From 07efcbebadd9e2a7a966c10ca8cb96294828c0df Mon Sep 17 00:00:00 2001
From: Matus Marhefka
Date: Thu, 31 Oct 2024 17:27:25 +0100
Subject: [PATCH] Update sebool template for bootable containers

---
 docs/templates/template_reference.md | 2 +-
 shared/templates/sebool/bash.template | 10 ++++++++--
 shared/templates/sebool/sce-bash.template | 13 +++++++++++++
 shared/templates/sebool/template.yml | 1 +
 4 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 shared/templates/sebool/sce-bash.template

diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
index 38f2464102f..695296df6a2 100644
--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
@@ -699,7 +699,7 @@ When the remediation is applied duplicate occurrences of `key` are removed.
 `var_selinuxuser_execheap` to turn on or off the SELinux boolean.
 
-- Languages: Ansible, Bash, OVAL
+- Languages: Ansible, Bash, OVAL, SCE
 
 #### service_disabled
 - Checks if a service is disabled. Uses either systemd or SysV init
diff --git a/shared/templates/sebool/bash.template b/shared/templates/sebool/bash.template
index 7bc1bd15d35..8c059d3d672 100644
--- a/shared/templates/sebool/bash.template
+++ b/shared/templates/sebool/bash.template
@@ -16,12 +16,18 @@
 {{{ bash_package_install("libsemanage-python") }}}
 {{% endif %}}
 
+if {{{ bash_bootc_build() }}} ; then
+ # In a container build environment setsebool generates many
+ # harmless warnings which can be ignored.
+ redirect_stderr="2>/dev/null"
+fi
+
 if selinuxenabled; then
 {{% if SEBOOL_BOOL %}}
- setsebool -P {{{ SEBOOLID }}} {{{ SEBOOL_BOOL }}}
+ setsebool -P {{{ SEBOOLID }}} {{{ SEBOOL_BOOL }}} $redirect_stderr
 {{% else %}}
 {{{ bash_instantiate_variables("var_" + SEBOOLID) }}}
- setsebool -P {{{ SEBOOLID }}} $var_{{{ SEBOOLID }}}
+ setsebool -P {{{ SEBOOLID }}} $var_{{{ SEBOOLID }}} $redirect_stderr
 {{% endif %}}
 else
 echo "Skipping remediation, SELinux is disabled";
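Review bot: The `2>/dev/null` stored in `redirect_stderr` never becomes a redirection — a variable expansion only undergoes word splitting, so both `setsebool -P` lines in this hunk pass the literal string `2>/dev/null` as an extra argument, which setsebool will most likely reject or mis-parse as another boolean while its stderr stays unsuppressed. Outside the bootc branch `redirect_stderr` is never assigned, so the expansion is empty there (and an error under `set -u`, should the assembled remediation ever enable it). Keep a file path in the variable instead and write the redirection explicitly, `stderr_target=/dev/stderr` by default and `/dev/null` in the bootc branch, then `2>"$stderr_target"` on both setsebool lines. Because the bootc branch discards every diagnostic setsebool emits, its exit status should be checked so that a rejected boolean does not silently count as remediated.
```shell
# Hold a file path, not a redirection operator: an operator stored in a
# variable is passed to setsebool as a literal argument.
stderr_target=/dev/stderr
if {{{ bash_bootc_build() }}} ; then
    # In a container build environment setsebool generates many
    # harmless warnings which can be ignored.
    stderr_target=/dev/null
fi

if selinuxenabled; then
{{% if SEBOOL_BOOL %}}
    setsebool -P {{{ SEBOOLID }}} {{{ SEBOOL_BOOL }}} 2>"$stderr_target"
{{% else %}}
    {{{ bash_instantiate_variables("var_" + SEBOOLID) }}}
    setsebool -P {{{ SEBOOLID }}} $var_{{{ SEBOOLID }}} 2>"$stderr_target"
{{% endif %}}
# … unchanged: else branch …
```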
diff --git a/shared/templates/sebool/sce-bash.template b/shared/templates/sebool/sce-bash.template
new file mode 100644
index 00000000000..c5a22f03ffc
--- /dev/null
+++ b/shared/templates/sebool/sce-bash.template
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+# check-import = stdout
+{{% if not SEBOOL_BOOL %}}
+# check-export = var_{{{ SEBOOLID }}}=var_{{{ SEBOOLID }}}
+{{% endif %}}
+
+{{% if SEBOOL_BOOL -%}}
+expected_value="{{{ SEBOOL_BOOL }}}"
+{{%- else -%}}
+expected_value="$XCCDF_VALUE_var_{{{ SEBOOLID }}}"
+{{%- endif %}}
+
+seinfo -xb {{{ SEBOOLID }}} "$expected_value"
diff --git a/shared/templates/sebool/template.yml b/shared/templates/sebool/template.yml
index b57de6fbb63..f084d352593 100644
--- a/shared/templates/sebool/template.yml
+++ b/shared/templates/sebool/template.yml
@@ -2,3 +2,4 @@ supported_languages:
 - ansible
 - bash
 - oval
+ - sce-bash
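Review bot: The new check never compares the boolean's value with `expected_value` — the last line only runs `seinfo -xb {{{ SEBOOLID }}}` with `"$expected_value"` appended as a positional argument, so the XCCDF result is whatever exit status seinfo happens to return rather than whether the boolean is set as required (seinfo accepts an optional policy path positionally, so the extra argument is likely treated as a policy file, not ignored). Capture seinfo's output, compare the reported value case-insensitively with `expected_value`, and exit with the `XCCDF_RESULT_*` codes OpenSCAP exports to SCE scripts; the exact output format of `seinfo -xb`, and whether it reflects the value persisted by `setsebool -P`, should be confirmed against the setools version shipped in the target images. A header comment such as `# Reads the boolean from the installed policy (seinfo) because runtime state is unavailable in a container build` would also make the design choice explicit for the next maintainer.
```shell
# … unchanged: check-import/check-export header and expected_value selection …

# Value of the boolean as recorded in the installed policy. Assumes the value
# is the last field of the line naming the boolean — confirm against the
# seinfo output format of the setools version in use.
actual_value=$(seinfo -xb {{{ SEBOOLID }}} 2>/dev/null \
  | awk -v b='{{{ SEBOOLID }}}' '$1 == b { print tolower($NF) }')
if [[ -z "$actual_value" ]]; then
    exit "$XCCDF_RESULT_ERROR"
fi
if [[ "$actual_value" == "${expected_value,,}" ]]; then
    exit "$XCCDF_RESULT_PASS"
fi
exit "$XCCDF_RESULT_FAIL"
```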