diff --git a/docs/manual/developer/06_contributing_with_content.md b/docs/manual/developer/06_contributing_with_content.md
index e1f5e4f906ea..11af2c115d5c 100644
--- a/docs/manual/developer/06_contributing_with_content.md
+++ b/docs/manual/developer/06_contributing_with_content.md
@@ -825,6 +825,13 @@ are unique to SCE:
it is not necessary. Additionally, OCIL checks, if any is present in the
`rule.yml`, are added as a top-level OR-operator `` with
the results of this ``.
+ - `environment`: can be `normal`, `bootc`, `any`.
+ The default value that is used when this key is not set is `normal`.
+ This key specifies the environment in which the SCE check can run in.
+ This way you can restrict some SCE checks to run or not run in Image mode.
+ If set to `bootc`, the SCE check code will be modified to not run outside of the bootable image build process.
+ If set to `normal`, the SCE check code will be modified to not run during the bootable image build process.
+ If set to `any`, the SCE check code will not be modified and therefore will run in any environment.
For an example of SCE content, consider the check:
diff --git a/shared/templates/sebool/sce-bash.template b/shared/templates/sebool/sce-bash.template
index 143aedfe1d8d..87a442ecbcc2 100644
--- a/shared/templates/sebool/sce-bash.template
+++ b/shared/templates/sebool/sce-bash.template
@@ -1,4 +1,5 @@
#!/usr/bin/env bash
+# environment = bootc
# check-import = stdout
{{% if not SEBOOL_BOOL %}}
# check-export = var_{{{ SEBOOLID }}}=var_{{{ SEBOOLID }}}
diff --git a/shared/templates/service_disabled/sce-bash.template b/shared/templates/service_disabled/sce-bash.template
index 84addf8e8ccf..4d86b9fdc99d 100644
--- a/shared/templates/service_disabled/sce-bash.template
+++ b/shared/templates/service_disabled/sce-bash.template
@@ -1,5 +1,6 @@
#!/bin/bash
# check-import = stdout
+# environment = bootc
if [[ $(systemctl is-enabled {{{ DAEMONNAME }}}.service) == "masked" ]] ; then
exit "$XCCDF_RESULT_PASS"
fi
diff --git a/shared/templates/service_enabled/sce-bash.template b/shared/templates/service_enabled/sce-bash.template
index 5d33a00d3a68..03254c17170f 100644
--- a/shared/templates/service_enabled/sce-bash.template
+++ b/shared/templates/service_enabled/sce-bash.template
@@ -1,4 +1,5 @@
#!/bin/bash
+# environment = bootc
# check-import = stdout
if [[ $(systemctl is-enabled {{{ DAEMONNAME }}}.service) == "enabled" ]] ; then
exit "$XCCDF_RESULT_PASS"
diff --git a/shared/templates/socket_disabled/sce-bash.template b/shared/templates/socket_disabled/sce-bash.template
index 2b27cd73ba6a..3b0cca18f0cd 100644
--- a/shared/templates/socket_disabled/sce-bash.template
+++ b/shared/templates/socket_disabled/sce-bash.template
@@ -1,4 +1,5 @@
#!/bin/bash
+# environment = bootc
# check-import = stdout
if [[ $(systemctl is-enabled {{{ SOCKETNAME }}}.socket) == "masked" ]] ; then
exit "$XCCDF_RESULT_PASS"
diff --git a/shared/templates/sysctl/sce-bash.template b/shared/templates/sysctl/sce-bash.template
index 54a120e983e0..352b701f9b0d 100644
--- a/shared/templates/sysctl/sce-bash.template
+++ b/shared/templates/sysctl/sce-bash.template
@@ -1,4 +1,5 @@
#!/usr/bin/env bash
+# environment = bootc
# check-import = stdout
{{% if SYSCTLVAL == "" %}}
# check-export = sysctl_{{{ SYSCTLID }}}_value=sysctl_{{{ SYSCTLID }}}_value
diff --git a/shared/templates/timer_enabled/sce-bash.template b/shared/templates/timer_enabled/sce-bash.template
index 53101b496dd4..a09354aa3873 100644
--- a/shared/templates/timer_enabled/sce-bash.template
+++ b/shared/templates/timer_enabled/sce-bash.template
@@ -1,4 +1,5 @@
#!/bin/bash
+# environment = bootc
# check-import = stdout
if [[ $(systemctl is-enabled {{{ TIMERNAME }}}.timer) == "enabled" ]] ; then
exit "$XCCDF_RESULT_PASS"
diff --git a/ssg/build_sce.py b/ssg/build_sce.py
index 110a73f76174..a77d57ad098e 100644
--- a/ssg/build_sce.py
+++ b/ssg/build_sce.py
@@ -34,12 +34,33 @@ def load_sce_and_metadata(file_path, local_env_yaml):
return load_sce_and_metadata_parsed(raw_content)
+def _modify_sce_with_environment(sce_content, environment):
+ if environment == "any":
+ return
+ if environment == "bootc":
+ condition = "\"$OSCAP_BOOTC_BUILD\" == \"YES\""
+ if environment == "normal":
+ condition = "\"$OSCAP_BOOTC_BUILD\" != \"YES\""
+ for i in range(len(sce_content)):
+ if len(sce_content[i]) > 0:
+ sce_content[i] = (4 * " ") + sce_content[i]
+ sce_content.insert(0, f"if [[ {condition} ]] ; then")
+ sce_content.append("else")
+ sce_content.append(" echo \"The SCE check can't run in this environment.\"")
+ sce_content.append(" exit \"$XCCDF_RESULT_ERROR\"")
+ sce_content.append("fi")
+
+
def load_sce_and_metadata_parsed(raw_content):
metadata = dict()
sce_content = []
- keywords = ['platform', 'check-import', 'check-export', 'complex-check']
+ keywords = ['platform', 'check-import', 'check-export', 'complex-check', 'environment']
+ shebang = "#!/usr/bin/bash"
for line in raw_content.split("\n"):
+ if line.startswith("#!"):
+ shebang = line
+ continue
found_metadata = False
for keyword in keywords:
if not line.startswith('# ' + keyword + ' = '):
@@ -66,6 +87,17 @@ def load_sce_and_metadata_parsed(raw_content):
if 'platform' in metadata:
metadata['platform'] = metadata['platform'].split(',')
+ if "environment" not in metadata:
+ metadata["environment"] = "normal"
+ environment_options = ["normal", "bootc", "any"]
+ if metadata["environment"] not in environment_options:
+ raise RuntimeError(
+ f"Wrong value of the 'environment' headers: "
+ f"{metadata["environment"]}. It needs to be one of "
+ f"{", ".join(environment_options)}")
+
+ _modify_sce_with_environment(sce_content, metadata["environment"])
+ sce_content.insert(0, shebang)
return "\n".join(sce_content), metadata