Update sebool template for bootable containers

docs/templates/template_reference.md

@@ -699,7 +699,7 @@ When the remediation is applied duplicate occurrences of `key` are removed.
         `var_selinuxuser_execheap` to turn on or off the SELinux
         boolean.
 
--   Languages: Ansible, Bash, OVAL
+-   Languages: Ansible, Bash, OVAL, SCE
 
 #### service_disabled
 -   Checks if a service is disabled. Uses either systemd or SysV init

shared/templates/sebool/bash.template

@@ -16,7 +16,7 @@
 {{{ bash_package_install("libsemanage-python") }}}
 {{% endif %}}
 
-if selinuxenabled; then
+if selinuxenabled || {{{ bash_bootc_build() }}} ; then
 {{% if SEBOOL_BOOL %}}
     setsebool -P {{{ SEBOOLID }}} {{{ SEBOOL_BOOL }}}
 {{% else %}}

shared/templates/sebool/sce-bash.template

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# check-import = stdout
+{{% if not SEBOOL_BOOL %}}
+# check-export = var_{{{ SEBOOLID }}}=var_{{{ SEBOOLID }}}
+{{% endif %}}
+
+function check_sebool_value()
+{
+    local seboolid="$1"
+    local exp_value="$2"
+
+    if seinfo -xb "$seboolid" | grep -q "$seboolid[[:space:]]\+$exp_value;" ; then
+        return $XCCDF_RESULT_PASS
+    else
+        return $XCCDF_RESULT_FAIL
+    fi
+}
+
+{{% if SEBOOL_BOOL -%}}
+expected_value="{{{ SEBOOL_BOOL }}}"
+{{%- else -%}}
+expected_value="$XCCDF_VALUE_var_{{{ SEBOOLID }}}"
+{{%- endif %}}
+
+check_sebool_value {{{ SEBOOLID }}} "$expected_value"
+exit $?

shared/templates/sebool/template.yml

@@ -2,3 +2,4 @@ supported_languages:
   - ansible
   - bash
   - oval
+  - sce-bash