From 391d736968a3e81557674f5524a9cd7176f2935b Mon Sep 17 00:00:00 2001
From: Matus Marhefka
Date: Fri, 1 Nov 2024 16:50:52 +0100
Subject: [PATCH] Extend oscap-bootc to install SCE dependencies

Some SCE checks which are used instead of OVAL checks when building a bootable container require additional packages. This commit introduces `install_sce_dependencies` function in `oscap-bootc` script which will handle their installation.
---
 utils/oscap-bootc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/utils/oscap-bootc b/utils/oscap-bootc
index 83ef333419..8ac7c17b87 100755
--- a/utils/oscap-bootc
+++ b/utils/oscap-bootc
@@ -61,6 +61,19 @@ def ensure_sce_installed():
 "installed.")


+def install_sce_dependencies():
+ required_packages = [
+ "setools-console" # seinfo is used by the sebool template
+ ]
+ install_cmd = ["dnf", "-y", "install"] + required_packages
+ install_process = subprocess.run(
+ install_cmd, universal_newlines=True,
+ stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+ if install_process.returncode != 0:
+ raise RuntimeError(
+ f"{install_process.stdout}\nFailed to install SCE dependencies.")
+
+
 def add_args(option_args_list, cmd):
 for o, a in option_args_list:
 if a:
@@ -112,6 +125,7 @@ def scan_and_remediate(args):
 def main():
 args = parse_args()
 ensure_sce_installed()
+ install_sce_dependencies()
 pre_scan_fix(args)
 scan_and_remediate(args)
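Review bot: `install_sce_dependencies` runs `dnf -y install` on every invocation (the second hunk calls it unconditionally from `main()`), even when `setools-console` is already present in the image being built. That probably makes each build depend on dnf reaching its configured repositories, and `-y` answers every dnf prompt without anyone seeing it; the installed package also stays in the resulting image, which is presumably intended but worth stating in a docstring. I would query rpm first and hand dnf only the packages that are missing, as sketched below. The list entry should also end with a comma, so that a second package added later is not silently joined to it by implicit string concatenation.

```python
def install_sce_dependencies():
    required_packages = [
        "setools-console",  # seinfo is used by the sebool template
    ]
    # Only involve dnf for packages rpm does not already report as installed.
    missing_packages = [
        pkg for pkg in required_packages
        if subprocess.run(
            ["rpm", "-q", pkg],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        ).returncode != 0
    ]
    if not missing_packages:
        return
    install_cmd = ["dnf", "-y", "install"] + missing_packages
    # … unchanged: subprocess.run(install_cmd, ...) and the RuntimeError on a non-zero exit …
```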