Remove unused files and cleanup (#14435)

Author: jiria

toolkit/imageconfigs/files/linuxguard/99-dhcp-eth0.network

@@ -15,10 +15,7 @@ boolean -m -1 init_mounton_non_security
 login -m -s ci_unconfined_u -r 's0' root
 login -m -s ci_unconfined_u -r 's0' __default__
 fcontext -a -f f -t bin_t -r 's0' '/etc/grub\.d/.*'
-fcontext -a -f d -t root_t -r 's0' '/overlays'
-fcontext -a -f d -t lost_found_t -r 's0' '/overlays/lost\+found'
 fcontext -a -f f -t fsadm_exec_t -r 's0' '/usr/bin/lsblk'
 fcontext -a -f f -t dockerd_exec_t -r 's0' '/usr/bin/tardev-snapshotter'
 fcontext -a -f f -t bin_t -r 's0' '/usr/share/netplan/netplan\.script'
-fcontext -a -e / /rw
 fcontext -a -e /etc/selinux /usr/etc/selinux

toolkit/imageconfigs/files/linuxguard/no-password-prompt-on-sudo

@@ -164,8 +164,6 @@ os:
     # SELinux customizations
     - source: files/linuxguard/selinux-ci-uki.semanage
       destination: /etc/selinux/targeted/selinux-ci.semanage
-    - source: files/linuxguard/99-dhcp-eth0.network
-      destination: /etc/systemd/network/99-dhcp-eth0.network
     # Cloud-init configuration
     - source: files/linuxguard/cloud.cfg
       destination: /etc/cloud/cloud.cfg
@@ -182,9 +180,9 @@ scripts:
     - path: scripts/linuxguard/performance-tuning.sh
     # Config AzureLinuxagent
     - path: scripts/linuxguard/azlinuxagentconfig.sh
-    - path: scripts/linuxguard/duid-type-to-link-layer.sh
     # Disable unused SELinux policy modules and configure SELinux policy for CI
-    - path: scripts/linuxguard/selinux-ci-config.sh
+    - path: scripts/linuxguard/selinux-ci-config.py
+      interpreter: /usr/bin/python3
     - path: scripts/linuxguard/cleanup-machineid.sh
     - path: scripts/linuxguard/prepare_trusted_cni_plugins.sh
     - path: scripts/linuxguard/tmp-no-exec.sh

toolkit/imageconfigs/files/linuxguard/selinux-ci-uki.semanage

@@ -3,12 +3,6 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
-sha_keys_dir="/etc/ssh"
-echo "Updating AzureLinuxAgent config"
-sed -i "/OS.SshDir/c\OS.SshDir=${sha_keys_dir}" /etc/waagent.conf
-if ! grep -q "OS.SshDir" /etc/waagent.conf; then
-    sed -i "$ a OS.SshDir=${sha_keys_dir}" /etc/waagent.conf
-fi
 sed -i "/AutoUpdate.Enabled/d" /etc/waagent.conf
 sed -i "/AutoUpdate.UpdateToLatestVersion=y/c\AutoUpdate.UpdateToLatestVersion=n" /etc/waagent.conf
 if ! grep -q "AutoUpdate.UpdateToLatestVersion=n" /etc/waagent.conf; then

toolkit/imageconfigs/files/linuxguard/sshd-keygen.service

@@ -1,27 +1,29 @@
-#!/bin/bash
+#!/usr/bin/python3
 
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
-set -eux
+import os
+from semanage import (
+    semanage_module_key_create,
+    semanage_module_key_set_name,
+    semanage_module_set_enabled,
+)
+import seobject
+import shutil
+import subprocess
 
 # import SELinux policy CI customizations.  This is installed by MIC
-semanage import -f /etc/selinux/targeted/selinux-ci.semanage
-
-# MIC expects customization scripts to be bash scripts.
-python_script=$(cat << EOF
-#!/usr/bin/python3
+subprocess.run(
+    ["semanage", "import", "-f", "/etc/selinux/targeted/selinux-ci.semanage"],
+    check=True,
+)
 
 #
 # Module disabling done by script instead of 'semanage import' so new
 # modules are disabled by default
 #
 
-from semanage import (semanage_module_key_create,
-                      semanage_module_key_set_name,
-                      semanage_module_set_enabled)
-import seobject
-
 ENABLED_MODULES: set[str] = {
     "base",
     "application",
@@ -39,14 +41,14 @@
     "chronyd",
     "dbus",
     "dmesg",
-    "docker", # handles docker and containerd
+    "docker",  # handles docker and containerd
     "fstools",
     "getty",
     "gpg",
     "hostname",
     "hotfix",
     "hypervkvp",
-    "init", # systemd
+    "init",  # systemd
     "iptables",
     "irqbalance",
     "kerberos",
@@ -56,7 +58,7 @@
     "logging",
     "libraries",
     "logrotate",
-    "lvm", # includes dm, cryptsetup, etc.
+    "lvm",  # includes dm, cryptsetup, etc.
     "miscfiles",
     "modutils",
     "mount",
@@ -66,7 +68,7 @@
     "ntp",
     "oddjob",
     "openvswitch",
-    "podman", # there is a hard dependency for this in crio
+    "podman",  # there is a hard dependency for this in crio
     "policykit",
     "qemu",
     "rdisc",
@@ -90,7 +92,7 @@
     "usermanage",
     "uuidd",
     "virt",
-    "xdg", # required by systemd
+    "xdg",  # required by systemd
 }
 
 records = seobject.moduleRecords()
@@ -123,15 +125,10 @@
     semanage_module_set_enabled(handle, key, 1)
 
 records.commit()
-EOF
-)
-
-/usr/bin/python3 -c "$python_script"
 
 # Move policy to /usr
-if [ ! -d /usr/etc/selinux ]; then
-    mkdir -p /usr/etc
-    mv /etc/selinux /usr/etc/selinux
+if not os.path.isdir("/usr/etc/selinux"):
+    os.makedirs("/usr/etc", exist_ok=True)
+    shutil.move("/etc/selinux", "/usr/etc/selinux")
     # add backwards compatibility for /etc/selinux
-    ln -sf ../usr/etc/selinux /etc/selinux
-fi
+    os.symlink("../usr/etc/selinux", "/etc/selinux")