroHandler) GetSELinuxModeFromLinuxArgs(args []grubConfigLinuxArg,
+) (imagecustomizerapi.SELinuxMode, error) {
+	return getSELinuxModeFromLinuxArgsDeferIfMissing(args)
+}
+
 func (d *fedoraDistroHandler) ReadGrub2ConfigFile(imageChroot safechroot.ChrootInterface) (string, error) {
 	return readGrub2ConfigFile(imageChroot, installutils.FedoraGrubCfgFile)
 }

toolkit/tools/pkg/imagecustomizerlib/distrohandler_ubuntu.go

@@ -114,6 +114,11 @@ func (d *ubuntuDistroHandler) SELinuxSupported() bool {
 	return false
 }
 
+func (d *ubuntuDistroHandler) GetSELinuxModeFromLinuxArgs(args []grubConfigLinuxArg,
+) (imagecustomizerapi.SELinuxMode, error) {
+	return getSELinuxModeFromLinuxArgsDeferIfMissing(args)
+}
+
 func (d *ubuntuDistroHandler) ReadGrub2ConfigFile(imageChroot safechroot.ChrootInterface) (string, error) {
 	return readGrub2ConfigFile(imageChroot, installutils.DebianGrubCfgFile)
 }

toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go

@@ -762,6 +762,29 @@ func getSELinuxModeFromLinuxArgs(args []grubConfigLinuxArg) (imagecustomizerapi.
 	return imagecustomizerapi.SELinuxModeDefault, nil
 }
 
+// getSELinuxModeFromLinuxArgsDeferIfMissing wraps getSELinuxModeFromLinuxArgs so that absent SELinux cmdline args
+// resolve to SELinuxModeDefault (defer to /etc/selinux/config) rather than SELinuxModeDisabled.
+//
+// Suitable for distros where the kernel honors /etc/selinux/config when no SELinux cmdline args are present
+// (e.g. Azure Linux 4.0, Fedora, Ubuntu). Legacy Azure Linux 2.0/3.0 must keep calling getSELinuxModeFromLinuxArgs
+// directly to preserve their historical "missing args == disabled" behavior.
+func getSELinuxModeFromLinuxArgsDeferIfMissing(args []grubConfigLinuxArg) (imagecustomizerapi.SELinuxMode, error) {
+	mode, err := getSELinuxModeFromLinuxArgs(args)
+	if err != nil || mode != imagecustomizerapi.SELinuxModeDisabled {
+		return mode, err
+	}
+
+	// Distinguish explicit selinux=0 (truly disabled) from missing args (defer to config file).
+	selinuxValue, err := findKernelCommandLineArgValue(args, "selinux")
+	if err != nil {
+		return imagecustomizerapi.SELinuxModeDefault, err
+	}
+	if selinuxValue == "0" {
+		return imagecustomizerapi.SELinuxModeDisabled, nil
+	}
+	return imagecustomizerapi.SELinuxModeDefault, nil
+}
+
 // Gets the SELinux mode set by the /etc/selinux/config file.
 func getSELinuxModeFromConfigFile(imageChroot safechroot.ChrootInterface) (imagecustomizerapi.SELinuxMode, error) {
 	selinuxConfigFilePath := filepath.Join(imageChroot.RootDir(), installutils.SELinuxConfigFile)