From 4db7d6be643f9e7c9c3b81d3945b8d2c3e4c5269 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sat, 6 Feb 2021 03:02:08 -0500
Subject: [PATCH] hide-hardware-info: allow unrestricting selinuxfs

On SELinux systems, the /sys/fs/selinux directory must be visible to userspace utilities in order to function properly.
---
 etc/hide-hardware-info.d/30_default.conf | 3 +++
 usr/lib/security-misc/hide-hardware-info | 14 ++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf
index 252e0b6..88344bc 100644
--- a/etc/hide-hardware-info.d/30_default.conf
+++ b/etc/hide-hardware-info.d/30_default.conf
@@ -6,3 +6,6 @@
 ## Disable the /proc/cpuinfo whitelist.
 #cpuinfo_whitelist=0
+
+## Disable selinux mode.
+#selinux=0
diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/lib/security-misc/hide-hardware-info
index 36ddc29..78f3f9b 100755
--- a/usr/lib/security-misc/hide-hardware-info
+++ b/usr/lib/security-misc/hide-hardware-info
@@ -7,6 +7,7 @@ set -e
 sysfs_whitelist=1
 cpuinfo_whitelist=1
+selinux=1
 shopt -s nullglob
@@ -76,3 +77,16 @@ do
 fi
 fi
 done
+
+## on SELinux systems, at least /sys/fs/selinux
+## must be visible to unprivileged users, else
+## SELinux userspace utilities will not function
+## properly
+if [ -d /sys/fs/selinux ]; then
+if [ "${selinux}" = "1" ]; then
+chmod o+rx /sys /sys/fs /sys/fs/selinux
+echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
+else
+echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly."
+fi
+fi
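Review bot: The new `#selinux=0` entry is documented only as "Disable selinux mode", which does not tell an administrator what the option actually controls or what they give up by setting it. Since the script hunk in this same patch shows the effect (with `selinux=1` the script runs `chmod o+rx` on /sys, /sys/fs and /sys/fs/selinux; with `0` it leaves them restricted and SELinux userspace tools may stop working), the comment should say so, e.g. `## Disable selinux mode: keep /sys/fs/selinux hidden from unprivileged users even when SelInux is detected (SELinux userspace utilities will then not function).`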
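Review bot: `chmod o+rx /sys /sys/fs /sys/fs/selinux` grants more than the stated goal needs: making /sys/fs/selinux reachable only requires the execute (search) bit on the two parent directories, while `o+r` on /sys and /sys/fs additionally lets unprivileged users list every entry under them, which is exactly the hardware-information exposure this script exists to prevent. Splitting the call keeps the parents traversable but not listable: `chmod o+x /sys /sys/fs` followed by `chmod o+rx /sys/fs/selinux`. Separately, the `[ -d /sys/fs/selinux ]` guard is, if I recall correctly, true on any kernel built with SELinux support even when selinuxfs is not mounted, so the two INFO messages may also fire on systems that are not actually using SELinux; checking for a file that only exists once selinuxfs is mounted (for example `[ -e /sys/fs/selinux/enforce ]`) would be a tighter condition, worth confirming against the target kernels. The `done` at the top of the hunk closes a loop whose body starts outside the hunk.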