
Understanding SELinux policies in AutoSD images


SELinux enforces mandatory access control in AutoSD images, restricting what each process can access at the kernel level. By default, Automotive Image Builder enables SELinux in enforcing mode with the targeted policy. In general, most images require no SELinux manifest configuration beyond the default settings.

Default SELinux configuration

By default, every image built with Automotive Image Builder ships with the following SELinux settings:

  • Mode: enforcing
  • Policy: targeted (AutoSD distributions override this to automotive)
  • Booleans: none set (system defaults apply)

The AIB base default is targeted, but the distro configuration files for AutoSD-based targets set the SELinux policy type to automotive. The automotive policy extends targeted with labels for automotive-specific process types. If the image is built with a QM partition, the QM package is added automatically and provides the labels for nested container isolation inside the QM partition (the qm_t domain). Processes without a specific SELinux type run in the unconfined_t domain.

Manifest-level SELinux options

To adjust SELinux behavior in an OS image, you can configure three options in the AIB manifest under the image section:

  • selinux_mode -- Set to enforcing (default) or permissive. Permissive mode logs policy violations without blocking them, which can be useful during development and testing.
  • selinux_policy -- Specify a custom policy name. The default is targeted.
  • selinux_booleans -- Override individual SELinux boolean values to enable or disable specific policy features.

The following code shows sample values for selinux_mode and selinux_booleans:

image:
  selinux_mode: enforcing
  selinux_booleans:
    container_use_devices: true
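As an added example (not part of the AutoSD documentation or the AIB tool), the following pre-build check validates the three SELinux options above in a manifest that has already been loaded into a dict (for example with yaml.safe_load). It reports a permissive mode, non-boolean values, and a broad boolean such as container_use_devices set to true; the sample manifests are constructed for this example.

```python
"""Lint the SELinux options in an AIB manifest's ``image`` section.

The manifest is assumed to be already loaded into a dict (e.g. with
``yaml.safe_load``); the sample manifests below are constructed.
"""

VALID_MODES = {"enforcing", "permissive"}
# Booleans that noticeably widen access; flag for review when true.
# Only container_use_devices is named on this page; extend as needed.
BROAD_BOOLEANS = {"container_use_devices"}


def check_selinux_settings(manifest: dict) -> list[str]:
    """Return 'error: ...' / 'warning: ...' findings (empty if clean)."""
    findings = []
    image = manifest.get("image") or {}
    if not isinstance(image, dict):
        return ["error: 'image' section is not a mapping"]

    # selinux_mode: absent means enforcing (the AIB default).
    mode = image.get("selinux_mode", "enforcing")
    if not isinstance(mode, str) or mode not in VALID_MODES:
        findings.append(f"error: selinux_mode {mode!r} is not enforcing or permissive")
    elif mode == "permissive":
        findings.append("warning: selinux_mode is permissive; violations are logged, not blocked")

    # selinux_policy: a policy name string (targeted by default).
    policy = image.get("selinux_policy")
    if policy is not None and not isinstance(policy, str):
        findings.append("error: selinux_policy must be a policy name string")

    # selinux_booleans: mapping of boolean name -> true/false.
    booleans = image.get("selinux_booleans") or {}
    if not isinstance(booleans, dict):
        findings.append("error: selinux_booleans must be a mapping")
        return findings
    for name, value in booleans.items():
        if not isinstance(value, bool):
            # Quoted YAML strings such as "yes" are not SELinux booleans.
            findings.append(f"error: selinux_booleans.{name} must be true or false, got {value!r}")
        elif value and name in BROAD_BOOLEANS:
            findings.append(f"warning: selinux_booleans.{name} is true; confirm the image needs it")
    return findings


# Constructed manifests for this example.
SAMPLE_OK = {"image": {"selinux_mode": "enforcing",
                       "selinux_booleans": {"container_use_devices": False}}}
SAMPLE_DEV = {"image": {"selinux_mode": "permissive",
                        "selinux_booleans": {"container_use_devices": "yes"}}}
```

Run it over each manifest before aib build; an empty result means the SELinux settings are the defaults or explicitly enforcing with well-formed booleans.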

For the full manifest option reference, see the SELinux configuration section in Creating a custom manifest.

When to use custom policies

The default targeted policy covers standard system services and container isolation. Use custom SELinux policies when applications require access patterns that the default policy does not permit, for example in the following use cases:

  • IPC between the QM partition and the root partition using Unix domain sockets or named shared memory
  • Applications that access hardware devices from within containers
  • Cross-partition communication channels that need fine-grained access control

For background on how SELinux enforces isolation between the QM partition and the root partition, see Enhancing security for containers with SELinux in the QM partition.

Custom policy workflow overview

Custom SELinux policies extend the base targeted policy with additional types, labels, and access rules for your applications. The workflow uses selcraft, a tool that generates SELinux policy modules from a declarative YAML configuration.

The high-level workflow consists of the following steps:

  1. Define applications, IPC resources, and permissions in a selcraft configuration file.
  2. Run selcraft to generate the policy source and build an installable RPM package.
  3. Host the RPM in a local repository accessible to the build.
  4. Add the repository and policy RPM to the AIB manifest.
  5. Build the image with aib build.

Selcraft generates policy from a declarative configuration rather than requiring you to write raw .te policy source files. The generated policy RPM installs alongside the base targeted policy without replacing it.

For a working example, see the sample code in the demos/custom_selinux_policy/ directory in the sig-docs demos repository.

Enforcing SELinux settings with AIB policies

Automotive Image Builder (AIB) supports a policy system (--policy flag and .aibp.yml policy files) that can enforce SELinux boolean settings across all builds that use the policy. Policy files are useful for production environments where you need to guarantee consistent SELinux configuration.

For the complete policy system documentation, including policy file format, the built-in hardened policy, and policy resolution order, see Understanding AIB build policies.

Next steps

For step-by-step instructions on creating and installing a custom SELinux policy, see Creating custom SELinux policies.