42 lines
1.5 KiB
Markdown
42 lines
1.5 KiB
Markdown
# SELinux modules for GitLab
|
|
|
|
## RHEL / Centos 7
|
|
|
|
The following files are named by the GitLab version they were first
|
|
introduced. For example, `gitlab-7.2.0-ssh-keygen` maps to GitLab v7.2. Both
|
|
.te (Type Enforcement) and .pp (Project Policy) files are included.
|
|
|
|
For reference, we created the .pp files from the .te files by using the
|
|
following commands on CentOS:
|
|
|
|
```sh
|
|
checkmodule -M -m -o filename.mod filename.te
|
|
semodule_package -o filename.pp -m filename.mod
|
|
```
|
|
|
|
### rhel/7/gitlab-7.2.0-ssh-keygen.pp
|
|
|
|
GitLab handles SSH public keys and we want to verify whether users input valid
|
|
SSH keys using the ssh-keygen utility. Because ssh-keygen does not accept input
|
|
from standard input, we need to create a temporary file. This SELinux module
|
|
gives ssh-keygen permission to read the temporary file we create for it.
|
|
|
|
### rhel/7/gitlab-10.5.0-ssh-authorized-keys.pp
|
|
|
|
To support [fast SSH key lookups via the database](https://docs.gitlab.com/ee/administration/operations/fast_ssh_key_lookup.html)
|
|
GitLab needs additional permissions. This SELinux module gives sshd
|
|
permission to do the following:
|
|
|
|
* Write to /var/log/gitlab/gitlab-shell.log
|
|
* Connect to the internal API via unicorn on port 8080
|
|
|
|
Outside of the module, the gitlab-shell recipe also grants specific
|
|
permissions to read the files:
|
|
|
|
* /var/opt/gitlab/gitlab-shell/config.yml
|
|
* /var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret
|
|
|
|
By default, SELinux allocates port 8080 to the http_cache_port_t context.
|
|
Note that if you have to change that port, you will have to create a custom
|
|
SELinux module to accommodate that.
|