Improve apparmor and selinux support.

Signed-off-by: Lantao Liu <lantaol@google.com>

cmd/cri-containerd/cri_containerd.go

@@ -51,9 +51,7 @@ func main() {
 		os.Exit(0)
 	}
 
-	if !o.EnableSelinux {
-		selinux.SetDisabled()
-	}
+	validateConfig(o)
 
 	glog.V(2).Infof("Run cri-containerd grpc server on socket %q", o.SocketPath)
 	s, err := server.NewCRIContainerdService(o.Config)
@@ -68,3 +66,13 @@ func main() {
 		glog.Exitf("Failed to run cri-containerd grpc server: %v", err)
 	}
 }
+
+func validateConfig(o *options.CRIContainerdOptions) {
+	if o.EnableSelinux {
+		if !selinux.GetEnabled() {
+			glog.Warning("Selinux is not supported")
+		}
+	} else {
+		selinux.SetDisabled()
+	}
+}

cmd/cri-containerd/options/options.go

@@ -64,9 +64,6 @@ type Config struct {
 	CgroupPath string `toml:"cgroup_path"`
 	// EnableSelinux indicates to enable the selinux support.
 	EnableSelinux bool `toml:"enable_selinux"`
-	// EnableAppArmor indicates to enable apparmor support. cri-containerd will
-	// apply default apparmor profile if apparmor is enabled.
-	EnableAppArmor bool `toml:"enable_apparmor"`
 	// SandboxImage is the image used by sandbox container.
 	SandboxImage string `toml:"sandbox_image"`
 }
@@ -114,8 +111,6 @@ func (c *CRIContainerdOptions) AddFlags(fs *pflag.FlagSet) {
 		"", "The cgroup that cri-containerd is part of. By default cri-containerd is not placed in a cgroup.")
 	fs.BoolVar(&c.EnableSelinux, "enable-selinux",
 		false, "Enable selinux support.")
-	fs.BoolVar(&c.EnableAppArmor, "enable-apparmor",
-		true, "Enable apparmor support. cri-containerd will apply default apparmor profile when apparmor is enabled.")
 	fs.StringVar(&c.SandboxImage, "sandbox-image",
 		"gcr.io/google_containers/pause:3.0", "The image used by sandbox container.")
 	fs.BoolVar(&c.PrintDefaultConfig, "default-config",