[RFE] Enforce SELinux on all Mantle tests

[tormath1]

Current situation

Now the SELinux container policy is about to land on Alpha, let's investigate on the tests with permissive SELinux and see what's missing to switch to enforce mode.

Ideal future situation

All the tests are running with SELinux enforced.

Implementation options

Here's the current list:

• [ ] bpf.execsnoop
• [ ] bpf.local-gadget
• [ ] devcontainer.docker
• [ ] kubeadm.*.flannel.base (https://github.com/flatcar/Flatcar/issues/779 and https://github.com/flatcar/Flatcar/issues/635)
• [ ] cl.misc.nvidia
• [ ] cl.misc.falco (https://github.com/flatcar/Flatcar/issues/783)

Additional information

To proceed:

• enable the enforce mode
• run the test
• grep journalctl for denials (AVC)
• check what's missing and if it can be upstreamed

[pothos]

All the tests are running with SELinux enforced.

I would say: "enforced from Ignition". Currently it's switched on after the instance booted and this is not what users would do, they would rather enable it from Ignition and of course also have this setting persist over reboots. We don't test this currently and while we can catch a few issues, this test setup makes little sense for the real world.

[tormath1]

@pothos correct, as already attempted here: https://github.com/flatcar/mantle/pull/252 but I think we can already solve the remaining tests mentioned above and then see what's missing (relabeling) before enabling tests from Ignition/kargs