omnibus-gitlab/files/gitlab-selinux
Robert Marshall 362ebe59b7 Consolidate SELinux policy into one module
- Create a single versioned SELinux policy module for GitLab similar to
  other policy module components.
- The first iteration of the consolidated policy is opt-in if the user
  sets `package['selinux_policy_version']` to anything other than nil.

Closes https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/7453

Closes https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8235

Changelog: changed
Signed-off-by: Robert Marshall <rmarshall@gitlab.com>
2024-02-15 06:30:18 +00:00
README.md Fix SELinux documentation link 2020-09-26 06:04:22 +00:00
gitlab-7.2.0-ssh-keygen.te Generate SELinux policy module with package 2023-10-16 05:18:44 +00:00
gitlab-10.5.0-ssh-authorized-keys.te Generate SELinux policy module with package 2023-10-16 05:18:44 +00:00
gitlab-13.5.0-gitlab-shell.te Generate SELinux policy module with package 2023-10-16 05:18:44 +00:00
gitlab.te Consolidate SELinux policy into one module 2024-02-15 06:30:18 +00:00

README.md

SELinux modules for GitLab

RHEL / CentOS 7

The following files are named by the GitLab version they were first introduced. For example, gitlab-7.2.0-ssh-keygen maps to GitLab v7.2. Both .te (Type Enforcement) and .pp (Project Policy) files are included.

For reference, we created the .pp files from the .te files by using the following commands on CentOS:

checkmodule -M -m -o filename.mod filename.te
semodule_package -o filename.pp -m filename.mod

rhel/7/gitlab-7.2.0-ssh-keygen.pp

GitLab handles SSH public keys and we want to verify whether users input valid SSH keys using the ssh-keygen utility. Because ssh-keygen does not accept input from standard input, we need to create a temporary file. This SELinux module gives ssh-keygen permission to read the temporary file we create for it.

rhel/7/gitlab-10.5.0-ssh-authorized-keys.pp

To support fast SSH key lookups via the database, GitLab needs additional permissions. This SELinux module gives sshd permission to do the following:

  • Write to /var/log/gitlab/gitlab-shell.log
  • Connect to the internal API via unicorn on port 8080

Outside of the module, the gitlab-shell recipe also grants specific permissions to read the files:

  • /var/opt/gitlab/gitlab-shell/config.yml
  • /var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret

By default, SELinux allocates port 8080 to the http_cache_port_t context. Note that if you have to change that port, you will have to create a custom SELinux module to accommodate the new port.
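As an added example (not code from the omnibus-gitlab repository), the following POSIX shell script walks through the checkmodule / semodule_package build steps given above and the port-labelling check implied by the http_cache_port_t note: it renders an illustrative .te that grants sshd the two permissions the ssh-authorized-keys module is described as giving, compiles it with the README's commands when the SELinux build tools are installed, and parses the output of `semanage port -l` to report which port type covers a given TCP port (ranges included). The type names sshd_t, http_cache_port_t and var_log_t are standard reference-policy identifiers; the allow rules, the module name gitlab_example and the sample port listing are constructed for illustration and are not the project's own gitlab.te.

```shell
#!/bin/sh
# Added example, not part of omnibus-gitlab. Builds a small SELinux policy
# module with the README's checkmodule/semodule_package steps and checks the
# port type bound to the internal API port (8080 by default).
set -u

# Render an illustrative .te (assumption: an approximation of the README's
# description, NOT the project's gitlab.te). sshd_t, http_cache_port_t and
# var_log_t are standard reference-policy types. Module names must be valid
# identifiers, so underscores are used instead of hyphens.
render_policy() {
    printf 'module %s %s;\n\n' "$1" "$2"
    printf 'require {\n'
    printf '    type sshd_t;\n    type http_cache_port_t;\n    type var_log_t;\n'
    printf '    class tcp_socket name_connect;\n'
    printf '    class file { open append getattr };\n'
    printf '}\n\n'
    # sshd -> internal API on the http_cache_port_t port (8080 by default)
    printf 'allow sshd_t http_cache_port_t:tcp_socket name_connect;\n'
    # sshd -> append to a var_log_t log such as gitlab-shell.log
    printf 'allow sshd_t var_log_t:file { open append getattr };\n'
}

# gitlab-7.2.0-ssh-keygen.te -> gitlab-7.2.0-ssh-keygen
module_basename() {
    b=$(basename "$1")
    printf '%s\n' "${b%.te}"
}

# Compile filename.te into filename.pp exactly as the README does. Returns 2
# when the SELinux build tools are not installed, 1 on a compile error.
build_module() {
    te="$1"
    base=$(module_basename "$te")
    dir=$(dirname "$te")
    if ! command -v checkmodule >/dev/null 2>&1 || \
       ! command -v semodule_package >/dev/null 2>&1; then
        echo "checkmodule/semodule_package not installed; skipping $te" >&2
        return 2
    fi
    checkmodule -M -m -o "$dir/$base.mod" "$te" || return 1
    semodule_package -o "$dir/$base.pp" -m "$dir/$base.mod" || return 1
    echo "$dir/$base.pp"
}

# Parse "semanage port -l" output from stdin: print the type whose tcp port
# list (single ports or lo-hi ranges) covers $1, or "unlabelled".
port_type_from_list() {
    awk -v p="$1" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                n = split($i, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (p + 0 >= lo && p + 0 <= hi) { print $1; found = 1; exit }
            }
        }
        END { if (!found) print "unlabelled" }'
}

# Live check on this host; "unknown" when semanage is not installed.
port_type() {
    if ! command -v semanage >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    semanage port -l | port_type_from_list "$1"
}

# Constructed sample of "semanage port -l" output used for the offline demo.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

tmp=$(mktemp -d)
render_policy gitlab_example 1.0 > "$tmp/gitlab_example.te"
build_module "$tmp/gitlab_example.te" || true
printf 'port 8080 (sample list) -> %s\n' \
    "$(printf '%s\n' "$SAMPLE_PORT_LIST" | port_type_from_list 8080)"
printf 'port 8080 (this host)   -> %s\n' "$(port_type 8080)"
rm -rf "$tmp"
```

If port_type reports something other than http_cache_port_t for the port the internal API listens on, the allow rule keyed to http_cache_port_t will not cover it, which is exactly the case the README says needs a custom module.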