OS Guard: Remove unnecessary SELinux context mapping and enable SELinux and IPE lockout module (#14546)

tardev-snapshotter is not present or used in our linuxguard / osguard
images. So remove SELinux label for it.

Also enable azureci_prod SELinux module to prevent tampering with
SELinux and IPE settings at runtime.

Signed-off-by: Chris Co <[email protected]>

Author: christopherco

toolkit/imageconfigs/files/linuxguard/selinux-ci-uki.semanage

@@ -16,6 +16,5 @@ login -m -s ci_unconfined_u -r 's0' root
 login -m -s ci_unconfined_u -r 's0' __default__
 fcontext -a -f f -t bin_t -r 's0' '/etc/grub\.d/.*'
 fcontext -a -f f -t fsadm_exec_t -r 's0' '/usr/bin/lsblk'
-fcontext -a -f f -t dockerd_exec_t -r 's0' '/usr/bin/tardev-snapshotter'
 fcontext -a -f f -t bin_t -r 's0' '/usr/share/netplan/netplan\.script'
 fcontext -a -e /etc/selinux /usr/etc/selinux

toolkit/imageconfigs/files/osguard/selinux-ci-uki.semanage

@@ -16,6 +16,5 @@ login -m -s ci_unconfined_u -r 's0' root
 login -m -s ci_unconfined_u -r 's0' __default__
 fcontext -a -f f -t bin_t -r 's0' '/etc/grub\.d/.*'
 fcontext -a -f f -t fsadm_exec_t -r 's0' '/usr/bin/lsblk'
-fcontext -a -f f -t dockerd_exec_t -r 's0' '/usr/bin/tardev-snapshotter'
 fcontext -a -f f -t bin_t -r 's0' '/usr/share/netplan/netplan\.script'
 fcontext -a -e /etc/selinux /usr/etc/selinux

toolkit/imageconfigs/scripts/common/selinux-ci-config.py

@@ -30,6 +30,7 @@
     "authlogin",
     "azureci",
     "azureci_deletions",
+    "azureci_prod", # enables SELinux and IPE lockout
     "bootloader",
     "brctl",
     "clock",