Update sebool template for bootable containers

docs/templates/template_reference.md

@@ -699,7 +699,7 @@ When the remediation is applied duplicate occurrences of `key` are removed.
         `var_selinuxuser_execheap` to turn on or off the SELinux
         boolean.
 
--   Languages: Ansible, Bash, OVAL
+-   Languages: Ansible, Bash, OVAL, SCE
 
 #### service_disabled
 -   Checks if a service is disabled. Uses either systemd or SysV init

shared/templates/sebool/bash.template

@@ -16,12 +16,18 @@
 {{{ bash_package_install("libsemanage-python") }}}
 {{% endif %}}
 
+if {{{ bash_bootc_build() }}} ; then
+    # In a container build environment setsebool generates many
+    # harmless warnings which can be ignored.
+    redirect_stderr="2>/dev/null"
+fi
+
 if selinuxenabled; then
 {{% if SEBOOL_BOOL %}}
-    setsebool -P {{{ SEBOOLID }}} {{{ SEBOOL_BOOL }}}
+    setsebool -P {{{ SEBOOLID }}} {{{ SEBOOL_BOOL }}} $redirect_stderr
 {{% else %}}
     {{{ bash_instantiate_variables("var_" + SEBOOLID) }}}
-    setsebool -P {{{ SEBOOLID }}} $var_{{{ SEBOOLID }}}
+    setsebool -P {{{ SEBOOLID }}} $var_{{{ SEBOOLID }}} $redirect_stderr
 {{% endif %}}
 else
     echo "Skipping remediation, SELinux is disabled";

shared/templates/sebool/sce-bash.template

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+# check-import = stdout
+{{% if not SEBOOL_BOOL %}}
+# check-export = var_{{{ SEBOOLID }}}=var_{{{ SEBOOLID }}}
+{{% endif %}}
+
+{{% if SEBOOL_BOOL -%}}
+expected_value="{{{ SEBOOL_BOOL }}}"
+{{%- else -%}}
+expected_value="$XCCDF_VALUE_var_{{{ SEBOOLID }}}"
+{{%- endif %}}
+
+seinfo -xb {{{ SEBOOLID }}} "$expected_value"

shared/templates/sebool/template.yml

@@ -2,3 +2,4 @@ supported_languages:
   - ansible
   - bash
   - oval
+  - sce-bash