feat: Add SELinux detection and helpful error messages for image build failures (#431)

Copilot · damcilva_microsoft · tobiasb_microsoft · web-flow · commit 533474cdb917 · 2026-02-05T18:14:17.000-08:00
Co-authored-by: damcilva_microsoft &lt;115752616+damcilva_microsoft@users.noreply.github.com&gt;
Co-authored-by: tobiasb_microsoft &lt;115835401+tobiasb_microsoft@users.noreply.github.com&gt;
Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
diff --git a/internal/utils/kiwi/kiwi.go b/internal/utils/kiwi/kiwi.go
@@ -19,6 +19,7 @@ import (
 	"github.com/gim-home/azldev-preview/internal/global/opctx"
 	"github.com/gim-home/azldev-preview/internal/utils/fileutils"
 	"github.com/gim-home/azldev-preview/internal/utils/prereqs"
+	"github.com/opencontainers/selinux/go-selinux"
 )
 
 const (
@@ -277,12 +278,28 @@ func (r *Runner) Build(ctx context.Context) error {
 
 	err = cmd.Run(ctx)
 	if err != nil {
-		return fmt.Errorf("kiwi build failed:\n%w", err)
+		return enhanceKiwiError(err)
 	}
 
 	return nil
 }
 
+// enhanceKiwiError checks if SELinux is enforcing and provides helpful guidance if so.
+func enhanceKiwiError(err error) error {
+	// If SELinux is enforcing, provide helpful guidance
+	if selinux.EnforceMode() == selinux.Enforcing {
+		return fmt.Errorf("kiwi build failed:\n%w\n\n"+
+			"SELinux is in enforcing mode, which may cause permission issues during image builds.\n"+
+			"To work around this, temporarily disable SELinux:\n"+
+			"  sudo setenforce 0\n"+
+			"  azldev image build <image-name>\n"+
+			"  sudo setenforce 1", err)
+	}
+
+	// For other cases, return the original error
+	return fmt.Errorf("kiwi build failed:\n%w", err)
+}
+
 // CheckPrerequisites verifies that required tools are available for running kiwi-ng.
 // This checks for sudo, kiwi, and sgdisk (used by kiwi for disk partitioning).
 func CheckPrerequisites(ctx opctx.Ctx) error {
