fix: require SELinux Permissive mode for scenario tests (#414)

* Initial plan

* Add SELinux mode check and remove ContainerMountFlagZ

- Created SELinux helper functions in scenario/internal/testhelpers/selinux.go
- Added TestMain to scenario package to check SELinux mode before running tests
- Removed ContainerMountFlagZ from image_customize_test.go that caused issues with SELinux enforcing
- Tests now fail fast with clear error message if SELinux is in enforcing mode

Co-authored-by: tobiasb_microsoft <115835401+tobiasb_microsoft@users.noreply.github.com>

* Fix linting issues in SELinux test

- Changed test package to testhelpers_test for proper separation
- Use require.NoError instead of assert.NoError for error assertions
- Updated references to use qualified names with testhelpers prefix

Co-authored-by: tobiasb_microsoft <115835401+tobiasb_microsoft@users.noreply.github.com>

* Address code review feedback

- Consolidated multiple fmt.Fprintf calls into single call in setup_test.go
- Kept newline before error format specifier per repo coding standards

Co-authored-by: tobiasb_microsoft <115835401+tobiasb_microsoft@users.noreply.github.com>

* Use getenforce command instead of reading file directly

- Use exec.CommandContext with getenforce as primary method
- Fall back to reading /sys/fs/selinux/enforce if getenforce not available
- Leverages system's standard way of determining SELinux status

Co-authored-by: tobiasb_microsoft <115835401+tobiasb_microsoft@users.noreply.github.com>

* Use opencontainers/selinux package for SELinux detection

- Replaced custom implementation with github.com/opencontainers/selinux/go-selinux
- Simplified code by leveraging existing, well-maintained package
- Uses GetEnabled() and EnforceMode() from the package

Co-authored-by: tobiasb_microsoft <115835401+tobiasb_microsoft@users.noreply.github.com>

* Add comments explaining edge cases in SELinux detection

- Clarify that Disabled case is for completeness but shouldn't be reached
- Document that unknown modes are treated as disabled to avoid blocking tests

Co-authored-by: tobiasb_microsoft <115835401+tobiasb_microsoft@users.noreply.github.com>

* Remove redundant GetEnabled() check

- EnforceMode() already returns selinux.Disabled when SELinux is not enabled
- Simplified code by removing unnecessary GetEnabled() call
- Removed obsolete comment about unreachable case

Co-authored-by: tobiasb_microsoft <115835401+tobiasb_microsoft@users.noreply.github.com>

* Remove unused error return from GetSELinuxMode

- Function never returns an error, so simplified signature
- Updated callers to not handle error that can never occur
- Removed unused require import from test

Co-authored-by: tobiasb_microsoft <115835401+tobiasb_microsoft@users.noreply.github.com>

* Remove SELinux helper and use go-selinux APIs directly

- Deleted scenario/internal/testhelpers/selinux.go and selinux_test.go
- Updated setup_test.go to use selinux.EnforceMode() directly
- Simplified by removing wrapper types and using go-selinux constants
- go-selinux package now available for production code use

Co-authored-by: tobiasb_microsoft <115835401+tobiasb_microsoft@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: tobiasb_microsoft <115835401+tobiasb_microsoft@users.noreply.github.com>

Author: Copilot

go.mod

@@ -35,6 +35,7 @@ require (
 	github.com/mattn/go-isatty v0.0.20
 	github.com/muesli/termenv v0.16.0
 	github.com/nxadm/tail v1.4.11
+	github.com/opencontainers/selinux v1.13.1
 	github.com/pelletier/go-toml/v2 v2.2.4
 	github.com/samber/lo v1.52.0
 	github.com/samber/slog-multi v1.7.0
@@ -71,6 +72,7 @@ require (
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
+	github.com/cyphar/filepath-securejoin v0.5.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-connections v0.6.0 // indirect

go.sum

@@ -77,6 +77,8 @@ github.com/creachadair/tomledit v0.0.29/go.mod h1:4SoTXxzHgvzHRMIJPw+o6zK/yXii4V
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
+github.com/cyphar/filepath-securejoin v0.5.1 h1:eYgfMq5yryL4fbWfkLpFFy2ukSELzaJOTaUTuh+oF48=
+github.com/cyphar/filepath-securejoin v0.5.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -219,6 +221,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE=
+github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=

scenario/image_customize_test.go

@@ -113,7 +113,7 @@ fi
 			// Mount the docker socket to allow the container to run docker commands
 			containertest.NewContainerMount("/var/run/docker.sock", "/var/run/docker.sock", nil),
 			// Need to mount /dev to allow device mounting inside the container
-			containertest.NewContainerMount("/dev", "/dev", []containertest.ContainerMountFlag{containertest.ContainerMountFlagZ}),
+			containertest.NewContainerMount("/dev", "/dev", nil),
 			// Mount the output dir so we can see the output of the inner container in the outer container
 			containertest.NewContainerMount(outputDir, outputDir, nil),
 		})

scenario/setup_test.go

@@ -0,0 +1,46 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build scenario
+
+package scenario_tests
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/opencontainers/selinux/go-selinux"
+)
+
+// TestMain is the entry point for all scenario tests.
+// It checks SELinux mode and fails fast if it's in Enforcing mode.
+func TestMain(m *testing.M) {
+	// Check SELinux mode
+	mode := selinux.EnforceMode()
+
+	// Fail fast if SELinux is in Enforcing mode
+	if mode == selinux.Enforcing {
+		fmt.Fprintf(os.Stderr, `Scenario tests require SELinux to be in Permissive mode or disabled.
+Current SELinux mode: Enforcing
+
+To set SELinux to Permissive mode temporarily, run:
+  sudo setenforce 0
+
+To make it permanent, edit /etc/selinux/config and set:
+  SELINUX=permissive
+`)
+		os.Exit(1)
+	}
+
+	// Log the current SELinux mode for informational purposes
+	if mode == selinux.Permissive {
+		fmt.Printf("SELinux is in Permissive mode - tests will run.\n")
+	} else {
+		fmt.Printf("SELinux is disabled - tests will run.\n")
+	}
+
+	// Run the tests
+	os.Exit(m.Run())
+}
+