Fix SELinux Mode Detection on No SELinux-Related Boot Params in Azure Linux 3.0+

[vinceaperri]

Since the SELinux LSM is loaded by default on Azure Linux 3.0+, when an image has no SELinux-related arguments specific on the kernel command line, it is expected that Image Customizer would read the SELinux config to determine the mode.

Instead, it treats this state as disabled, causing a cascade of failures, e.g. if any customizations are made that would require setfiles to be run.

This PR is a targeted fix for Azure Linux 3.0+ that accounts for the SELinux LSM being loaded. Behavior for other distributions and versions are unchanged, except Fedora, which we do not fully support, as it is expected that Fedora shares the same behavior of Azure Linux 4.0, which mirrors Fedora closely.

Note: This fix was discovered because Azure Linux 4.0 ships with SELinux enforced but without any SELinux-related arguments, leading to issues with testing.

Validated with new tests:

• TestBootCustomizerSELinuxMode40 (test data matches files shipped in Azure Linux 4.0 Alpha 2)
• TestGetSELinuxModeFromLinuxArgs_AllCombinations

[Copilot]

Pull request overview

This PR adjusts SELinux mode detection so that on newer Azure Linux images where the SELinux LSM is loaded by default, the absence of SELinux-related kernel command-line parameters defers to /etc/selinux/config instead of being treated as “disabled”.

Changes:

• Add distro-specific SELinux cmdline interpretation via DistroHandler.GetSELinuxModeFromLinuxArgs.
• Introduce a helper that treats missing SELinux cmdline args as “Default” (defer to config) for selected distros/versions.
• Add Azure Linux 4.0 boot config testdata and a new test covering the “no SELinux boot params” scenario.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
toolkit/tools/pkg/imagecustomizerlib/testdata/bootcfgtests/4.0-default-grub	Adds AZL 4.0 /etc/default/grub sample without SELinux args for test coverage.
toolkit/tools/pkg/imagecustomizerlib/testdata/bootcfgtests/4.0-grub.cfg	Adds/uses AZL 4.0 grub.cfg test fixture referenced by tests.
toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go	Adds getSELinuxModeFromLinuxArgsDeferIfMissing helper to defer when args are absent.
toolkit/tools/pkg/imagecustomizerlib/distrohandler.go	Extends DistroHandler with GetSELinuxModeFromLinuxArgs for distro/version-specific semantics.
toolkit/tools/pkg/imagecustomizerlib/distrohandler_azurelinux.go	Implements version-specific SELinux cmdline interpretation for Azure Linux.
toolkit/tools/pkg/imagecustomizerlib/distrohandler_fedora.go	Switches Fedora SELinux cmdline interpretation to the new “defer-if-missing” behavior.
toolkit/tools/pkg/imagecustomizerlib/distrohandler_acl.go	Implements the new interface method for ACL handler.
toolkit/tools/pkg/imagecustomizerlib/distrohandler_ubuntu.go	Implements the new interface method for Ubuntu handler.
toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go	Routes SELinux cmdline mode detection through the distro handler.
toolkit/tools/pkg/imagecustomizerlib/bootcustomizer_test.go	Adds AZL 4.0 SELinux-mode test and wires tests to pass a distro handler into BootCustomizer.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.